Guidance for using your own device for work purposes
If you use your own device for University work, it is important to ensure that both it and the information it contains is appropriately protected.
Although use of personally owned devices for work purposes brings many benefits to the University and provides convenience and flexibility to members of staff, it can pose a high security risk if devicesare left vulnerable to theft, loss and unauthorised access.
The following suggestions have been developed specifically for using your own device for University work but also includes good practice guidance for you to use even if you don't use it for work as it will help you protect your devices and the information they provide access to.
- If your device has fingerprint or face recognition and encryption functionality, turn it on.
- If your device has a location finding functionality in the event of it being lost or stolen turn it on and configure it to enable you to remote-wipe it should it become lost.
- Keep your software and operating system up to date.
- Update your anti-virus or malware protection and if you don’t have any and if your operating system does not already include it, consider purchasing some.
- Set your device to lock automatically when it is inactive for more than a few minutes.
- If you acquire a second hand, before using it for the first time, restore it to its factory settings.
- Only download applications (‘apps’) or other software from reputable sources and do not use software you know to be pirated.
- If you feel able to do so change the default password of the device controlling your home wireless network and that of your wireless network itself. Your Internet Service Provider will be able to help with this.
- If using wireless networks away from home, using only those you know and trust. Consider disabling automatic connection to open, unsecured Wi-Fi networks and make risk-conscious decisions before connecting.
- Set and use a passcode (e.g. pin number or password) to access your devices. If you already have one but haven’t changed it for some time, consider setting a new one.
- Whenever possible, use a stronger passcode than the minimum allowed. E.g. rather than a 4-digit PIN, use a 6-digit one.
- Use a different passcode or password for different devices and websites: then if one is compromised, all of your other accounts and devices are still safe.
- Where you can, enable two-step (or multi-factor) authentication whenever possible.
- Use a strong password made up of either a long string of characters made of upper case and lowercase letters, numbers and symbols or alternatively a passphrase made up of at least three random words joined together e.g. “tree spanner pencil”.
- Do not share passcode.
- If you can’t remember them all consider the use of a password manager. This is a specialised program that securely stores all your passwords in an encrypted format protecting yourself from social engineering attack.
- Attackers may target you rather than your computer or other devices when you are working from home, and may target you. They may attempt to trick you into giving them confidential information, passwords or control of your computer. The most common types:
- creating a sense of urgency, often through fear, intimidation, a crisis or an important deadline often from trusted organisations, such as banks, government or IT providers;
- Pressuring you to bypass or ignore security policies or procedures;
- An offer too good to be true (e.g. winning a lottery or a free offer);
- A message from a friend or colleague which is not in the right tone or which doesn’t seem quite right.
- Avoid the use of memory sticks as they can be easily lost and may carry viruses.
- Our preference is for you not to share your device with others but if other members of your household do use your device, you must ensure that they cannot access University information, e.g. with an additional account passcode or by logging out of University systems when you finish using the device for work.
- Instead, we recommend using the University Portal or Office 365, OneDrive or sending documents to your email address.
- Make sure that when you work on University documents you save them back to University systems or email them to yourself rather than onto your hard drive.
- Organise and regularly review the information on your device. Delete copies from your device when no longer needed, ensure that downloaded files are deleted and removed from “trash” or “recycling bin” folders and that any caches (which are used to store temporary files) are also cleared.
- When you finish working on your device ensure you log out of University systems.
- Keep any paper you take home to an absolute minimum and ensure you keep a record of what files you are taking home and check on that record that they have all been brought back upon your return.
- Do not leave paper records unattended outside your home (e.g. in a car).
- Do not leave your device unattended.
- If possible lock away any devices and paper records when you go out.
- If you have any confidential waste to get rid of, either use a domestic shredder if you have one or keep hold of it and dispose of it confidentially when you get back to work.
- If you replace your device ensure you do a full back up, then delete all data on the device and then do a full system reset.
If anything goes wrong
- The loss or theft of a device is personally distressing but if you’re also using it for work purposes, it can also have serious consequences for other people and their privacy. In addition, there may be significant legal, financial and reputational consequences for the University.
- If you are using your own device for work purposes and it is lost or stolen contact IT Services via ServiceNow or the Data Protection Team on firstname.lastname@example.org.