Digital license 'Employee'


Welcome

About this course

SURF (ICT cooperative for education and research, surf.nl) has developed a series of online modules for students and employees of educational institutions (MBO, HBO, WO) under the title 'Digital license - Privacy & Security'. The purpose of these modules is to provide specific target groups such as students, HR staff, researchers and desk employees with all the necessary knowledge and skills regarding privacy and security.

The 'Privacy & Security for employees' module is specifically intended for employees.

Introduction

 


WELCOME TO THE MODULE
‘PRIVACY & SECURITY - FOR EMPLOYEES’


Indeed, welcome! You are about to embark on an interesting journey. A journey through the world of privacy and security. While that might not yet sound very exciting, pay close attention, because this module is not about all kinds of rules and protocols, but rather a procedure which will enable you to deal with information as securely as possible. It is about information which is valuable, such as your own personal data, the personal data of your colleagues and essentially all information which we as an education institution must properly protect.

You are confronted with all kinds of information in your work. Personal data, research reports, financial reports, sensitive policy information and photos and video clips. There are five principles which apply to the handling of that information. You will learn those principles in this online module.

And why is a group of people pictured in the opening photo of this module, if it is about digital and other kinds of information? Exactly! Because this module actually relates specifically to people. So it relates to you and the way in which you, your colleagues and all students deal with information. This is because human beings are both the weakest and the strongest link in this area...

 

Goal of this module

After completing this module, you will know:

  • what the five guiding principles are for guaranteeing that privacy and security are dealt with appropriately,
  • how you can apply the principles together with your colleagues in a concrete manner in practice,
  • who you can contact if you run into problems, or if you simply have questions about privacy or the protection of information.

 

Structure of this module

This module consists of five chapters: we will cover one principle in each chapter. The five principles we will encounter are:

  • Principle 1: Only use the ICT facilities provided by your employer for your work
  • Principle 2: Make sure you always know who you are dealing with
  • Principle 3: Work securely and reliably, at all times and everywhere
  • Principle 4: Only allow the right people access to the right data
  • Principle 5: Help each other on the path to the right behaviour

Each chapter is structured in the same manner, so that you can easily find your way around it. In each chapter, you will complete these steps:

  • Step 1: a concise summary of the principle
  • Step 2: a brief quiz, with which you can find out what you already know about the principle
  • Step 3: an explanation of the key terms which play a role in the principle
  • Step 4: an overview of the most important do's and don'ts from three practical scenarios
  • Step 5: a challenge you can carry out with your colleagues to test the degree to which you have already mastered this principle

 

Duration of this module

It takes approximately 90 minutes to complete this module.

 

Questions?

If you have any questions while you are doing or after completing this module, please contact [contact details].

We wish you the best of luck with this module!

Principle #1: Only use the ICT facilities provided by your employer for your work

Summary

Reading time
2 minutes

Summary
In this module, we will draw your attention to the importance of using the ICT facilities offered by your education institute as much as possible. By using the appropriate hardware and software, we can better protect our sensitive data, such as personal data, and guarantee the greatest possible security.

Education institutions never stop moving. Having the room to innovate is one of the basic needs for our survival. If you want to use a new software or hardware application, we will consider together whether that is possible. Perhaps there exist possibilities within the current ICT landscape for achieving your goals or supporting your daily work. Or perhaps it will, in fact, prove necessary to obtain new technology for this. In that case, it is essential that we travel down the appropriate road together to ensure that the licences are concluded in the proper manner and (if personal data is processed by the application) that there is a processing agreement with the supplier.

You may under certain conditions also use your personal equipment for your business activities. However, we strongly advise against synchronising your business cloud services with your personal equipment, for example, to prevent the proliferation of files. If you always work on the cloud, then using your personal equipment need not necessarily be a problem.

We will also discuss the use of social media, such as Facebook, WhatsApp and YouTube in this module. It is not possible to enter into a processing agreement with these organisations for maintaining control over the use of personal data. In fact, under the licence agreement you conclude with these organisations when creating an account, they are permitted to use all content you post on their platform. It is therefore difficult to withdraw consent which was granted previously for the use of personal data, when that personal data is already scattered all over the platform.

In short: as long as you stick to the range of ICT facilities already offered to you now, you can ensure maximum guarantees for privacy and security. However, if you are looking to innovate, there is sufficient scope for doing so, as long as this takes place in close consultation with the appropriate departments in our organisation: information concerning the way in which you should do this can be found on the relevant pages throughout this module.

We will begin each module with a short quiz so you can find out what you already know about the various subjects. Good luck with this first module!

What do you already know?

Key terms

Reading time
8 minutes

What will you learn?
You will become familiar with several key terms in relation to the ICT facilities offered by your employer.

Summary
A processing agreement is always needed (in addition to a licence agreement) if you are going to work with new software in which personal data is processed. If you are going to post personal data yourself, for example on social media, be aware that, usually via the conditions you have agreed to, you are also giving the social media platform a ‘licence’ to use your content. But no matter which software or hardware you use, making sure you update all applications, encrypt your hard drive and your connection and practise good overall digital hygiene are still the most important steps you can take to guarantee the safe handling of privacy and security.


 

Personal data is worth money (in some cases, a lot)

Yes, even yours! A huge number of online platforms are now profiting off of your personal data. Even if you don't use a few of the popular social media platforms, they often still know a lot more about you than you might think:

The more detailed your profile is on a given platform, the better the advertisements displayed on your personal page can be tailored specifically to you. And those in turn generate more income for the platform.

To protect your personal data, we as an education institution conclude so-called processing agreements with our ICT suppliers. In this agreement, we lay down exactly what they are and above all are not allowed to do with our students’ and employees’ personal data. So it is a good idea to understand the importance of such an agreement in case you yourself want to use new software for your work.

Take a look at this example:

 

A lecturer hastily copies notes taken by a few Political Science students, including their first and last names, into a Google Doc and accidentally leaves the document settings on ‘public’. The education institution itself uses Microsoft 365, as a result of which no processing agreement with Google exists. Years later, the student (who has since graduated) is told that notes of theirs, which clearly reveal their political preference, can be found online. The lecturer who manages the Google account no longer works at the education institution, as a result of which the document cannot simply be removed, either.

 

This situation, which is very unpleasant for the student, could have been avoided if the lecturer had made use of their own education institution's ICT applications. The same applies to the use of personal equipment; that can also go terribly wrong, as illustrated by the example below...

 

For the sake of convenience, an employee of an education institution had synchronised her business OneDrive account with her personal laptop, in order to also be able to immediately edit all business files locally and offline on her own laptop. Following a journey by train, she found that her laptop had been stolen; the password protection on the laptop proved inadequate. A few days later, it emerged that various files containing personal data that were saved on the laptop had been published on the internet, resulting in considerable damage being suffered by all parties involved.

 

So you must always be extremely cautious about using software and/or hardware that is not part of the range of applications offered by your education institution!

Carefully read through the following information first in order to learn what the various terms mean. On the next page, you will find out what the most important do's and don'ts are when it comes to working within the parameters of the ICT facilities provided by your education institution.

 

What do you have to hide?

Nothing, right? So why would we worry about privacy? Good question. Perhaps this video clip can provide a preliminary answer:

Oops, so you actually do indeed have something you want to hide... Much of the information about people that is discussed in this video clip is referred to as ‘personal data’. Personal data includes all information which can be directly or indirectly traced back to you as a unique individual. And why is it important to know this? Because you can also do some very unpleasant things with other people's personal data.

Have a look:


Personal data

OK, so it's important to refrain from carelessly scattering your personal data all over the place. But what exactly is ‘personal data’ anyway? Basically, it is any data which on its own, or in combination with other personal data, can be traced back to you as a unique individual.

Do you remember the game ‘Who am I?’ on the right? In this game, you combine various kinds of personal data, so you can eventually guess the identity of the person concerned correctly. It works the same way with your own personal data. The mere fact that you have brown hair is not personal data, but it is considered personal data if you are the only person in your class with that colour hair. On its own, your first name is in many cases insufficient to be able to identify you, but it is enough if your last name and house number are also known.

Examples of personal data: your name, address/email address and place of residence. But also telephone numbers, bank account numbers, study results and postcodes together with house numbers are considered personal data.

Special categories of personal data

And yes, ‘special’ personal data exists, too! The law provides for additional protection of this special category of data; not a single organisation is allowed to retrieve this data about you, unless an exception applies under the law. One of these exceptions is ‘consent’: as soon as you give your consent for an organisation to save your special personal data, the organisation is legally permitted to do so.

Special categories of personal data concern:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data (where used for identification purposes)
  • health
  • sex life.

What now?

What use is all this information about personal data? Read the text from the Dutch Data Protection Authority below:

Every time you use personal data, that constitutes an infringement of the privacy of the people whose data you are using. You are therefore only permitted to use personal data if that is truly unavoidable, i.e. if you cannot fulfil your purpose without this data.


This means that if an organisation such as your education institution wants to use personal data, it must have a good reason for doing so. Such a reason is referred to as a ‘lawful basis’. There exist six different lawful bases on which you can legally use personal data, for example if someone has given you their consent, if there is a legal obligation to do so or if the personal data is necessary for the performance of a contract (e.g. an employment contract).

The legal rules regarding the use of personal data are laid down in the General Data Protection Regulation (GDPR). The essence of this is:

  • There is a purpose and a lawful basis for processing personal data.
  • No more data is collected than necessary for the relevant purpose.
  • Data is removed as soon as it is no longer necessary for the relevant purpose.
  • The rights of the data subjects are respected (including the provision of information about what will be done with their data).
  • Processing is carried out in a secure manner and if other parties are involved, agreements must be made concerning the use of the personal data (the processing agreement).

Processing agreement

An employee or student shares a few pieces of their personal data with the education institution. The education institution proceeds to use some of this personal data in order to be able to offer certain services, teach lessons or satisfy certain legal obligations. The personal data which the education institution shares with external parties does not fall under the agreements you reached with the education institution. For this purpose, the education institution will have to enter into a new agreement with the external party (the ‘processor’ of your personal data). This is referred to as a processing agreement and it is mandatory for both the education institution and for the external processor of the personal data.

Want to learn more about what exactly a processing agreement is? Watch the video clip at hulpbijprivacy.nl, read about it on the website of the Dutch Data Protection Authority or check the page [insert page url] of our intranet.

Licensing rights

A licence is also referred to as a right of use. The conditions under which a licence (and thus the right of use) is granted, are always stated in the licence agreement. You would enter into a licence agreement for example if you were going to use new software (everyone is familiar with the ‘I agree to the licence agreement’ box, but who actually reads this text...?), but it could actually concern the use of any type of content, digital or analogue, including photos and video clips. If you want to make use of new software at our education institution, then you must always request permission for this first via [contact details of relevant department].

When you decide to use social media such as Facebook and WhatsApp, you must also agree to their general terms and conditions. You agree to this straightaway; you cannot negotiate the terms with these parties. In many cases this will also involve giving the social media platform a ‘licence’, i.e. a right of use, that allows it to use your photos and video clips, for instance. This does not mean the platform becomes the owner of the content (you yourself remain the owner), but under the agreement others are allowed, for example, to share your photos and video clips. As such, it would be very difficult to have all content you ever posted on the platform fully removed, should you ever decide that you want that done.

 

Do you have any questions about any of these topics? Then you can always contact [contact information ICT / Helpdesk]. Thank you for your cooperation!

What are the risks and how can you avoid them?

Reading time
11 minutes

What will you learn?
In this component, you will become familiar with all of the actions which will enable you to make as much use as possible of the ICT facilities offered by your employer.

Summary
The education institution you work for supports you in your work by providing both hardware and software. Most of the time, these resources should be sufficient for performing your work. However, it can happen that employees wish to use additional software and/or hardware. Keep in mind that for new software, in addition to a licence agreement, you may also need a processing agreement, and that if you use your own hardware, you must take security measures, such as encryption. And with a view to security, lending your equipment to others, even to friends or acquaintances, is not a good idea.



The ICT facilities offered by your employer

Everyone tries to do their work in the best way possible. Some people need two laptops, while others require a special software program and still others will perhaps only require a mobile telephone. There was a time when you hardly had to think about this – those were the days...

Now, 30 years on, we have seen how rapidly the developments have occurred. A mobile telephone and a laptop are standard equipment for most employees and students. But what risks are involved in expanding the standard set of ICT facilities offered by your employer to include your own hardware and software? Can you imagine what the most important do's and don'ts are for each subject?


 

Using software of your own choosing

We've all been there: you want to quickly organise something for work or you have a nice idea for a new working format with students, for instance. But you do not succeed in achieving your goal using the programs on your laptop. So what do you do? You quickly start Googling to see if a solution exists. And sure enough, a website you had never heard of offers exactly the right little program!

Fortunately, it is hardly ever necessary anymore these days to download programs, because then you always run up against the restrictions imposed by systems administration. On the website you found, all you have to do is create an account and agree to the terms and conditions. After that, you can get started right away. You are willing to accept the fact that the students must also create an account. After all, they will get a lot in return. Right..?

What do you think are the four key items for consideration when it comes to using software that is not part of the standard range offered by the education institution?


1. Personal data? Then a licence alone is not enough

Will personal data be processed in the new software you want to use? Then you will need a processing agreement in addition to a licence to the software. If the software does not make use of personal data, then a processing agreement is not necessary. If the new software is just a program that carries out calculations locally on your computer without processing any personal data, for instance, then having a licence to the software is sufficient.


2. Need a processing agreement, as well? Arrange it together with the licence agreement

Want to use new software in which personal data is processed? Then you must conclude a processing agreement immediately when entering into the licence agreement. Make sure the Procurement department is immediately involved in monitoring this process and arranges for the licences/agreements on your behalf. If you take out a licence first and you want to conclude a processing agreement later, then not only will personal data have probably already been used in the application, but you will also be in a bad negotiating position to properly arrange for the processing agreement.


3. Both at home and at work

More and more software runs on the cloud and is thus unmanaged; the software runs on the servers of the provider itself, so that you as an organisation do not have to think about it anymore. While that is definitely convenient, it also means that you have direct access to the software both from home and at work. As a result, your passwords and all kinds of trackers which may be used by the software are stored on both your personal and your business equipment, which brings with it the risk that malicious parties may be able to access your business data in that specific application via your personal equipment, too.


4. Who is the product?

Is the application you want to use free? If so, there's a good chance that you are the ‘product’. For example, the information you post about yourself on a social media application may be interesting to advertisers. They pay the social media platform to obtain access to your data. With every free application, you should carefully consider who or what the product really is, so you can make a well-considered decision about whether or not you actually want to use the application.


The use of personal equipment

You probably use equipment you yourself own, such as a telephone, tablet or laptop, from time to time for business purposes. That's understandable, because working on the cloud means you can actually work anytime and anywhere. In itself, there's nothing wrong with that, provided that you ensure your personal equipment is properly protected.

Because under the ‘right’ circumstances, a malicious person can also easily gain access to your business files and applications via your personal equipment. And that can be just as (if not more) damaging for the organisation as if someone hacks into your business equipment. So it is extremely important to have a good understanding of how you must handle your personal equipment if you also use it for business purposes.

What do you think the three most important items for consideration are when it comes to using personal equipment?

 

1. Do not synchronise

If you use a personal device, make sure you always work on the cloud. Do not copy any business files to your personal equipment and do not synchronise any cloud services (e.g. OneDrive) with your personal laptop, telephone or tablet. That way, you can prevent files ending up on equipment other than your business hardware.


2. Passwords

Do not save passwords for business applications in the browser on your personal equipment. Doing so will mean that anyone who has access to your personal equipment will also immediately be able to access your business applications, and thus may also be able to gain access to your business files and communication.


3. Digital hygiene

If you still want to use your personal equipment, ensure you practise good digital hygiene when doing so. Encrypt your hard drive, make sure all applications and operating systems are up to date, use a password manager and always work on the cloud when using your business applications on your personal equipment.

 


Social media use

A simple rule actually applies when it comes to using social media (with which no processing agreement exists) in your business activities: avoid it. This does not even only concern the popular social media such as WhatsApp, Facebook and Instagram, but all applications whereby employees and students are connected with each other online and exchange data without agreements having been reached with that application concerning the processing of the data.

Does that mean that all applications are forbidden? Not at all. At the education institution, we make use of the application [fill in name of application] which enables employees to maintain contact with each other and to share files, among other things. We use [fill in name of application] for the communication and file sharing between students. These applications can be used safely: if you still want to make use of another application with which no processing agreement exists, you must always contact [fill in name of contact person/information manager] first.

What do you think the four most important items for consideration are when it comes to using social media?

 

1. Consent alone is not enough

According to the privacy legislation, if someone gives their consent for the use of personal data in a social media application such as Facebook or WhatsApp that means that they must also be able to withdraw it. However, when accepting the terms and conditions of Facebook or YouTube, for instance, the user transfers the licensing rights to any images and video clips they post within the application to Facebook or YouTube.

That means that Facebook, WhatsApp or YouTube can use all photos and video clips posted by the user on their platforms for other purposes, too. The tourist who suddenly spotted her Facebook profile photo in a Facebook advertisement hanging in a Japanese bus shelter is a well-known example of this. So if you withdraw your consent, that does not mean that all content is then removed from the platform: that content simply remains available to the social media platform itself under the licensing rights.


2. Students have a right to a secure learning environment, including online

Making mistakes is part of the learning process. Inside a closed online environment offered by the education institution itself and with which a processing agreement exists, you can guarantee the security; in principle, none of the student's work is shared publicly outside of this platform.

But let's say the lecturer asks students to do an assignment for a lecture on a public blog platform; in that case, the student's work will be available outside of the education institution's platform. And, as such, it can potentially also be found by future employers and business contacts. A student (and also an employee) has a right to a secure, closed online working and learning environment where mistakes can be made and in which it is not possible – either now or in future – for external parties to access the data.


3. Always offer an alternative

It is not forbidden to use social media. If you as a lecturer just want to inform your students of certain organisational changes (i.e. not personal data), then that can in principle be done via a Facebook group. However, you are also required to offer an alternative for students who do not have a Facebook account or who do not want to be part of the Facebook group. Students must be able to find all available information about their study programme using only the software offered by the education institution.


4. Take hierarchical relationships into account

Suppose you are a manager and you ask all your employees whether they would like to temporarily become members of a WhatsApp group in order to be able to make preparations for a colleague’s birthday celebration in secret. Do you think an employee who does not want to be part of this would dare say no? Is the consent to be given then truly voluntary? And would that one colleague who only works two days per week dare go against a group of full-time employees if a social Facebook group is created for the entire department? Or let's say one student from a tutorial is the only one who does not want to take part in an assignment on a popular new chat app. Would they dare refuse?

Always take any hierarchical relationships into consideration when asking others to make use of certain social media! Consent must be able to be freely given. In a hierarchical relationship (e.g. a relationship between an employee and a manager or a student and a lecturer), this is often not the case for the subordinate individual because they are more likely to feel obliged to give their consent.

 


All information about the handling of information at our school is laid down in the 'Information Security Policy'. You can download and view this document via the button below:

Read everything about our 'Information Security Policy'

Challenge & further assistance

Let's get to work!

You should now be aware of the most important do's and don'ts you must keep at the back of your mind if you want to make use of software or equipment that is not part of the range offered by your education institution. Now it's time to test how well you can put this into practice!

On this page, you will find a fun and educational ‘challenge’ you and your colleagues can do together. With this challenge, you will gain insight into the applications you use which are not part of the standard range, enabling you to start a discussion with each other about the desirability of using certain applications in your team or department.

Good luck!


 

Challenge: What kind of user are you?

Goal: based on the insights you have gained into the applications used in a team/department (which are not part of the standard range), determine in consultation which applications are desirable and/or strictly necessary.

Participants: it is recommended that you only do this challenge with a team of employees, for which it is actually relevant that the members of the team or department will use the same software.

Execution: In this challenge, you will work on determining within one week which applications the members of a team or department will use. As soon as insight has been gained, you can decide in consultation which applications your team wants to/does not want to keep and for which desired functionalities software is probably already offered by the education institution.

To carry out this challenge, you should complete the following steps:

  1. Print out an Excel worksheet with three columns: the first for the name of a colleague, the second with the title ‘Application’ and the third with the title ‘Goal’. In this worksheet, employees can enter an application they have used in each cell of their own column and in the adjacent column, ‘Goal’, indicate for what purpose they use this application.
     
  2. Communicate the rules to all participating employees:

- For one week, we will look at which applications all of us use and for what purpose we use those applications.

- An enlarged Excel worksheet has been printed out and posted at [insert location] where everyone can easily find it.

- Before each lunch and before the end of each working day, write down your name, the software applications you have just used and for what purpose you used them on this worksheet. Also write down all websites you have used and for which ones you need an account in order to use them.

- At the end of the week, we will discuss the results with the entire group. At such time, we will look at which applications have been used which are not part of the standard range (and with which of these we may have to enter into licence or processing agreements should these applications prove strictly necessary), which applications from the standard range we can probably also use for this purpose and which of the applications from the standard range we have not used at all.

- Based on this overview, we can then get into a discussion with our colleagues from [insert name of department] to consider how we can organise the range of applications as effectively as possible for our work.

  3. Agree a start date and let the challenge begin!

 


Below you will find a handy list of all quick wins in relation to the principle 'Only use the ICT facilities provided by your employer for your work':


Processing agreement: remember that, if you want to make use of new software in which personal data will be processed, a processing agreement is always required.


Licence agreement: remember that you must request a licence agreement and a processing agreement via the [add contact details of department] so that they can conclude these at the same time.


Licensing rights: keep in mind that if you are going to make frequent use of social media, you are granting them the right to make use of all content you post on the platform.


Encryption software: we use the encryption software [add name of software] at our education institution. You can download and install this software for free via [add software location]. Installation instructions can be found at [add location of instructions].


Strong passwords: for each application, make sure you use long passwords that include many different symbols. You can use a password manager for this; at our education institution we use the software [add name of software]. You can download and install this software for free via [add software location]. Installation instructions can be found at [add location of instructions].


Any other questions? If you have any other questions about using the ICT facilities offered by our education institution, please contact [add contact details].

Principle #2: Make sure you always know who you are dealing with

Summary

Reading time
3 minutes


Summary
This module is about social engineering, a collective term for all of the ways in which malicious parties try both online and offline to steal information from you which you normally would not hand over to others. This includes passwords, access codes and files, as well as information related to your connection and finances. Malicious parties ‘engineer’ themselves socially, which simply means that they pose as something or someone else.

The simplest example is the online contest of which everyone has been the winner at one time or another. You were the millionth visitor to a website, you just received the highest score on that ridiculously easy online quiz, etc. A link immediately appears on your screen which you must click on within one minute in order to claim your special prize. And before you know it, you are on a fraudulent website, filling in your email address, bank details, etc...

With social engineering, human beings themselves are the weakest link. As long as there are circumstances under which we will still give others access to our details (whether intentionally or not), no security feature will ever be able to protect us. 

Social engineering happens in all kinds of ways, ranging from a Microsoft ‘employee’ who tries to gain access to your computer by telephone or a malicious party who recovers sensitive information from the office rubbish bin to CEO fraud, a type of email scam whereby the victims are fooled into transferring large sums of money to the cybercriminal.

So both offline and online forms of social engineering exist. The online forms are referred to as ‘phishing’, which can be subdivided into three different types:

1. ‘Normal’ phishing, whereby many people receive fake messages via email, WhatsApp or text message at the same time.
2. Spear phishing, whereby a highly personalised fake message is sent to a specific person or business. 
3. Whaling, a type of cyberattack targeting high-ranking individuals in an organisation, in particular.

In order to recognise such messages, you must always start by asking yourself whether you trust the message at all. Is the sender peculiar, were you surprised to receive such a message in the first place, does it contain a lot of grammatical or spelling errors or does the message suddenly and unexpectedly put you under considerable pressure? If so, then that is an immediate red flag. In this module, we will give you the concrete tools that will enable you to check relatively easily whether a message is legitimate or fraudulent. 

But beware: social engineering occurs offline, too. At open education institutions, in particular, anyone can easily enter the building. Has the door been left unlocked, is the cupboard open, has the whiteboard been left unerased or did you simply allow the cute electrician into your room without asking for a valid form of ID? Then the consequences can be just as unpleasant for you and the organisation as if you fall victim to a digital phishing attack.

This does not mean you should now automatically mistrust everything and everyone around you. You should, however, always pay attention to where a message has come from. You are better off taking action in the form of more frequently double-checking a message or a messenger, than proceeding to click on that one particular link...

We will begin each module with a short quiz so you can find out what you already know about the various subjects.

 

Good luck with this second module!

What do you already know?

Key terms

Reading time 
10 minutes

What will you learn?
You will learn several important terms concerning the ways in which malicious parties try to steal your data or that of your organisation.

Summary
Social engineering is the collective term for all of the various methods by which malicious parties impersonate someone else both online and offline, with the aim of obtaining access to data, hacking into an account and stealing money or data, for example. In so doing, they target the weakest link in the security chain: human beings.

The online forms of social engineering are referred to as ‘phishing’, which can be subdivided into three different forms: large-scale attacks (phishing), attacks targeting a specific person (spear phishing) or attacks aimed at high-ranking members of an organisation (whaling). Many of these types of attacks can be prevented by taking a critical look at the sender, the use of language, links and the person behind the apparent sender in each message or request received. If things still go awry, you must inform the [insert department] of this immediately.


A game of cat and mouse

The world of hacking, phishing and whaling often involves a game of cat and mouse. Security companies try to filter out fraudulent messages as much as possible and employees are on the alert to quickly identify attempts to steal data. And, at the same time, malicious parties keep trying to find new ways to get hold of business information. Take a look at this fine example of how online fraud works...
 

With ‘social engineering’, i.e. impersonating someone else, malicious parties try to infiltrate company systems in all sorts of different ways. No matter how strong our passwords are or how many files or data carriers we encrypt, we as human beings are the most vulnerable link across this entire chain.

It is a technique whereby hackers try to persuade you to give up data you would normally keep to yourself. It may also be that the person does not wish to target you directly, but wants to use you to further penetrate the organisation. So don't think: what use am I to them in this organisation? You could easily be a stepping stone on the way to gaining access to the entire email server of the organisation, as a result of malicious parties having been able to install a keylogger on your computer.

If we give away our password on a dubious website or accidentally open a file containing malware, there's not a single digital security feature out there that can protect us. These days, social engineering happens primarily via digital routes, such as text messages and emails containing questionable links and requests from ‘banks’ and ‘government agencies’. But this can also be done quite effectively with the more old-fashioned methods:
 

Someone who claims to be a construction company employee wearing construction attire enters a public education institution and follows the signs to the boardroom. He brazenly enters the boardroom, where he politely explains that he quickly needs to check the power supply. Caught off guard, the director lets the man through, but does not notice that he is secretly inserting a small USB stick into the director's computer, with which he will later gain access to all of the management board's data flows.

 

In this way, all of an organisation's data can become exposed and accessible to malicious parties within just a few minutes. In this module, we will get to work on the principle ‘Make sure you always know who you are dealing with’, as it applies to both the online and offline world. By carrying out a few simple checks of all incoming communication, you can easily prevent a lot of damage to both yourself and the organisation.

 

Read carefully what the different terms mean. Below you will discover the most important do's and don'ts regarding phishing, spear phishing and whaling.

 

 

Phishing

What is it?

Suppose you receive an official email from your bank, politely requesting that you click on a link and fill in your account number and password for verification purposes.

Of course you’ll do that, why wouldn't you? However, a short while later, it emerges that malicious parties have taken full control of your card and bank account. Ugh... Just take a look at how big these criminal 'phishing' organisations already are, as you can see below:
 


The term ‘phishing’ comes from ‘fishing’. Malicious parties request data about your bank, passport or driving licence via fake emails or text messages. They use this data to steal money or your identity from you. URL spoofing is often used in phishing scams. This refers to the practice of making a URL look like that of a particular website, such as a bank, so that the user thinks they are dealing with the real site, whereas the URL actually refers to the site of the malicious party.

How can you spot phishing?

Use your common sense. A bank would NEVER ask you via text message to fill in your password and/or citizen service number somewhere! The following are a few tell-tale signs which suggest that you might be dealing with a phishing attempt:

  • The message is not directed at you personally, but begins with ‘Dear Client’, for instance
  • The message contains grammatical and spelling errors
  • Often, you will be asked to ‘verify your account’: a bank or education institution would never do this
  • The threat is made that you will suffer certain consequences if you do not immediately obey the message.
  • There are subtle differences (e.g. a different extension) between the link in the message and the correct link.

Use the checklist on this website to quickly determine whether a message is real or fake by answering a few simple questions.

So phishing concerns online forms of social engineering. But social engineering occurs offline, too. ‘Dumpster diving’, whereby malicious parties go through an organisation's rubbish in search of sensitive or personal data, is a well-known example of this. They may be able to use that data to pose as one of the organisation's employees or even to obtain online access to the organisation's networks. So you should always be really careful what you throw in the rubbish bin...

 

Spear phishing

What is it?

Spear phishing is a form of ‘phishing’, whereby malicious parties approach a particular individual within an organisation. As such, spear phishing is usually more difficult to recognise than ‘regular’ phishing attempts, since the message is often quite personal.

If you suspect spear phishing, it is always prudent to ask yourself whether or not you would expect to receive that particular message. For example, if you aren't expecting a delivery from DHL, then it doesn't make much sense to receive an email from them with a track & trace code in it. Strange requests from your manager, for instance, addressed to you in particular, are also a red flag.

If you suspect spear phishing, do not try and verify the sender via email, as it is very likely that your email will just be received by the malicious parties themselves. If you doubt the authenticity of a particular request, you should always phone the sender. That way you will quickly know for sure whether you are dealing with a real or fraudulent message.

 

Whaling

What is it?

Whaling is a specific form of phishing whereby malicious parties target high-ranking employees in an organisation, such as the director, financial director or an HR director who has access to personal data. A well-known example of this is CEO fraud, whereby malicious parties usually use email spoofing to persuade a CEO to approve large mala fide transactions, for example (‘spoofing’ refers to the forging of emails with a false sender address, as a result of which the email appears to come from a known address, such as that of a colleague).

 

Do you have any questions about any of these topics? Then you can always contact [contact information ICT / Helpdesk]. Thank you for your cooperation!

What are the risks and how can you avoid them?

Reading time
12 minutes

What will you learn?
In this component you will become familiar with all actions you can take to always know as far as possible who you are dealing with both online and offline, in order to know for certain that you are sharing data, entering into a contract or are involved in a business transaction of any other form with the right person.

Summary
Social engineering exists in various shapes and sizes. The most well-known forms are phishing, spear phishing and whaling. The techniques used for these have become so difficult to distinguish from the real thing that many organisations have been cheated out of large sums of money as a result of these methods.

In addition to doing the usual checks such as ‘would my bank really ask me to renew my debit card via text message?’ the best way to verify the authenticity of a message is usually to simply phone the person from whom you received the message. And if things still go wrong at some point in time, it is very important to report this immediately to [insert name/person's contact details/department].


It can happen anywhere...

Have you ever stopped to think how much there actually is to steal from you and where this could happen to you? Your workplace is not the only place where malicious parties can make off with your data, or through you, the data of others, if you are not careful. Have a look at just how long an identity theft can go on...
 


Does this mean you can no longer trust anyone? Of course you can! Nearly all of your communication with internal and external individuals and organisations is reliable. It's just that if you ever let down your guard, even if only for a moment, it can have very unpleasant consequences. That is why we are going to discuss the following key methods for protecting yourself, your colleagues and the education institution as well as possible against this type of fraud.

Can you guess for each type of fraud what those methods are?

 


Phishing

When we hear the word phishing, it often brings to mind the weird emails or text messages everyone receives once in a while – the kind that are not very well written and include a link referring to a strange URL and vague logos. Those are clearly not to be trusted. But these days many phishing messages are quite sophisticated and difficult to distinguish from the real thing. It requires that you, a human being, have a very critical mindset about all communication that comes your way.

Since phishing exists in an endless number of different forms, it would be difficult to discuss them all in detail here. We therefore look for general principles with which you can recognise phishing and simple ways to check whether or not the messages are real. And, of course, we tell you what you must do if things go wrong anyway.

Want to take a test first to find out how well you can recognise phishing attempts? Do this Google phishing test.

What do you think are the four most important methods for recognising phishing attempts?

 

1. Do you trust it?

While it may sound silly, this is usually the best indicator of whether or not a message truly originated from the sender it appears to originate from. Think logically: would a bank approach you via text message? Would a government institution send you an email without a personal salutation? Does a technician often just walk around in your room without identification? Listen to your common sense and always ask yourself critically whether you can trust the message.


2. Watch what you click on

Every day we click on hundreds of links, buttons, attachments and images of various kinds. You almost never really consider carefully whether the link you are clicking on will actually bring you to the right location. And that is probably for the best – otherwise surfing the internet would be highly impractical. But if you don't totally trust a message, then you can just hover over the link with your mouse to check the underlying address. If the link goes to abnamro.info, facebook.io, rijksoverheid.gz or another invalid website, then you know you don't need to bother with it.

You should also be careful with email attachments. Many email attachments contain malware, such as ransomware. Certain types of files are extra suspicious when sent as an attachment; these include files in .exe, .zip, .js and .doc format. Word documents are in themselves not harmful, unless the ‘enable macros’ prompt appears after you open them. If that prompt appears, definitely don't enable macros.

Unfortunately, Windows hides extensions such as .exe by default. You can enable these file extensions so you will be able to see what kind of file it concerns. To enable file extensions, press the Windows button plus ‘R’, type ‘control folders’ in the window and press ‘Enter’. Untick the option ‘Hide extensions for known file types’ in the ‘View’ tab.


3. Always check where the message came from

Always look closely at the sender of the message, such as the telephone number, email address or website. If these do not correspond with the details of the official sender, definitely don't click on the message. For example, you should not trust an email sent from info@rabobank.net, because you know that Rabobank's official domain is rabobank.nl, and not rabobank.net.


4. Social engineering exists offline, too

Social engineering techniques are not only used in emails and WhatsApp and text messages, but also in letters and telephone conversations, for instance. You could for example receive a telephone call from an ‘employee’ from the ‘Internet helpdesk’, who wants to help you with a ‘problem’ with your computer. Keep in mind that you can be confronted with social engineering attacks from all possible directions...
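The link check and the sender check from points 2 and 3 above, as an added example that is not part of the original course: a Python sketch that compares the sender's domain and every link target in an HTML message against a list of official domains. The allowlist, the function names and the two sample messages are constructed for illustration; rabobank.nl and rabobank.net are the domains used in the text.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a list of official domains maintained by the organisation.
# rabobank.nl is the official domain named in the text.
OFFICIAL_DOMAINS = {"rabobank.nl"}


def is_official(host):
    """True if host is an official domain or a subdomain of one.

    Matching happens on a label boundary, so 'www.rabobank.nl' passes
    while 'rabobank.net' and 'notrabobank.nl' do not.
    """
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def shown_host(text):
    """Host named in the visible link text, or None if the text is not a URL."""
    if not text or " " in text or "." not in text:
        return None
    return urlsplit(text if "://" in text else "https://" + text).hostname


def check_message(from_header, html_body):
    """Return a list of findings; an empty list means no check failed."""
    findings = []

    # Point 3: does the sender's domain match an official domain?
    _, address = parseaddr(from_header)
    sender_domain = address.rpartition("@")[2].lower()
    if not is_official(sender_domain):
        findings.append(f"sender domain {sender_domain} is not official")

    # Point 2: the automated version of hovering over each link.
    collector = LinkCollector()
    collector.feed(html_body)
    for text, href in collector.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue
        target = parts.hostname or ""
        if not is_official(target):
            findings.append(f"link points to {target}, which is not official")
        shown = shown_host(text)
        if shown and shown != target:
            findings.append(f"link text shows {shown} but the link goes to {target}")
    return findings


# Constructed sample messages (not real emails).
SUSPICIOUS_FROM = "Rabobank <info@rabobank.net>"
SUSPICIOUS_BODY = (
    '<p>Dear Client, verify your account at '
    '<a href="https://rabobank.net/verify">www.rabobank.nl/verify</a> today.</p>'
)
GENUINE_FROM = "Rabobank <info@rabobank.nl>"
GENUINE_BODY = '<p><a href="https://www.rabobank.nl/contact">Contact us</a></p>'

if __name__ == "__main__":
    for finding in check_message(SUSPICIOUS_FROM, SUSPICIOUS_BODY):
        print("WARNING:", finding)
    print("genuine message findings:", check_message(GENUINE_FROM, GENUINE_BODY))
```

A clean result only means these checks found nothing; the first question, whether you trust and expected the message, still applies.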

 


Spear phishing

Spear phishing is actually even scarier than ‘regular’ phishing. As you know, this does not concern the same ‘buckshot’ approach that regular phishing often does, but instead involves messages aimed at getting a particular employee or student to click on a link, for example. And this is not always because the employee himself has access to particularly sensitive information; the aim can also be to use that person to install malware on the business network, to get hold of data of high-ranking members of the organisation or to gain access to certain files.

Like regular phishing attacks, spear phishing attacks can be carried out in a variety of ways. One example is a father who creates a Hotmail address using his daughter's name in order to request the daughter's report card from her teacher. An email that has supposedly been sent from a management board member's private email address, arrives in your inbox and addresses you personally is also an example of spear phishing!

What do you think are the two most important ways to deal appropriately with spear phishing?

 

1. Do not check the authenticity by replying to the email

Suppose you receive an email with a rather strange request, for instance to quickly transfer a certain sum of money, to forward certain sensitive information or to grant ‘temporary access to your account’. If you reply to this message in order to ask whether it is genuine, your email will be received by the fraudster, who would probably be more than happy to reassure you so that you comply with their request...


2. Pick up the phone!

Don't totally trust a message addressed to you personally? Just phone the sender. Nobody will mind if you double check the message's authenticity; better safe than sorry. By phoning the sender, you will know for sure you've got the right person, who will be able to inform you quickly enough whether the message was legitimate.
 


Whaling

Any form of phishing can have a big impact, but whaling may well involve the biggest risks of all. The fact that the attacker often spends a long period of time building up a relationship with the high-ranking employee means that, if the attack is successful, the attacker can potentially inflict considerable damage on the organisation.

Whaling attacks can affect both the high-ranking employee and people lower down in the organisation. Both parties are often needed to carry out a financial transaction, send files to an external party or collect certain business information, for example. One of them grants permission, while the other performs the act. It is therefore a good idea for all employees in an organisation to be aware of the characteristics of a whaling attack.

What do you think are the four most important items for consideration with regard to a whaling attack?

 

1. A hierarchical relationship is always involved

Not all employees feel at ease calling a request from a higher-ranking person in an organisation into question. And precisely that is one of the pitfalls of whaling attacks. Due to the hierarchical relationship, there is the chance that the request will be granted more easily. So the same applies here, too: if you don't trust the request, particularly if it is financial in nature, always phone the person from whom the request originated (or have your manager do this).


2. Phoning instead of emailing

Just as with spear phishing: never send an email to the address the message originated from for the purpose of verifying the authenticity. If the address is fake, the email will end up right back in the attacker's inbox. Always use the telephone for checking requests.


3. Do not reply to private email addresses

If you receive a request from a manager or high-ranking individual in the organisation that originates from a private email address, do not reply to it. Anyone can create an arbitrary email address to lead you to believe the message comes from a real person. Only reply to requests that come from an email address from within the organisation and always check for email spoofing.


4. Check for email spoofing

In case of important or dubious requests, always check whether the email address where the request originated from is real. By spoofing email addresses, malicious parties can easily trick you into thinking that an email actually comes from a manager whereas in reality that is definitely not the case. Hover over the email address with your mouse to reveal the actual underlying email address or check this with the ICT department.
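The spoofing checks from the points above, as an added example that is not part of the original course: a Python sketch that inspects a message's headers for a display name showing a different address from the real sender, a sender outside the organisation, a Reply-To that diverts replies, and a failed authentication result recorded by the receiving mail server. The domain school.example, the indicator names and the three sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: placeholder for your institution's own mail domain.
ORG_DOMAIN = "school.example"

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
AUTH_FAIL_RE = re.compile(r"\b(?:spf|dkim|dmarc)=(?:fail|softfail)\b", re.I)


def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.rpartition("@")[2].lower()


def spoofing_indicators(raw_message):
    """Return the list of spoofing indicators found in the headers."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    indicators = []

    # The display name shows one address, the real sender is another.
    # This is what hovering over the sender name reveals.
    shown = ADDRESS_RE.search(display)
    if shown and shown.group(0).lower() != sender.lower():
        indicators.append("display-name-mismatch")

    # Request arrives from a private or otherwise external address.
    if domain_of(sender) != ORG_DOMAIN:
        indicators.append("external-sender")

    # A reply would go somewhere other than the visible sender's domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(sender):
        indicators.append("reply-to-differs")

    # SPF, DKIM or DMARC failure recorded by the receiving server.
    # Only trust an Authentication-Results header added by your own mail server.
    results = msg.get_all("Authentication-Results", [])
    if any(AUTH_FAIL_RE.search(value) for value in results):
        indicators.append("auth-failed")

    return indicators


# Constructed sample messages (not real emails).
DISPLAY_NAME_SPOOF = """\
From: "jan.director@school.example" <jan.director.private@mail.example>
To: finance@school.example
Subject: Urgent payment
Authentication-Results: mx.school.example; spf=pass smtp.mailfrom=mail.example

Please transfer the amount today.
"""

FORGED_SENDER = """\
From: Jan Director <jan.director@school.example>
Reply-To: jan.director@mail.example
To: finance@school.example
Subject: Urgent payment
Authentication-Results: mx.school.example; spf=fail; dmarc=fail header.from=school.example

Please transfer the amount today.
"""

GENUINE = """\
From: Jan Director <jan.director@school.example>
To: finance@school.example
Subject: Agenda for Thursday
Authentication-Results: mx.school.example; spf=pass; dkim=pass; dmarc=pass

See you Thursday.
"""

if __name__ == "__main__":
    for name, raw in [("display name spoof", DISPLAY_NAME_SPOOF),
                      ("forged sender", FORGED_SENDER),
                      ("genuine", GENUINE)]:
        print(name, "->", spoofing_indicators(raw))
```

An empty result does not prove the request is genuine, for example when the sender's real account has been taken over, so important requests are still verified by telephone.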

 


All information about the handling of information at our school is laid down in the 'Information Security Policy'. You can download and view this document via the button below:

Read everything about our 'Information Security Policy'

Challenge & further assistance

Let's get to work!

You are now familiar with the most important methods with which malicious parties try to infiltrate your organisation through the use of social engineering. Now it's time to test how well you can put this into practice!

On this page, you will find a fun and educational ‘challenge’ you and your colleagues can do together. With this challenge, you and your colleagues will gain insight into the degree of awareness about social engineering in your team/department, which can provide a useful starting point to have a discussion about this subject and perhaps to take additional security measures.

Good luck!


 

Challenge: What do you throw away?

Goal: to become aware of the degree to which others can easily find sensitive data such as personal data.

Participants: it is recommended that you only do this challenge with a limited number of employees, since all team members will eventually be allowed to view the contents of each other's ‘recycling bin’ and central rubbish bin. Sufficient trust must exist between team members to be able to take on this challenge together.

Execution: In this challenge, you will work on discovering within one week how much personal information may be available to potential malicious parties via the physical rubbish bin.

To carry out this challenge, you should complete the following steps:

  1. Put together the team which will carry out this challenge, keeping in mind that participants will be allowed to view the contents of each other's rubbish bin after one week, as that is precisely what potential malicious parties who get hold of the waste/rubbish bin are able to do.
     
  2. Communicate the rules to all participating employees:

- For an entire week, we will see how much personal and sensitive information you all leave behind while working without necessarily being aware of it.

- Keep doing your work as far as possible as normal; in one week, you will hear what we are going to do next.

  3. Without telling your fellow team members, as the team leader you will ensure someone collects the contents of the participants’ rubbish bins on a daily basis and stores these for each person at a secret location.
     
  4. At the end of the week, the team leader will collect all the rubbish from each of the participants and lay it out on the tables. Then, the participants will be allowed to come inside and each of them will choose a pile of rubbish. Not everyone, but only the manager will check the rubbish and speak about it in meta-terms. Definitely don't share any of the data you find.
     
  5. The participants will be given a set amount of time (e.g. 15 minutes) to go through a particular person's rubbish and collect as much sensitive information as possible. If possible, the information may immediately be used to log into a particular online application, and in so doing to demonstrate how something as simple as rubbish can lead to considerable infringements and data breaches.
     
  6. The challenge will end with an evaluation discussion, in which the participants will share the information they found with each other and if possible will reach agreements for handling sensitive information more carefully, both online and offline.

 


All quick wins related to the principle 'Make sure you always know who you are dealing with' can be found in a handy list below:


Do you trust the message? This is the quickest check you can do; if you don't trust it, continue on with the following steps in order to verify whether the sender is legitimate. 


Did you expect to receive the message? If it does not make sense for the sender to send you the message (now), you should be extra vigilant.


Check the sender: if you hover over the link with your mouse, your browser will display the actual link to which the message refers. If the link is not right, definitely don't click on it.


Do not check the sender by replying to the email – phone them! Your reply will most likely be sent to the email address of the malicious party. Always verify the sender by telephone!


Private email addresses: Never reply to a colleague's private email address. Anyone can create any email address they like.


Phishing need not be digital: Social engineering attacks are also carried out by post, telephone or people who impersonate others. Be alert to any communication that seems suspicious.


Any other questions? If you have any other questions about phishing messages and what action you should take if you receive one, please contact [fill in contact details].

Principle #3: Work securely and reliably, at all times and everywhere

Summary

Reading time
2 minutes


Summary
This module is about working securely and reliably, when at work, on the road and at home. While it may seem like a no-brainer to do that at all times and everywhere, there are enough reasons to briefly focus on it.

How many people truly consider the risks of not locking their computer screen? Who really knows how childishly simple it is to see all of your internet traffic if you briefly make use of the public WiFi network on the train? Or if you email a file containing sensitive data without encrypting it? 

This module is definitely not intended to scare you. On the contrary, the goal of this module is to provide you with some concrete tools so you can reduce the risk of data breaches as much as possible. That can relate to both digital and analogue data (e.g. printed documents, whiteboards covered with notes and post-its).

And don't assume that hackers are not interested in your position and the data you work with. They are smart enough to infiltrate sensitive systems with the help of precisely those employees who are less prepared for this. And then the damage can be just as extensive.

In this module, we will discuss a few important terms related to working securely and reliably, such as encryption, VPN connections and shoulder surfing. For each of the possible locations you can work in (on site, on the road and at home), you will be given four concrete tools for working more securely. And you will also be offered the opportunity to do two fun challenges, with which you and your colleagues can immediately check in practice who best remembers the lessons learned in this module. 

But as in every module, we will begin with a short quiz so you can find out what you already know about the various subjects.

 

Good luck with this third module!

What do you already know?

Key terms

Reading time
10 minutes

What will you learn?
You will learn several key terms relating to working securely and reliably, both at home and at school.

Summary
Encrypting files, messages and your internet connection is an important step on the way towards working securely and reliably, at all times and everywhere. One of the ways you can do this is by encrypting your connection and hard drive, but also by using a VPN connection. The software required for both of these protection methods can be obtained from the ICT department.



How securely is your personal data protected?

Very securely, right? Well, not everyone's is actually... Have a look at how easy it is to discover large quantities of personal information about anyone within just a few minutes:
 

 

[alternative video clips which may be relevant to this: https://www.youtube.com/results?search_query=jake+vale+pranks+social+media]

If it is that easy for a coffeehouse worker to discover personal data, how easy would that be for a malicious hacker? And how risky would it be if it not only concerned your personal data, but all of the personal data of employees and students, sensitive research data or our school's financial data?

While it seems logical to assume you probably cannot access sensitive data, or can only do so to a limited degree, just imagine the following steps:


  1. A hacker sends you an email which appears to come from one of your colleagues. This email contains a link.
     
  2. You click on the link, and in so doing, without you realising it, you give the hacker access to your email account.
     
  3. The hacker finds out from your account what the email addresses of the Accounting department and the head of Business Operations are.
     
  4. Using the head of Business Operations' email address, the hacker impersonates that person in communication with the Accounting department and thus succeeds in having a large sum of money transferred to their bank account.

Sound far-fetched? It happens, unfortunately ... each year, many organisations fall victim to this kind of fraud. A well-known example of this is CEO fraud, whereby employees believe they are receiving instructions from their manager via email, whereas these have actually come from a hacker using a hacked email account.

The good news? Most of these types of incidents can be prevented by ensuring you work securely and reliably, at all times and everywhere.

 

Read carefully what the different terms mean. Below, we will then help you to recognise different scenarios relating to working securely and reliably and to know how to act in such a scenario.

 

Encryption

History

Many popular applications, such as WhatsApp and Microsoft Teams, transmit all messages in encrypted form. This means that these messages are useless to anyone who intercepts them, because a decryption key is required in order to read the message.

Encryption is a very old concept; it existed long before the arrival of the first computers. A 'Caesar's cipher' is an early example of encryption, which was named after the Roman emperor Julius Caesar. He replaced each letter of the alphabet with another letter in order to send secret messages to his generals.

Other well-known examples of encryption include the German Enigma and the Lorenz cipher machines, which enabled army units to communicate with each other. Whereas Julius Caesar only succeeded in achieving 25 possible combinations with his Caesar's cipher, 2000 years later, these machines were already capable of generating 16 quadrillion possible combinations!
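Why 25 possible keys offer no real protection: the following Python code is an added example, not part of the original course. It encrypts a constructed sample sentence with a Caesar shift and then recovers it by simply trying every key; the sample sentence, the shift of 3 and the small word list used for scoring are assumptions.

```python
# Constructed sample message and key (assumptions for this example).
SAMPLE_PLAINTEXT = "Meet the generals at the river at dawn"
SAMPLE_KEY = 3

# A few very common English words, used to recognise readable text.
COMMON_WORDS = {"the", "at", "and", "to", "of", "in", "is"}


def caesar(text, shift):
    """Shift every ASCII letter by `shift` positions; keep everything else."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def all_decryptions(ciphertext):
    """Return {key: candidate plaintext} for every one of the 25 keys."""
    return {key: caesar(ciphertext, -key) for key in range(1, 26)}


def score(candidate):
    """Count how many words of the candidate are common English words."""
    return sum(1 for word in candidate.lower().split() if word in COMMON_WORDS)


def crack(ciphertext):
    """Try all 25 keys and return (key, plaintext) of the most readable result."""
    candidates = all_decryptions(ciphertext)
    best_key = max(candidates, key=lambda k: score(candidates[k]))
    return best_key, candidates[best_key]


SAMPLE_CIPHERTEXT = caesar(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("Intercepted:", SAMPLE_CIPHERTEXT)
    key, recovered = crack(SAMPLE_CIPHERTEXT)
    print(f"Recovered with key {key} after at most 25 attempts: {recovered}")
```

The larger the number of possible keys, the longer this kind of exhaustive search takes, which is why modern encryption relies on very large key spaces.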

 

State of affairs

Nowadays there exist many forms of encryption, made suitable for a wide variety of purposes. One well-known example is the message that appears on WhatsApp when you send a message to a new contact for the first time: ‘Messages to this chat and calls are now secured with end-to-end encryption’. That sounds good, but what exactly is end-to-end encryption?

The first online communication services did in fact encrypt the messages transmitted between the sender and the central server, but on the server itself, the messages could be read in unencrypted form. If you had access to the server, you could also access all of the messages. That is no longer the case: thanks to ‘end-to-end’ encryption, messages are encrypted from the moment they are sent until they reach their destination. So if you intercept a message, it is useless to you, unless you have the decryption key. Want to know exactly how it works? Watch the video clip below:


 

The next big step in the realm of encryption was the arrival of quantum computers. Whereas in modern computers, each bit can only contain a value of 0 or 1, the qubits in a quantum computer can also have a value of 0 and 1 at the same time. As a result, the number of calculations which can be carried out in parallel increases exponentially. This leads to a gigantic increase in the possibilities for encryption and for the decryption of that same encrypted data.

 

Encryption methods

Encryption of your connection

Much of our work is done via the internet these days. Each website (therefore also any cloud-based services you may use for storing your data) can choose to use a secured (encrypted) connection. This is indicated by the padlock icon next to the website URL in your browser.

When a padlock icon appears next to the URL, that means that the website URL is preceded by ‘HTTPS://’. The ‘S’ in ‘HTTPS’ stands for 'secure’; this indicates that the website transmits all traffic in encrypted form. By clicking on the padlock icon, you can find further information about the website and check whether you are dealing with the right website.

But take care: malicious parties can of course also have a padlock icon added to their website. If you doubt the authenticity of a website, always also carefully check the URL itself, because no matter how many padlock icons there are on websites such as facebook.info or abnamro.net, these are definitely not the official websites!
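The URL check described above, written out as a repeatable test: this Python code is an added example, not part of the original course. It assumes that facebook.com and abnamro.nl are the official sites for the two brands named in the text; the function name classify and the sample addresses are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the official sites for the two brands named in the text.
OFFICIAL_DOMAINS = {"facebook.com", "abnamro.nl"}
BRANDS = {d.split(".")[0] for d in OFFICIAL_DOMAINS}  # {"facebook", "abnamro"}


def classify(url):
    """Return 'official', 'unencrypted', 'lookalike', 'unknown' or 'invalid'."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "invalid"
    scheme = parts.scheme.lower()
    # .hostname is the machine the browser really connects to: lowercased,
    # without any "user@" prefix and without the port number.
    host = (parts.hostname or "").rstrip(".")
    if scheme not in ("http", "https") or not host:
        return "invalid"
    # Letters from other alphabets can imitate Latin ones (Cyrillic "a").
    if not host.isascii():
        return "lookalike"
    # Exact match or a genuine subdomain. The leading dot keeps
    # "notfacebook.com" from being accepted as "facebook.com".
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official" if scheme == "https" else "unencrypted"
    # The brand name appears in the address, but the host is not official.
    if any(brand in url.lower() for brand in BRANDS):
        return "lookalike"
    return "unknown"


# Constructed sample addresses (not taken from real traffic).
SAMPLES = [
    "https://www.facebook.com/login",
    "http://www.abnamro.nl/",
    "https://facebook.info/",
    "https://abnamro.net/",
    "https://notfacebook.com/",
    "https://facebook.com.account-check.example/",
    "https://facebook.com@login.example/",
    "https://f\u0430cebook.com/",  # second letter is Cyrillic, not Latin
    "https://www.surf.nl/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):12} {sample}")
```

Every 'lookalike' address in the sample list could show a padlock icon; only the comparison of the actual host name with the official domain tells them apart.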

 

File encryption

Suppose you have to send a file containing sensitive data to a colleague abroad. You could send the file via email, but then it will end up on your colleague's laptop in unencrypted form. If someone intercepts the file, they can easily read it. One solution for this is to encrypt individual files; this is easy to do using one of the following methods.

1. Send the file via the SURF service SURFfilesender [our school has a licence to this]. You can choose to encrypt files when sending these via SURFfilesender. More information about this possibility [can be found here].

2. The school itself offers the service [...], which allows you to indicate per file whether you want to encrypt it before sending the email, for instance. More information about this possibility [can be found here].

3. It is also possible to encrypt most types of files from the Office package, such as a Word or PowerPoint document, with a password. You can view the password encryption options by selecting ‘Info’ in the ‘File’ menu in these applications. Please note that you should never send this password in the same email as the file you want to send in encrypted form!


 

Encryption of your hard drive

It is even safer if you encrypt your entire hard drive. In this way, no one will be able to access your files without the special key. [If you use a school laptop, it is already encrypted as standard.] If you also use a personal device to do your work, we recommend that you encrypt that hard drive, as well; you should not notice any loss of speed as a result of encrypting your hard drive.

Do you work on a Windows computer in your private life? Then we recommend you encrypt your hard drive with [BitLocker]. Do you have a Mac? Then we recommend you use [FileVault]. [For more information about the steps to be followed, please contact the ICT/Helpdesk.]

Please note that if your computer is only protected with a password, that does not mean that your hard drive is encrypted! In that case, malicious parties can easily remove the hard drive from your computer, connect it to a computer for which they do know the password and in that way will still be able to read all the data on the hard drive. 

 

VPN

VPN stands for ‘virtual private network’ and it ensures the connection between your device and the internet is secure. Using a VPN connection has the following advantages:

Anonymity

  • it is harder for websites to save your location
  • it is harder for websites to track the websites you visit and the files you download
  • it is harder for social media websites to build up a personal profile for you.

Security

  • it is harder for malicious parties to eavesdrop on your internet traffic
  • a VPN connection makes it possible to use public WiFi networks safely
  • via a VPN connection, it is possible to work safely, including from home, in our internal systems.

Freedom

  • you can bypass censorship and government website blocks. The internet is censored in some countries. With a VPN, you can change your geographic location.
  • bypassing geographic blocks. Certain content can only be viewed in specific regions.

Watch the video clip below to find out exactly how a VPN connection works:


 

Therefore, a VPN connection ensures that all of your internet traffic is transmitted via an encrypted virtual tunnel. That means that, depending on your location, you can ‘pretend’ that you are in the Netherlands. That is useful, for instance if you sometimes have to work in countries where certain services are blocked. It also means you can safely log in to our internal services from anywhere in the world.

Some internal services are only accessible via a VPN connection. Those are [...].

We strongly advise against using public WiFi networks, since all of the internet traffic on those networks is unsecured. If you work a lot on the go, then we recommend you use your mobile hotspot or, if you want to connect to a public WiFi network, do so only via a VPN connection. Our school offers you the VPN software [name of application] for free. You can download and install it here [link]: [space for step-by-step plan / screencast with explanation of the steps to be followed].

NOTE: if you are no longer able to gain access to one of the applications offered by the school, please contact [contact details of ICT/Helpdesk] immediately.

 

Do you have any questions about any of these topics? Then you can always contact [contact information ICT / Helpdesk]. Thank you for your cooperation!

What are the risks and how can you avoid them?

Reading time
13 minutes

What will you learn?
In this component you will become familiar with all actions you must take in order to be able to work securely and reliably at work, on the road and at home.

Summary
Working securely at work, on the road and at home requires above all that you learn to follow several standard routines: locking your screen when leaving your computer, at all times and everywhere, using a webcam cover and privacy film, being cautious about discussing business information when you are on the road and limiting synchronisation and other forms of data exchange between your business and personal equipment. By following these routines, you can substantially lower the risk of a data breach occurring at any given moment.



Working securely and reliably

Working securely and reliably, at all times and everywhere – it seems like such a no-brainer. Everyone wants that, right? Of course! But how do you achieve that? It is already pretty difficult to work from home and not embarrass yourself...
 

 

But it isn't 1986 anymore. In this day and age, we are connected and ‘synced’ 24/7. And that has its advantages, but also disadvantages and risks. And it's pretty easy to do something about those risks. Can you state what action can best be taken in each scenario?


 

Scenario: Working securely at work

It may sound ridiculous, but you must also work securely when in your own workplace. Not only for yourself, but also in order to guarantee the privacy of your colleagues and external parties. No matter how much you trust your colleagues and students, our school is and will remain an open institution. And within that context, we must strike a balance between open and safe.

It's not rocket science. By teaching yourself a few simple routines, you are almost guaranteed to work securely and reliably. And in so doing, you can minimize the risk of data breaches. That's reassuring, don't you think?

What do you think are the four most important actions you can take when it comes to ‘Working securely at work’?

 

1. Lock your screen if you will be away from your computer

It may seem insignificant, but if you fail to do this, it can have big consequences. Always lock your computer screen if you are going to be away from your computer, even if only for a minute. In this way, you will know for sure that no one can simply access your files and programs. Many laptops can easily be locked by briefly pressing the on/off button or closing the laptop.

On a (Windows) desktop computer, you just have to press the Windows logo key plus the ‘L’ key or Ctrl-Alt-Del-Enter at the same time. Always lock the door to your office space if you are the last one to leave the room. In this way, you can be sure that no malicious parties can access your computer, documents, cupboard or other location storing potentially sensitive information.


2. No one ever asks for your password

And if it does happen, you know that means trouble. So not even the ICT department of our school will ever ask for your password (they will NEVER do this!). If you receive an email, text message or other message asking you to share your password, for whatever reason, don't do it.


3. Webcam cover and privacy film

Two simple steps you can take to make sure that others (whether intentionally or not) cannot look at you or your computer screen. With the webcam cover, you can make sure that if someone takes over your webcam remotely, they cannot see what you are doing (e.g. to blackmail you later with the recordings). And privacy film ensures that the viewing angle from which others can look at your screen while you work is very narrow. You can collect both of these for free at [fill in location]. Definitely recommended.


4. Also be careful about all of your offline traces

In addition to digital information, you probably also produce a lot of offline information: the whiteboard that has not been cleaned and is covered with notes, including on the financial forecast for the coming year, the department facebook on the A4-size sheet of paper you accidentally leave behind on the printer, or the post-it next to your computer with your password and login name on it. Keep in mind that this kind of information can be just as damaging as digital information if it falls into the wrong hands.

 


Scenario: Working securely on the road

There are situations in which it is almost unavoidable: you must send that one big attachment, so you quickly log in on the free WiFi-network! A few days later, you find out that there is malware on your laptop... Data you send without a VPN connection via an unsecured public WiFi network can be read and analysed by anyone. Watch this video clip to see how fast that can happen.

Usually it involves less harmful forms of data breaches. For example, because that curious George sitting next to you on the train is able to look at your screen while you work, or the person behind you on the bus is listening in on that juicy story you are telling about your colleague. If you work on the road, be very careful and cautious about discussing and showing information/business information.

What do you think are the four most important actions you can take when it comes to ‘Working securely on the road’?


 1. Do not use public WiFi networks, unless...

All traffic transmitted via a public WiFi network can easily be read by others. You must therefore never (whether for business or personal purposes) use a public WiFi-network. The only exception to this rule is if you use a VPN connection. Then all of your internet traffic is encrypted and no one can simply read it.


2. Watch out for shoulder surfing

It's a great term, shoulder surfing. These are the situations in which you are standing on a crowded train or metro and you quickly send a business email from your telephone, while others can easily look over your shoulder. 99% of the time, that's not a problem, but you should try to eliminate all risks by taking care to ensure that no one can simply look at your screen while you are working. Using privacy film on your screen to significantly reduce the viewing angle is definitely recommended.


3. Watch out for eavesdroppers

Like shoulder surfing, eavesdropping frequently happens on public transport. Whether intentionally or not, people listen in on others’ conversations and there is always a risk that you will share sensitive information during such conversations. Always be aware of your surroundings and, as a general rule, never discuss sensitive information or information which is still under embargo when you are on the road. Unless you are travelling alone in your car of course...


4. Encrypt your hard drives

Make sure that, in addition to your business equipment, your personal equipment is encrypted if you use it for business purposes. The risk that your laptop, telephone or tablet will be stolen is low, but it does happen dozens of times a year. And if it happens, a strong password and two-factor-authentication alone will not be enough to protect your data, with all the associated consequences. A malicious party can, for example, easily remove your hard drive from your laptop and insert it into another computer; in this way, it is still possible to read all of your files.
 


Scenario: Working securely from home

Phew! Home at last. You know for sure you can trust everyone there. So you can also work in a relaxed manner and you don't have to take care to lock your laptop each time you get up. Right? Unfortunately, it is also extremely important to maintain the same standard of online hygiene when you are at home as at work and on the road. Not because you do not trust your housemates, but because, whether intentionally or not, something can easily go wrong.

How tempting is it to quickly give your children your business laptop so they can watch Netflix? But they will be able to access your files at the same time. How easy is it to sync your business files with your personal laptop? But now, everyone who has access to your personal laptop can suddenly access sensitive data. Or what if you are constantly syncing your personal desktop, which has not had any updates in a while, with your business cloud storage? These are just a few of the many conceivable reasons why you should adhere to a few simple rules when at home, too.

What do you think are the four most important actions you can take when it comes to ‘Working securely from home’?

 

 1. Update all your equipment!

This is RULE NUMBER 1. The simplest way to make life difficult for hackers and other malicious parties is to make sure all of your equipment is always running on the most recent operating system and that all of your programs are up to date. Hackers often make use of old security holes which have been closed with updates.

So if you don't run updates, your equipment will remain vulnerable to attacks. And that is particularly risky if you sync a business cloud service with a personal device running outdated software. In that way, malicious parties may be able to gain access to your device. Because that device syncs with a business service, this may also make it possible to gain access to the business service.


2. Do not drag files from business devices to personal devices

You may be tempted to quickly drag a few business files from your business laptop to your personal laptop so that you can easily work on them locally. However, this will mean that these business files will remain on your personal equipment and therefore may be able to be misused. If you want to work on business files on your personal equipment, always leave these in the relevant cloud services and only work on the files within that service.


3. Never lend your business equipment to anyone

Don't do it. Not even so they can play that fun game on your telephone. Or to let your housemates watch that film on Netflix because the battery on your personal laptop is dead. Because this gives those people access to all files, conversations and programs on your laptop, telephone or tablet, there is always the risk that, whether intentionally or not, something will go wrong. 


4. Always lock your screen

Even at home. What may seem like a joke for children (installing an app on mummy or daddy's computer) can have big consequences for you. Make sure both your business and personal equipment is always locked when you are away from your equipment.

 


All information about the handling of information at our school is laid down in the 'Information Security Policy'. You can download and view this document via the button below:

Read everything about our 'Information Security Policy'

Challenge & further assistance

Let's get to work!

You are now familiar with the most important steps you yourself can take to ensure that you can work securely and reliably, everywhere and at all times. Now it's time to test how well you can put this into practice!

On this page, you will find two fun and educational ‘challenges’ you and your colleagues can take on together. They will allow you to experience for yourself how well you already perform when it comes to certain aspects of working securely and reliably.

Good luck!


 

Challenge #1: Locking your computer screen

Goal: to learn that you must always lock your computer screen if you will be away from your computer.

Participants: there is no maximum number of participants for this challenge.

Execution: In this challenge, you and your colleagues will work on figuring out within one week how often certain colleagues fail to lock their computer screen before walking away from their computer. To carry out this challenge, you should complete the following steps:

  1. Create a silly email address (e.g. cake@[yourschool.nl]).
     
  2. Communicate the rules to all participating employees:

- For one week, we will look at how often our colleagues lock their computer screens (or fail to do so).

- If you see that a colleague's computer screen is not locked and the colleague is away from their computer, open the colleague's email inbox and send an email from it with the subject ‘Cake!’ to the colleague with the email address cake@[yourschool.nl] in CC.

- In this way, each time an email with the subject ‘Cake’ has been sent, both the colleague and the manager of the email address cake@[yourschool.nl] will see it. Because the colleague will also receive an email, they will immediately become aware of their own behaviour with respect to locking the computer screen.

- At the end of the week, the manager of the email address cake@[yourschool.nl] will print out all of the emails received. The ranking of colleagues in terms of who has locked their computer screen the most frequently and who has done so the least frequently can immediately be seen.

- The colleague from whose email inbox the most emails have been sent will treat everyone else to cake.

  3. Agree a start date and let the challenge begin!

 


 

Challenge #2: Getting hold of passwords

Goal: to become aware of how easily people may divulge privacy-sensitive data such as passwords both online and offline.

Participants: there is no maximum number of participants for this challenge.

Execution: In this challenge, you will get to work on determining within one week how quickly your colleagues will reveal one of their passwords. To carry out this challenge, you should complete the following steps:

  1. Make sure you only carry out this challenge with internal colleagues who definitely have access to the systems which are part of this challenge.
     
  2. Agree beforehand for which systems you will try to get hold of each other's passwords and communicate this clearly to each other.
     
  3. Communicate the rules to all participating employees:

- For an entire week, we will try to get hold of each other's passwords for one of the previously communicated systems.

- You can try to get hold of each other's passwords in various ways, but not by actually hacking into one of the computers of the participants with the help of software.

- Once you have got hold of a password, as proof, make a screenshot of the relevant application that clearly shows you have logged on to your colleague's account. Send this screenshot along with the corresponding explanation to [...@...]. If you have access to a colleague's password before the challenge starts, you can contribute that too. But in that case, too, you must inform your colleague immediately so that the password can be changed.

- Log off immediately, notify your colleague and ask them to change their password right away.

  4. At the end of the week, collect all of the results from the designated email inbox. The person who has succeeded in getting hold of the most passwords will win a pre-determined prize.
     

 

All quick wins related to the principle 'Work securely and reliably, at all times and everywhere' can be found in a handy list below:

 

Software is up to date: Make sure all software installed on your personal equipment is always up to date. Most operating systems and applications give you the option to enable automatic updates.


Webcam cover: You can pick up a free webcam cover for your webcams at [add contact details].


Privacy film: You can pick up free privacy film for your laptop screen at [add contact details].


Encryption software: We use the encryption software [add name of software] at our school. You can download and install this software for free via [add software location]. Installation instructions can be found at [add location of instructions].


Strong passwords: For each application, make sure you use long passwords that include many different symbols. You can use a password manager for this; at our school we use the software [add name of software]. You can download and install this software for free via [add software location]. Installation instructions can be found at [add location of instructions].


VPN software: we use the VPN software [add name of software] at our school. You can download and install this software for free via [add software location]. Installation instructions can be found at [add location of instructions].


Any other questions? If you have any other questions about working securely and reliably, either at our locations or at home, please contact [add contact details].

Principle #4: Only allow the right people access to the right data

Summary

Reading time
2 minutes

Summary
This module is about data breaches, a collective term referring to all situations in which personal data is accessed, destroyed, modified or released, without this being the intention or being legally allowed. Data breaches come in all shapes and sizes, ranging from accidental distribution of your colleagues’ email addresses in CC in an email to an external supplier and leaving a document with a reorganisation plan containing your colleagues’ names behind on the printer to the classic case of losing a USB stick on which all kinds of personal data from the organisation is saved. 

If you work with personal data, then you must always ask yourself several questions. For what purpose am I actually collecting personal data and am I in fact permitted to collect it (in other words, do I have a basis for doing so)? And if I do collect personal data, which data do I need at minimum in order to fulfil my purpose? Do the data subjects know that I am collecting their personal data and for what purpose I am doing that? These questions are discussed in further detail on the page 'What are the risks and how can I reduce them?'.

When sharing personal data with others, there are also several basic principles you must apply. Which type of document contains the personal data and are you allowed to share the data with others based on the classification of the information in that document? What authorisation do you yourself have in the organisation and do the people with whom you will share the data have the same access levels (‘authorisation’) with respect to this data? Especially when working in cloud-based applications, you must pay particular attention that the way in which you share files and folders is in keeping with the access level of the people with whom you are sharing them.

Working securely with personal data needs to be second nature. In addition to general digital hygiene as discussed previously in this course, this also involves the awareness that you must never lend business equipment to anyone, not even when at home. It also concerns social aspects such as hierarchical relationships: can the person from whom you are requesting access to their personal data decide whether or not to give their consent of their own free will? And can that person withdraw their consent later without feeling pressured?

As you can see, the handling of personal data is an interesting and wide-ranging subject. In this chapter you will learn how you can guarantee you are handling personal data as securely as possible and thus how you can minimise the risk of a data breach occurring. And if things do go wrong, respond immediately and report the data breach right away to [add contact details]. They will then determine what action can subsequently be taken. You may not and must not decide that yourself.

As usual, we will begin each module with a short quiz so you can find out what you already know about the various subjects.

 

Good luck with the fourth module!

What do you already know?

Key terms

Reading time
10 minutes

What will you learn?
You will learn a few key terms relating to data breaches and ways in which you can prevent data breaches as much as possible.

Summary 
‘A data breach concerns the unauthorised access to or unintentional release of personal data. But it also concerns the unwanted destruction, loss, modification or disclosure of personal data', according to the definition of the Dutch Data Protection Authority. So a data breach can refer to the loss of a USB stick containing personal data, but also the unintentional sending of a series of your colleagues’ email addresses to an external supplier.

When collecting and sharing personal data, you can minimise the risk of data breaches occurring by thinking critically in each case about which personal data is strictly necessary in order to fulfil your desired purpose, deleting this data again when it is no longer necessary for fulfilling that purpose, informing the data subjects about the processing of their data in a transparent manner and taking all protection measures discussed previously.

Here, too, it is important to be properly informed about the rules of conduct in relation to the classification of information: which actions are you allowed to take with which types of information? If things do still accidentally go wrong, you must inform the [insert department] of this immediately.


Mission Impossible?

The 'Nonofficial Cover List', also referred to as the 'NOC list', was the list of all names of secret CIA operations and the people who took part in them. This list formed the basis of the film ‘Mission Impossible’, in which Tom Cruise is motivated to take extreme measures to steal it...
 


If the NOC list were stolen, that would constitute the biggest data breach in CIA history. It would mean that all operations and infiltrators would be revealed to the outside world in one fell swoop. Fortunately, most education institutions do not have this kind of top secret material at their disposal, but even at an education institution, there is enough personal data that you prefer not to share with unauthorised persons...

And frankly, a data breach need not be very serious at all to have unpleasant consequences for the data subjects involved. The intentional or unintentional sharing of data such as salary scales, medical data or even email addresses is already considered a data breach. An accident might be just waiting to happen. Have a look at this example:
 

An employee from the Personnel Department accidentally forgets to lock their computer screen when leaving their workspace for a quick visit to the toilet. A colleague of theirs who just then happens to walk by, briefly glances at the screen and sees a list of names of employees who will probably lose their jobs in the next reorganisation. Or a manager accidentally sends an unencrypted file containing a list of all assessments of the team members to the entire team, instead of the HR department.

 

That's how quickly and easily a data breach can occur. Often there are no bad intentions behind it, but human clumsiness, which can have big consequences for the data subjects involved. The principle ‘Only allow the right people access to the right data’ therefore sounds extremely obvious, but requires a procedure which prioritises privacy and security with each and every action taken (particularly in the handling of personal data). Fortunately, you can greatly reduce the risk of a data breach occurring by teaching yourself to follow a few simple routines.

 

Read carefully what the different terms mean. On the next page you will discover the most important do's and don'ts regarding the prevention of data breaches.

 

Privacy rules of thumb

The General Data Protection Regulation (GDPR) is about personal data. The first question is therefore always: in which operations in my work do I process personal data? The GDPR applies only to those operations. Watch the general video below about the GDPR first and then read the key points for dealing appropriately with the GDPR in your work.
 


So the GDPR is based on six principles, which are also referred to as the rules of thumb. These rules of thumb are important for employees when working with personal data. By consistently applying these rules of thumb, you can lower the risk of mistakes being made in the handling of personal data.

The six rules of thumb, plus, in each case, a corresponding question, are listed below. If, in the course of handling personal data, your answer to one of these questions is ‘no’, then you will have to adjust the way in which you collect or share your personal data, for example by better informing the data subjects (‘Transparency’), destroying the personal data (‘Storage limitation’) or asking for a nickname rather than a real name in a particular app (‘Data minimisation’).


 

Data breaches

A data breach concerns the unauthorised access to or unintentional release of personal data. But the undesirable destruction, loss, modification and disclosure of personal data are also considered a data breach. The General Data Protection Regulation pertains only to living individuals. If an archive folder from the Faculty of Archaeology containing the first and last names of deceased soldiers from 1918 is stolen, that does not constitute a data breach.

If a laptop or other business device is stolen, that does not necessarily mean a data breach has occurred, either. If you have always worked in the cloud wherever and whenever you have used the laptop and there are no files saved locally on it, then the fact that it has been stolen is very unpleasant, but it does not constitute a data breach. The situation is different, of course, if an unencrypted USB stick containing medical files or a paper version of the facebook falls into unauthorised hands.

So when is something considered a data breach? In principle, that is not for you to decide. That may sound inconvenient, but in our organisation, that responsibility lies with [insert contact details]. So any time something goes wrong in relation to personal data, it is essential that you report it to them immediately. If you fail to do that and the mistake is discovered later, then the consequences for the data subjects will in most cases be more serious than if you had reported the incident straightaway.

Moreover, your organisation may be required to report the incident to the Dutch Data Protection Authority. If that is the case, this must be done as soon as possible after the incident has occurred; reporting the incident late may lead to your organisation incurring a large fine. You should therefore report incidents immediately (and not hours or days later) to [insert contact details], even if you are unsure whether the incident in question meets the definition of a data breach.

What are some examples of possible data breaches?

- Emailing documents or text containing personal data to the wrong recipient.

- Emailing your colleagues’ email addresses in CC to the wrong recipient (an email address is also personal data if it can be traced back directly to a specific person).

- Unintentionally or inadvertently losing access to personal data.

- Ransomware being installed on your computer, as a result of which hackers can gain access to your files.

- Improperly configured authorisation in a collaborative environment in which personal data is also stored.

- Using your manager's account to log in, as a result of which you have unauthorised access to HR data of your colleagues.

- Sharing personal data with an external party without having made clear agreements (in accordance with the GDPR) about it.

- Leaving printed documents containing personal data in the printer or the rubbish bin. 

 

Classification and authorisation

Classification refers to assigning one or more labels to information (e.g. information in a digital or printed document, confidential discussions, etc.), so that you as an employee know how you may/must handle the information, for example where you are permitted to publish a document, how big the risk is if an unauthorised individual eavesdrops on a confidential discussion or if they read a whiteboard on which confidential information is written. By being aware of the classification of information, you can reduce the risk that the content will be improperly distributed and, as such, of possible data breaches. You can read here [add download location] which classifications we apply and what the etiquette is for each classification.

Authorisation determines which employee has access to which information. Each employee must only have access to the information relevant to their specific position. If, for example, you share a particular folder with your colleagues in the cloud, be extra careful that only those individuals who are authorised to view the content are given access to it. Always ask yourself: who will be able to access these files if I save them in a particular folder? Is it necessary to lock the folder for added security? And who should I CC when sending out a sensitive document (thus giving them access to that document)?

 

Do you have any questions about any of these topics? Then you can always contact [contact information ICT / Helpdesk]. Thank you for your cooperation!

What are the risks and how can you avoid them?

Reading time
11 minutes

What will you learn?
In this component you will learn how you can make sure that only the right people are able to access the right data, both in situations in which you need data from others and in which others need data from you, and how you can handle data from your organisation in a secure manner.

Summary
As soon as you use someone else's data/personal data in your work, you must ensure there is a sound basis for doing so, i.e. that you have a good reason for using that data, that you don't use more data than strictly necessary for your purposes and that the data subjects know that their data will be used for those purposes. If you are going to share other people's data/personal data, make sure that what you are sharing and with whom you are sharing it is in keeping with the original purpose for which the data was collected, that the data subjects know with whom their data will be shared and that you only share it with the right people.

In order to be able to work with data in a secure manner, it is important that you are aware of the classification of information and that for each type of data, you know the rules which are relevant to your position. In this context, remember that handling data in a secure manner not only pertains to digital documents, but also, for instance, a whiteboard covered with notes, a cupboard in an office or documents lying in a rubbish bin.

And if you do accidentally cause a data breach, it is very important that you report this immediately to [insert name/contact details of individual/department].



Data breaches

Sharing data with people who are not authorised to access it constitutes a data breach. The potential impact of a data breach on all data subjects is huge; just have a look at the discussion about a possible app for tracking the spread of the coronavirus:
 

The fact that data breaches which occur at our education institution impact fewer people than a data breach in a coronavirus app does not necessarily make them any less serious for those who are directly affected by them. Fortunately, you can minimise the risk of a data breach occurring in the course of your own work in a relatively simple manner, and thus guarantee that the handling of your own data and that of others takes place in as secure a manner as possible.

For each scenario, can you work out what the most important actions are for preventing a data breach?

 


I want to collect personal data. What do I need to consider?

Everyone needs to use other people's personal data from time to time in their work, for example because, as a researcher, you are required to film people or as a confidential advisor, you must compile a concise report of a discussion with an employee or simply because you want to put up a birthday calendar for your department.

You are definitely not automatically permitted to collect personal data, not even if the collection will take place in the context of one's formal duties. The collection of research data which consists – at least in part – of personal data must conform to the same principles as the student facebook put together each year by a lecturer. Those principles are not complicated, but they are of tremendous importance if you want to use other people's personal data.

What do you think are the six most important principles if you want to use someone else's personal data?

 

The basic rules for collecting personal data are that you must:

1. Legal basis

Have a legal basis. Do you have a valid reason for collecting the data? There are six lawful bases for the collection of personal data, including the performance of a contract, a legal obligation (e.g. the data must be transferred to the Tax and Customs Authority) or consent. If the basis is ‘consent’, you must ensure that the consent was given freely and on a properly informed basis and that the person can also withdraw their consent at any time. In addition, you must be able to demonstrate at all times that you have obtained consent for the collection of the personal data. Therefore, consent does not remain valid indefinitely, as it can always be withdrawn again.


2. Data minimisation

Not collect more data than is necessary to fulfil the intended purpose. Any purpose could be legitimate, but you must be able to account for why you are requesting the data. For example, if a student is going abroad, you might also ask for the parents’ data in order to have a backstop in case of an emergency. However, you cannot for example request all kinds of arbitrary personal data from prospective students at an open day: that is not a legitimate purpose.


3. Purpose limitation

Only use the personal data for the purpose for which it was collected. For example, if students start working as a student assistant at their own institution, you may not use the data from the student administration for this purpose. The student must resubmit their own data to the personnel administration. Email addresses from work placement companies are another example: you are not automatically permitted to use these to inform them of all kinds of events, conferences, etc.


4. Security

Always arrange for the appropriate security/protection features, such as access restriction, encryption, 2FA, etc., in order to prevent data breaches wherever possible.


5. Transparency

Always inform the data subjects (the people whose personal data you are processing) in advance why you need the data, with whom you are going to share it and how long you will store it. That will not always happen in a particularly formal way (such as when including your colleagues in a birthday calendar or adding people to a WhatsApp group), but be aware that it is your responsibility to inform the data subjects about how you will handle their data. You must also always inform them of any changes that will be made in the usage of their personal data (and perhaps also request their consent again if the purpose will change, as well).


6. Storage limitation

Actually have the personal data archived or deleted if you no longer need it. If there is no legitimate storage limitation, you must delete the data immediately after achieving your purpose.

 

I want to share data. What do I need to consider?

As soon as you have gathered the personal data that serves your purpose, you may want to share it, for example by including it in the birthday calendar, publishing it in a research report, using it in a new app for students or sending the requested medical files to the occupational physician. But what rules apply in these cases? In what way are you actually allowed to share data?

It seems so obvious: creating a WhatsApp group, sending a file to an external party so you can quickly move forward with your project. But the effects of sharing personal data should not be underestimated. In our digital era, one false move can have big consequences. That does not mean that we should share less data with each other, but it does mean we should be fully aware of the risks if things go wrong.

What do you think the three most important items for consideration are when sharing personal data with others?

 

1. Is it still in keeping with the original purpose for which the personal data was collected?

If you are going to share the personal data with others, ask yourself whether the purpose of the distribution of personal data is (still) in keeping with the original purpose for which the data was once collected. The list of student email addresses was probably not originally compiled in order to be uploaded to the latest fun app. And the facebook is probably not intended for the purpose of coming up with questions for the Friday afternoon pub quiz. This also applies to any documents you want to share with external parties: if the document containing personal data is not in principle intended to be shared with external parties, then you are not simply permitted to do so.


2. Inform people

If you want to share personal data with others (internally or externally), make sure that the data subjects whose data you are going to share are aware of why, where, with whom and for how long you will share this data.


3. Only share data with the right people

It sounds so obvious, but this often goes wrong accidentally. That one email which goes to the wrong external recipient or letter that goes to the wrong postal address, the forgotten document containing personal data in the printer or the Excel file from HR on your laptop which you leave open while going to the toilet. If you work with personal data, pay particular attention to handling that data in a secure manner. And if things do still go wrong, always report this to [insert contact details].

 


I want to handle data in a secure manner

Information has varying degrees of confidentiality at every organisation. Certain information is publicly available on the website, other information is only accessible on the intranet and still other information is only available to the management board; so each type of information has a specific ‘classification’. The information you have access to depends on your position and it is important that you know what the rules are for each type of classification.

With whom are you allowed to share certain information? What are the requirements for sharing that information? And what are the potential risks if you share certain information with unauthorised individuals? These questions not only relate to digital documents, but to all information within our organisation, in fact. A whiteboard which is covered with notes after a meeting, the content of your rubbish bin and that open cupboard with archive folders in your office also fall into this category.

What do you think the four most important items for consideration are for guaranteeing information is handled in a secure manner?

 

1. Know your authorisation and be aware of the rules for all classifications

Each employee has access to certain information in the organisation. An HR employee can inspect personnel files, a controller is aware of the current financial situation and a lecturer knows about the students’ study progress. Our organisation has various types of information: public information, internal information, confidential information and restricted information [insert the classifications yourself here]. The rules for handling each type of information are described in the protocol [insert title and location of document with classification rules]. Read this protocol thoroughly so you know how you can guarantee that the information you have access to in your position will be handled in a secure manner.


2. Protect the access to information

By practising proper ‘hygiene’ in the handling of all information within our education institution, you can avoid most of the risks of data breaches. The basic principles in this respect have already been discussed in the various modules of this course: always ensure your software is up to date, encrypt your hard drives, avoid syncing your business cloud storage with your personal equipment and avoid using public WiFi networks, unless you make use of a VPN connection. This also applies to analogue information, such as whiteboards and flip charts, open cupboards and desk drawers, unlocked laptops, etc.


3. Do not lend your business equipment to others

Especially not at home. It seems so easy to just give your housemates your laptop so they can watch that great Netflix film. But precisely at that moment, you receive a message from work, someone clicks on it and suddenly your housemate is in the middle of an email conversation. Or your children download that new game on your business telephone, with all the associated risks of ransomware being installed. Or the adolescents in your house send a ‘funny’ text message back to your manager just for fun, with all the associated consequences. When it comes to business equipment, follow this simple principle: never lend it to anyone.


4. Always report incidents!

And of course, everyone makes mistakes from time to time. You may unintentionally and inadvertently forward information to the wrong person, click on a suspicious link or forget your laptop on the train. We can search for the best solution together, but then it does need to be clear what exactly has transpired. Report every suspicion of a data breach to [insert contact details]. You are better off making one report too many than one too few. Privacy and security are, after all, a human effort.
 


All information about the handling of information at our school is laid down in the 'Information Security Policy'. You can download and view this document via the button below:

Read everything about our 'Information Security Policy'

Challenge & further assistance

Let's get to work!

Now you know how you can make sure that only the right people can access the right data. Now it's time to test how well you can put this into practice!

On this page, you will find a fun and educational ‘challenge’ you and your colleagues can do together. With this challenge, you and your colleagues will gain insight into the degree to which you may, from time to time, whether intentionally or not, leak data within your team/department. By clarifying this for each other, you will create a good starting point for a discussion, which can contribute towards a greater awareness when it comes to privacy and security.

Good luck!


 

Challenge: Who is the biggest data leaker?

 

All information from this entire course basically comes together in this challenge. By actively searching for data breaches caused by your colleagues, in rubbish bins, on shared hard drives, in cupboards and on unlocked screens, you can make each other aware of how easily a data breach can occur.

Goal: to become aware of the degree to which you and your colleagues leak data within your team/department and come up with measures together to prevent this.

Participants: it is recommended to only do this challenge with a limited number of employees, since all team members may end up seeing personal data about each other. Sufficient trust must exist between team members to be able to take on this challenge together.

Execution: In this challenge, you and your colleagues will get to work as a team on trying, as far as possible, over the course of one week, to catch each other in the act of leaving personal data unattended, without touching each other’s equipment or using illegal software to get each other to divulge data. Each participant will save the data collected in an encrypted document: this document will form the starting point for the final discussion about the measures to be taken.

Bonus execution: you can expand this challenge to include data carriers which do not contain personal data!

To carry out this challenge, you should complete the following steps:

  1. Put together the team which will carry out this challenge, keeping in mind that participants may be able to view personal information about each other after one week.
     
  2. Communicate the rules to all participating employees:

- For an entire week, we will try to collect as much personal or other sensitive information as possible which is ‘leaked’ by the other participants.

- Keep doing your work wherever possible as usual, but try to pay extra attention during this week to all of the security measures mentioned in this course.

- You can try to uncover data breaches caused by other participants in various ways, for example by:

* looking in each other's rubbish bins

* looking at documents lying around on each other's desks (without touching these documents)

* looking at unlocked computer screens (without touching the computer)

* trying to elicit the sensitive information while having a conversation

* investigating which files and folders on a shared drive may not be properly protected

* peeking into another participant's open or unlocked cupboard or desk

* eavesdropping on another participant's conversation on public transport

* etc.

- If you have found sensitive information, save it in a Word document, which you protect with a password. Not sure how to do that? Then have a look at this step-by-step plan: [insert step-by-step plan for protecting Word documents].

- Keep your activities safe, don't touch any of your colleagues’ things and report any serious data breaches you discover to each other immediately. The object is to increase awareness, not to pillory or make a fool of each other.

  3. At the end of the week, the team leader will collect the documents from the participants and show these on the beamer during the debriefing.

  4. The challenge will end with an evaluation discussion, in which the participants will share the information they found with each other and if possible will reach agreements for handling sensitive information more carefully, both online and offline.

  5. At the end of the challenge, destroy all files in which sensitive information has been collected by the participants.

 


All quick wins related to the principle 'Only allow the right people access to the right data' can be found in a handy list below:

Data minimisation: Are you going to collect personal data? You should always ask yourself critically whether or not you can also achieve your purpose with less data.

Classification: Look in more depth at the various classifications that exist for all of the documentation at our education institution and the rules associated with each classification.

Data breaches: Be aware that it is not up to you to decide how serious a data breach is or whether or not action needs to be taken. Report all data breaches immediately to [insert contact details]: they will follow up on your report.

Lending business equipment to others: one simple rule. Don't do it!

Any other questions? If you have any other questions about data breaches and what action you should take if you experience one, please contact [add contact details].

Principle #5: Help each other on the path to the right behaviour

What do you already know?

What are the risks and how can you avoid them?

Reading time
8 minutes

What will you learn?
In this component, we will look at how employees can help each other jointly display the proper behaviour when it comes to privacy and security. You will learn why calling each other to account for your behaviour is important and when you can do it.

Summary
This last principle may well also be the most difficult. Helping each other display the appropriate behaviour when it comes to privacy and security naturally means that you yourself must set a good example – and not only at the office, but also when you are on the road and when using your personal equipment at home.

Our behaviour is usually not at all intended to deliberately sabotage anyone's privacy, but that can still be the end result, for example if you ask others for too much personal information or connect people on all kinds of social media, for example by adding them to WhatsApp groups, without their permission. So don't be afraid to draw each other's attention to unlocked computer screens, open cupboard doors and rooms, requests for more information than necessary, unsolicited connections and excessively loud business telephone conversations on crowded trains.

By making sure we help each other learn the appropriate behaviour, we can pave the way together for a reliable and pleasant learning, working and living environment. And that not only makes you feel good, it makes everyone else who is involved now in our education institution and who will be involved in it in future feel good, too.



Always connected

These days, we can keep working, anytime and anywhere, from any device. At any given moment during the day, we are capable of sending each other files, editing documents and carrying on conversations with each other. It is remarkable how fast this development goes. Look at these kids trying to make a call with a rotary phone...
 


The flipside is that we have to be more and more aware of the potential risks involved in this connectivity. And the insanely fast pace of technological developments makes it all the more important to take on these challenges together, by carrying on talking to each other about privacy and security, daring to call each other to account and being open to suggestions for improving your own behaviour.

Can you work out what the most important items for consideration are when it comes to helping each other on the path to the right behaviour?

 


Don't request more than is necessary

It seems so easy to just send your colleague an email, asking them to forward that one list or file to you. You are colleagues, after all, so why would they refuse? But that is precisely where things tend to go haywire; in a business context, you need to be extra careful with personal and other sensitive data. Fortunately, a few simple principles exist for handling this appropriately.

What do you think the three most important principles are?

 

1. Why do you need the data?

If you receive a request for certain sensitive data from a colleague, it is perfectly fine to ask them why they need that data. Perhaps you will both reach the conclusion that the colleague can also move forward using less data. You should both take responsibility for data minimisation by constantly asking yourself whether it is possible to ‘make do’ with less data. Help each other, offer your input to each other and try to reduce as much as possible the amount of sensitive data transmitted both internally and externally.

2. Know what you are permitted to request

Don't pressure each other by requesting data which your colleague doesn't actually want to simply hand over. For example, if you ask a junior colleague to create a WhatsApp group and to add certain employees to it, it may be difficult for them to say ‘no’. Take hierarchical relationships into consideration and make sure that employees and students are free to either give or withhold their consent for the use of their personal data.

3. Don't create shadow files

Don't request data from others that is already neatly saved in a system, document or list, for instance. If you do, then you will be creating a shadow file, as a result of which the data will then suddenly also be saved on your equipment, and can thus be distributed further or hacked into or infected with a virus. There is an additional risk that you will forget to delete these files when you no longer need them and that the data will no longer be updated, as a result of which the information may no longer be up to date. This could include lists of students who have already been unenrolled and still appear on a lecturer's class list or very embarrassing situations in which messages are sent to people who have since passed away.

 


Set a good example

Sometimes, you should not make things more difficult than necessary: set a good example. And this is especially important when it comes to privacy and security, since not all employees and students are already fully aware of the importance of handling this appropriately. Role models are needed in order to demonstrate the desired behaviour to employees and students and show them what the advantages are for yourself, your colleagues and the organisation as a whole of complying with the principles from this course.

What do you think the three most important locations are for setting a good example?

 

1. In the workplace/at your office

Whenever you walk away from your desk, always check whether you have left everything behind in a secure condition. Is your screen locked? Are there any sensitive documents lying on your desk? Are the cupboard doors closed and are there any post-its in the rubbish bin with sensitive information written on them? Make a habit of leaving behind your own workstation in a proper state, so that you set the right example for your colleagues. And if you are the last to leave the room, always lock the door behind you.

2. On the road and at home

It often happens unconsciously; you take a business call on the train, lend your business telephone to your children or quickly sync your cloud services with your personal equipment. All very understandable, but not without risks when it comes to data breaches. You must therefore also be aware when you are on the road and at home of the risks and possible consequences each time you handle sensitive data. Never mention names on the telephone if ‘strangers’ can hear you, don't lend your business equipment to ANYONE and maintain a strict division between your business and personal files. No doubt we do not need to repeat again here that you must always ensure your software is up to date and must never use public WiFi...

3. Digital hygiene

While it is almost never with malicious intent, amid the growing numbers of folders and files on our business equipment, something occasionally goes haywire. A colleague shares the wrong folder with you and suddenly you have access to data which is not intended for you. Or you notice that you can no longer access certain data because a colleague has accidentally deleted it. For every action you take in the digital world, it is a good idea to always double check first whether what you are going to do is actually what you were intending to do. And if you see that things have gone wrong for a colleague, point it out to them in a friendly way. There's a good chance that your colleague does not realise something did not go entirely according to plan, until you point it out to them...

 


Be aware of the possible consequences

As unpleasant as it is, if a blunder is made with regard to privacy and security, it can have considerable consequences for everyone involved. But we prefer to look at the positive side: by being aware of the damage that can occur, you will strengthen your motivation to do the right things yourself and to help your colleagues to do the same. In this way, we work from a positive approach towards a shared goal: creating an organisation where dealing with privacy and security properly and consciously is deeply rooted in the DNA of all employees and students.

What do you think is the most important benefit for organisations where everyone complies with the rules for dealing properly with privacy and security?

 

1. Control

By properly adhering to the principles from this course, we can ensure we are in control of all sensitive data at our education institution. We then know where which data is stored, that all data is protected, that the data is correct and that only the right people have access to certain data. This greatly reduces the risk of a data breach occurring.

2. Reliability and professionalism

Dealing appropriately with privacy and security has a positive effect both internally and externally. Internally, employees will perceive privacy and security as a permanent part of every process, which may reinforce the feeling of security and reliability. This, in turn, will increase their job satisfaction. And for students, suppliers, etc., dealing appropriately with privacy and security will lead to closer relationships and a professional image.

 


All information about the handling of information at our school is laid down in the 'Information Security Policy'. You can download and view this document via the button below:

Read everything about our 'Information Security Policy'

Challenge & further assistance

Let's get to work!

Now you know how you can help each other learn the right behaviour when it comes to privacy and security. Now it's time to test how well you can put this into practice!

On this page, you will find a fun and educational ‘challenge’ you and your colleagues can do together. With this challenge, you and your colleagues will decide for yourselves which goals in relation to privacy and security you want to have achieved together by the end of the week.

By jointly formulating concrete goals, talking about these and then also trying to achieve them, you and your colleagues can collectively contribute to an increased awareness when it comes to privacy and security.

Good luck!


 

Challenge: Our mission!

 

Goal: to achieve your team's objectives through collaboration and thus raise awareness with regard to privacy and security.

Participants: it is recommended to only do this challenge with a limited number of employees, since all team members may end up seeing personal data about each other. Sufficient trust must exist between team members to be able to take on this challenge together.

Execution: In this challenge, you and your colleagues will develop your own objectives, depending on the subject you wish to focus on. It is important that these are objectives which can be achieved jointly as a team and whose progress can easily be verified, for instance at the end of a week. Examples include that no one has left sensitive information in the rubbish bin, that no one has left a computer screen unlocked or, alternatively, a combination of various objectives.

To carry out this challenge, you should complete the following steps:

  1. Put together the team which will carry out this challenge, keeping in mind that participants may be able to view personal information about each other after one week.
     
  2. Communicate the rules to all participating employees:

- For an entire week, we will try to [fill in your own objectives here]

- Keep doing your work wherever possible as usual, but try to pay extra attention during this week to all matters relating to your chosen objectives.

- We will take on this challenge together. If, by the end of the week, we have achieved the objective(s) together then [fill in a reward for the entire team, where applicable].

- Help each other wherever possible, call each other to account (in a friendly manner) for blunders and explain why you are calling that person to account for this.

- Keep your activities safe, don't touch any of your colleagues’ things and report any serious data breaches you discover to each other immediately. The object is to increase awareness, not to pillory or make a fool of each other.

  3. At the end, the team leader will check together with the players whether the objective(s) has/have been achieved.
     
  4. The challenge will end with an evaluation discussion, in which the participants will discuss the objectives with each other and wherever possible, reach agreements for handling sensitive information more carefully both online and offline.
     
  5. Celebrate the victory if the objective(s) has/have been achieved!

 

Any other questions? If you have any other questions about helping each other achieve the right behaviour, please contact [fill in contact details].

  • The arrangement Digital license 'Employee' was made with Wikiwijs by Kennisnet. Wikiwijs is the education platform where you can find, create and share learning materials.

    Last modified
    2020-12-04 16:31:07
    Licence
    CC Attribution 4.0 International licence

    This learning material is published under the Creative Commons Attribution 4.0 International licence. This means that, on the condition of attribution, you are free to:

    • share the work - copy, distribute and pass it on via any medium or file format
    • adapt the work - remix, change and create derivative works
    • for any purpose, including commercial purposes.

    More information about the CC Attribution 4.0 International licence.

    This ‘Digital Certificate in Privacy & Security for Employees’ course was developed with the help of various people:

    Commissioning party: Albert Hankel (SURF)

    Production of e-learning module: Sander van Acht (Flooow)

    Experts involved: Anita Polderdijk-Rijntjes (Security & Privacy Advisor and Data Protection Officer, Windesheim University of Applied Sciences)

    Astrid Gravenbeek (Data Protection Officer, Leiden University)

    Gerrit Vissinga (Information management advisor, Windesheim University of Applied Sciences)

     

    Image credits:

    Photo by Alexander Sinn on Unsplash

    Photo by Ben Kolde on Unsplash

    Photo by Markus Spiske on Unsplash

    Photo by Eric Rothermel on Unsplash

    Photo by Jilbert Ebrahimi on Unsplash

    Photo by Markus Spiske on Unsplash

    Photo by Kelly Sikkema on Unsplash

    Additional information about this learning material

    The following additional information is available for this learning material:

    End user
    pupil/student
    Difficulty level
    average
    Study load
    4 hours and 0 minutes