By the end of this module you should be able to:
- Use security tools when browsing
- Determine if a website is secure
- Avoid malicious websites and pop-up windows
- Create a safe password
- Identify and avoid suspicious emails, including links, attachments and scam requests for information
Keeping government information secure is a requirement of our job.
Historically, we’d have installed all the software we needed to use at work onto our DH computers, and it would have been thoroughly tested. Nowadays, with fast internet connections and cloud computing, we can access lots of this software for free online – but it doesn’t go through that testing process, and isn’t necessarily secure.
The answer isn’t total lock-down. We can be open to web-based applications like Trello, Doodle polls, Eventbrite and Google Drive – we just need to make sure we’re using common sense to manage different kinds of information securely.
You should:
- Do your ‘responsible for information training’
- Check all the DH Guidance on password and computer security
- Check all the DH Guidance on managing information risks
- Check the DH Acceptable use of ICT policy
- Use your common sense. Refer to the policies above to help you make a decision. Check with someone if you’re unsure. If using a web-based application for a certain piece of work feels uncomfortable, don’t take the risk. You can get advice from the Security and Business Continuity team and the Data protection and Information Risk Management Team.
- Avoid giving personal or confidential information to people or websites that you don’t recognise
Safe passwords
There is plenty of advice online regarding how to set secure passwords.
Secure websites
Secure websites can be identified by a little ‘s’ for ‘secure’ following the http part of the address, so that the address begins with https://.
If you enter data into http://www.theguardian.com/, it won’t necessarily be encrypted on its journey from the website to the server. However, data sent to https://www.facebook.com/ will be encrypted en route, so the traffic cannot be read if it is intercepted.
An easy way to check the authenticity of a website that is requesting personal or confidential data is to look for the https:// at the start of the address.
Websites sometimes offer “two-step verification” to increase security. For example, you can make a small change to your Facebook settings so that, when you log on from a new location, it will check that you are who you say you are by asking you personalised questions or sending a message to your phone.
If you are storing data on Google Drive, or in your Gmail, you can beef up your Google security for free.
Pop-ups
Pop-ups are annoying. Sometimes malicious windows pop up unrequested. They are automatically blocked on work browsers, but if you search “pop up blocker” followed by the name of your browser, Google will tell you how to block them on your home computer.
Virus scanning
DH networks are built to be secure – so you don’t need to worry about virus scanning or firewalls at work (though you definitely should install them on home computers).
Spam email
Most modern email providers will automatically filter spam messages into junk mail. The key message here is not to open messages that come from senders you don’t recognise, and not to click on links or attachments in those emails. Often phishers will try to copy the style of emails from reputable organisations – if you receive this sort of message, let the organisation know (you can tweet them, or find their contact details on their legitimate website). You can read more advice on preventing phishing, and the Get Safe Online site is another good place to learn.
Example
Alex is co-ordinating her team’s preparation of a consultation document for publication in a few months.
She needs to:
- edit the document based on colleagues’ suggestions
- ensure only one draft is in circulation at any one time
- make sure that people have enough time to contribute to the document
Some of the people she will be working with are external and do not have access to the DH computer system.
Alex thinks this might be a perfect opportunity to introduce Google Drive to her team.
She decides to consult her team’s Deputy Director first, as she’s aware that this is a sensitive policy document and it may not be appropriate for Google software. Her Deputy Director agrees: the subject matter of the document is controversial and she doesn’t want Alex to store it on the internet.
Alex agrees, but there are still some ways she could use Google Drive to make her job easier.
She can:
- upload and share a list of publication and clearance deadlines so that everyone (within and outside the organisation) has easy access to them.
- create a spreadsheet to record annual leave and remind everyone involved in the consultation to regularly update it, so that she knows when key people are going to be in the office.
- create a work log – a table that shows who has seen each version of the document, and whether they have cleared it.
It’s not just easier for her: it also makes everybody else in the team accountable to each other.
Online security is about balance. Alex has balanced the risks of sharing different types of information with the opportunities that online tools provide for working more openly and conveniently.
The result isn’t perfect – she still has to email everybody with the latest attachments, which is labour-intensive – but it’s the right level of security for the work she’s doing.
Further information
The DH intranet has a useful guide to using IT in the department, with some tips on online security. (Note: this is currently being reviewed and updated by information services and digital teams to reflect current guidelines around open source tools.)
You can also brush up on government security classifications.
If you have a question about a specific online security issue, visit this government partner website which has comprehensive advice on everything from working at home to spam emails and identity theft.