Matters of information security concern all of us — we are all responsible for the security of data and systems entrusted to us. We have compiled some advice on this topic in this section.
The 10 Golden Rules of Information Security
1.) Secure your computer, your workspace, and your documents!
Your computer is the last barrier between an attacker and your data. Make sure no-one but you has access to your device. The same applies to your physical workspace, e.g. your office desk, and to all documents, records, and files kept there. Lock such documents away securely so that no-one else can inspect, remove or damage them. In practice appropriate measures include:
Lock your computer (or sign out of your account if you share a device) as soon as you leave your workplace, even if it is just for a short time.
Lock away all confidential documents, including external data media such as hard drives or USB sticks.
Check whether encrypting your data is a feasible option. Current operating systems ship with full-disk encryption that only needs to be switched on in the settings; with it enabled, a lost or stolen device does not automatically mean lost or leaked data.
2.) Keep your software up-to-date!
Update prompts and security alerts can be bothersome, and they are often ignored or clicked away. However, every known security vulnerability that remains unpatched leaves your system and software open to attack: third parties can compromise your device by exploiting it. Therefore update your software regularly, and especially promptly when the software asks you to. Your operating system, your web browser, and your PDF software have the highest priority, as they process untrusted content from the internet and are the most frequently attacked. For this reason, always pay attention to security alerts.
3.) Take caution when using external drives!
USB sticks, external hard drives and similar storage media can pose significant security risks. A prepared device can introduce malware into your computer and from there into the university network. Never connect external drives of unknown origin (e.g. one you found somewhere) to your computer or mobile devices. Be careful even with drives from third parties such as colleagues, friends, and family: their drives may be infected without their knowledge.
4.) Use secure passwords!
The most important advice here: do not use the same password for several services! Otherwise a password obtained in one breach or attack can be used to take over other accounts and systems as well; attackers routinely try leaked credentials against other services automatically. If you use the same password for your private online shopping and your business accounts, a breach of one automatically puts the other at risk.
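The practical way to follow this rule is to let a password manager generate an independent random password for every service. The following added example (not part of the original page) shows what that means in code: passwords drawn from a cryptographic random source, one per service, with their guess-resistance in bits. The eight-word list is a constructed stand-in for a real diceware list of several thousand words.

```python
import math
import secrets
import string

# Constructed miniature word list for the demonstration only; a real passphrase
# generator uses a list of several thousand words (e.g. a diceware list).
WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier", "harbor"]

# Letters, digits and punctuation: 94 distinct symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG; every position is independent."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(n_words: int = 6, words=WORDS, sep: str = "-") -> str:
    """Random passphrase: easier to type than a symbol soup, strength comes from the word count."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices: int, positions: int) -> float:
    """Guess-resistance of a uniformly random secret: log2(choices) bits per position."""
    return positions * math.log2(choices)


def per_service_credentials(services, length: int = 20) -> dict:
    """One independent password per service, so one breach cannot unlock another."""
    return {service: random_password(length) for service in services}


if __name__ == "__main__":
    print(random_password(), round(entropy_bits(len(ALPHABET), 20), 1), "bits")
    print(passphrase(), round(entropy_bits(len(WORDS), 6), 1), "bits (toy list)")
    print(per_service_credentials(["shop", "mail", "vpn"]))
```

Note that the passphrase from the toy list is weak (three bits per word); with a 7776-word diceware list the same six words give about 77 bits.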
5.) Never share your login details with others!
Never share your login details or passwords with others for any reason, not even WiFi or VPN access. Just don’t.
This applies to the login details of all accounts you have for digital services. Please note that the terms and conditions of your university account explicitly prohibit sharing your account data with third parties. Doing so may result in your account being blocked, and further action under German labor law may be taken against you.
6.) Backup your data on a regular basis!
A regular backup of your data is important to prevent data loss in the case of hardware defects or other problems. Without a backup you risk losing access to all of your data after a crash, a malfunction or a compromise (e.g. ransomware). Please bear in mind that this also applies to data on external drives.
USB sticks in particular are prone to data losses and should not be used as a backup medium.
Backup on macOS using Time Machine: Apple: Time Machine Backups
The University of Cologne also offers TSM as a backup system for advanced users.
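A backup is only worth something if it can actually be restored, so a backup routine should verify its copies. The following added example (not part of the original page, and unrelated to Time Machine or TSM) copies a directory, records a SHA-256 checksum per file in a manifest, and later re-checks the copy so that silently corrupted or missing files are reported instead of being discovered on the day of the restore. The sample files and the damage are constructed inside a temporary directory.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.sha256.json"


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, target: Path) -> dict:
    """Copy the source tree to target/data and write a checksum manifest next to it."""
    data_dir = target / "data"
    shutil.copytree(source, data_dir)
    manifest = {
        p.relative_to(data_dir).as_posix(): sha256_of(p)
        for p in sorted(data_dir.rglob("*")) if p.is_file()
    }
    (target / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(target: Path) -> list:
    """Recompute every checksum; return (file, problem) for anything missing or altered."""
    data_dir = target / "data"
    manifest = json.loads((target / MANIFEST).read_text())
    problems = []
    for rel, digest in manifest.items():
        p = data_dir / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif sha256_of(p) != digest:
            problems.append((rel, "checksum mismatch"))
    return problems


def demo() -> tuple:
    """Constructed run in a temp directory: back up, verify, damage the copy, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "documents"
        (src / "notes").mkdir(parents=True)
        (src / "thesis.txt").write_text("chapter 1\n")
        (src / "notes" / "todo.txt").write_text("back up regularly\n")
        backup = root / "backup"
        manifest = make_backup(src, backup)
        clean = verify_backup(backup)
        # Simulate a silently corrupted file and a lost file on the backup medium.
        (backup / "data" / "thesis.txt").write_bytes(b"chapter 1\x00")
        (backup / "data" / "notes" / "todo.txt").unlink()
        damaged = verify_backup(backup)
        return len(manifest), clean, sorted(damaged)


if __name__ == "__main__":
    print(demo())
```

Keeping the manifest on a different medium than the data (or signing it) additionally lets you detect a backup that was tampered with, not just one that decayed.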
7.) Treat sensitive data responsibly!
Save data only on trustworthy storage such as SoFS or internal network storage. Be cautious when choosing where to store your data and its backups: sensitive data does not belong on third-party storage services such as Dropbox.
If you are unsure which data should be saved where, please do not hesitate to reach out to the RRZK help desk to address your questions or be redirected to the appropriate point of contact.
Never share information thoughtlessly with third parties. When discussing sensitive or business-related matters, always make sure to ask yourself which information and how much information is appropriate to share. This applies to all kinds of information regardless of its source or the medium of communication.
Responsible treatment of the data entrusted to you also includes the ability to delete data correctly, comprehensively, and irretrievably. You can find an introductory guide for this here. Bear in mind that on SSDs and flash media simply overwriting a file is not a reliable way of destroying it; encrypting the device from the outset (see rule 1) makes secure disposal much simpler.
8.) Be wary of Phishing and Spam
Phishing attempts and spam e-mails have existed ever since communication went digital. The number of phishing attempts has risen considerably worldwide in recent months and years, and our university is no exception.
Be careful and stay calm if you ever receive an e-mail that tries to extort money from you, threatens to block your account unless you log in on a certain website, or puts you under any other kind of pressure. Phishing e-mails typically ask you to enter sensitive login data on external or faked websites.
Check the sender name, the actual e-mail address behind it, and the website you are being redirected to very carefully. The displayed name and the link text can say anything; what counts is the real address and the real link target.
Never enter any sensitive account data on any website that looks even the slightest bit suspicious.
When in doubt, please always consult the RRZK help desk to discuss your concerns and find out if any kind of action on your part is required.
There is a host of information on spam and phishing available on external websites, e.g. from Cisco here.
Please also be wary of spear phishing, a highly targeted and well-disguised kind of phishing attempt that uses details about you or your work.
For more information on spear phishing, you may also want to read this article on CSO Online.
By the way: forging the sender of an e-mail is as easy as sending a postcard under a false name. If you are not sure whether an e-mail really came from the person named as the sender, check back with that person over a channel you already know belongs to them, e.g. a phone number from the staff directory, not one given in the suspicious e-mail. A quick phone call can often clarify the situation and prevent harm.
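The checks this rule asks for (the real sender address behind the display name, the real target behind a link, pressure language) and the point that a sender can be forged at will can be applied mechanically to a raw message. The following added example (not part of the original page or of any RRZK tool) does exactly that with Python's standard email parser: it compares the From domain with the organisation's domain, flags a Reply-To that diverts answers elsewhere, reads the SPF/DKIM/DMARC verdicts the receiving mail server wrote into Authentication-Results, and compares each link's visible text with its actual href. The domain "university.example" and both messages are constructed for the demonstration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organisation's own mail domain (a placeholder, not a real domain).
TRUSTED_DOMAIN = "university.example"

# Constructed sample messages (not real mail): one phishing attempt, one legitimate notice.
PHISHING = """From: "University Helpdesk" <helpdesk@university-example.com>
Reply-To: account-verify@example.net
To: user@university.example
Subject: Your account will be blocked
Authentication-Results: mx.university.example; spf=fail smtp.mailfrom=example.net; dkim=none; dmarc=fail header.from=university-example.com
Content-Type: text/html; charset=utf-8

<p>Log in within 24 hours or your account will be disabled:</p>
<a href="http://login.example.net/university">https://portal.university.example/login</a>
"""

LEGITIMATE = """From: "University Helpdesk" <helpdesk@university.example>
To: user@university.example
Subject: Maintenance window on Friday
Authentication-Results: mx.university.example; spf=pass smtp.mailfrom=university.example; dkim=pass header.d=university.example; dmarc=pass header.from=university.example
Content-Type: text/html; charset=utf-8

<p>The portal will be unavailable on Friday evening. Details:</p>
<a href="https://portal.university.example/news">https://portal.university.example/news</a>
"""


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def check_message(raw: str, trusted_domain: str = TRUSTED_DOMAIN) -> list:
    """Return (code, detail) findings; an empty list means nothing suspicious was found."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. The real address, not the display name, says where the mail came from.
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)
    if not _is_under(from_dom, trusted_domain):
        findings.append(("sender-domain", f'"{name}" writes from {from_dom}, not {trusted_domain}'))

    # 2. A Reply-To pointing elsewhere sends your answer to the attacker.
    reply_to = msg.get("Reply-To")
    if reply_to:
        rt_dom = _domain(parseaddr(str(reply_to))[1])
        if rt_dom != from_dom:
            findings.append(("reply-to-mismatch", f"replies go to {rt_dom}"))

    # 3. SPF/DKIM/DMARC verdicts recorded by the receiving mail server.
    auth = str(msg.get("Authentication-Results", ""))
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        if result.lower() != "pass":
            findings.append((f"{mech.lower()}-{result.lower()}", auth.strip()))

    # 4. Link text is free-form; only the href is where the browser really goes.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, label in re.findall(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', text, re.I | re.S):
        href_host = urlparse(href).hostname or ""
        label_host = urlparse(label.strip()).hostname or ""
        if label_host and label_host != href_host:
            findings.append(("link-mismatch", f"shows {label_host} but leads to {href_host}"))
        elif not _is_under(href_host, trusted_domain):
            findings.append(("external-link", href_host))

    # 5. Deadlines and threats are the pressure tactics the rule above warns about.
    if re.search(r"\b(within \d+ hours|blocked|disabled|immediately)\b", text, re.I):
        findings.append(("pressure", "deadline or threat language in the body"))
    return findings


if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING), ("legitimate", LEGITIMATE)):
        print(label, check_message(raw))
```

Only the Authentication-Results header written by your own mail server is trustworthy; an attacker can add one of their own, which is why real deployments strip or ignore such headers arriving from outside.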
9.) Business / Private / Administration: Use separate accounts whenever possible!
Separating your business from your private life is always a good idea, and that is true for IT matters as well. Create different accounts for different purposes so that your data and your software are kept apart and a single compromise does not put everything at risk at once.
It is also advisable to use a local user account on your device rather than one tied to an online identity, and to do your daily work in a standard (non-administrator) account.
Local accounts have been the standard on macOS and Linux systems for some years now, but on Windows 10 a local account has to be set up separately.
10.) Ask questions and keep yourself informed!
If you are unsure whether cryptic error messages or suspicious messages are legitimate, do not hesitate to reach out to the appropriate support services. For the University of Cologne, the RRZK help desk can answer most of your questions or redirect you to the appropriate service or point of contact.
The RRZK website also posts warnings about large-scale phishing campaigns at our university. This can be a useful resource for assessing the general situation, e.g. if you receive a suspicious e-mail.
Most importantly: Keep calm, and do not let yourself be put under any kind of pressure.
Under mental pressure it is harder to judge a situation, and significant misjudgments become more likely.
Do not be afraid of asking too many questions if you are ever in doubt about an information security issue.
If you have any questions or problems, please contact the RRZK-Helpdesk