The advice on this page helps UGent employees to perform IT-safe professional activities for UGent, both when teleworking and within the UGent buildings and network.
Note: IT security at UGent is constantly evolving, so this advice is still being updated.
Working safely with UGent IT resources and data is important for every UGent employee, not only to be able to do their own work correctly and safely, but also because local IT security problems can have serious negative consequences for colleagues and the rest of the UGent IT infrastructure.
We distinguish between:
- Working on a device managed by DICT (typically with Microsoft Intune): definitely preferable for professional activities for UGent.
- Working on a device you manage yourself, the "Bring Your Own Device" (BYOD) concept: good for occasional use for professional activities, provided you have secured the device sufficiently yourself.
- Working on another device: not advisable for security reasons unless you have sufficient guarantees that the device is correctly and professionally managed and reliably secured.
You yourself always bear an important co-responsibility for handling UGent's professional information securely. Therefore, consider the risk level of the data you work with, especially if you work with personal data or other confidential information. Even if you work with the devices and software managed by DICT, you need to use common sense to assess possible risks. Depending on the risk level of the data, additional technical measures such as encryption of the data may still be appropriate.
When in doubt, seek advice, for example from a local IT administrator in your area or (in the case of research projects) from DOZA's data stewards, or from DICT's IT specialists, via the DICT helpdesk.
Inform the DICT helpdesk as soon as possible if you suspect that your account or device has been hacked, or if you suspect any other IT security incident, and follow the instructions you are given. Also report theft or loss of professional IT equipment such as laptops or smartphones.
You must also notify the DICT helpdesk as soon as possible if a data breach is suspected, in which personal data or other confidential information or other important data may have fallen into the wrong hands.
Take care of your UGent account
Take care of your UGent account and your login and multifactor authentication (MFA) details.
- Use a strong password, in accordance with UGent's password policy.
- Keep your UGent password strictly confidential, and never use your UGent password for other, external services.
- Change your password as soon as you suspect that it has been leaked or compromised.
- Do not let anyone work under your personal account.
- Never give login details of your UGent account to others, including those you trust.
- Avoid storing passwords in readable form on your device or elsewhere.
- Avoid using the 'remember passwords' function of browsers; use a reliable password manager instead.
- Do not send passwords by e-mail.
- Do not leave your devices unattended. Lock the device or log out, even if you are only away from the device for a short time.
- Remember to log out after using a public or shared device.
DICT actively tracks suspicious login activity and takes measures to prevent or stop hacking of UGent accounts and devices. You may be asked to change your UGent password. In the event of sufficiently serious indications, DICT may also temporarily block your UGent account or device. You will be informed to the extent possible.
DICT recommends registering an alternative, private e-mail address in your UGent personal data. This way, DICT can contact you if there are security problems with your account or device. Make sure you can also read that personal mailbox (e.g. on your smartphone) if your professional laptop is unusable, and that the account of your private e-mail address is also sufficiently secured (e.g. with MFA).
Work on a well-secured device
Preferably work on a professional device managed by DICT with Intune, which is automatically well secured and allows you to log in smoothly and safely with your UGent account. However, good security does not mean you no longer have to watch what you are doing; you remain responsible for correct and safe use.
On a managed device where you yourself are the primary user, you are automatically given extensive rights, e.g. to install software yourself.
For security reasons, it is forbidden to let family members or others work with your professional device under your UGent account. On a managed device of which a UGent colleague is the primary user, or on a shared device (i.e. a device without a primary user), you can also log in and work with your UGent account, but only with ordinary user rights. Using professional devices for personal purposes (including recreational and business use outside the UGent context) is allowed, on the understanding that you must then take the necessary care for correct and safe use yourself. DICT monitors the security status of Intune-managed devices and may take appropriate action where security requires it.
Bring Your Own Device (BYOD)
By employees' BYOD devices, we mean not only smartphones or tablets, but also private desktops or laptops that are mainly for private use (i.e. for personal or recreational purposes), but are also occasionally used for professional work or teleworking. Since these devices are not managed by DICT, you yourself are responsible for the proper security of such devices.
Be well aware of the risks that BYOD devices can pose: a hacker can monitor all activities on an insufficiently secured device infected with malware and capture sensitive information without you even noticing. Your UGent account is also compromised in such a situation and can be misused on other UGent devices and UGent IT services. The hacker could potentially even further abuse your device to attack the entire UGent IT infrastructure.
Minimum security measures before you are allowed to do professional work with a BYOD device:
- Make sure your device's operating system is and remains fully up-to-date.
- Make sure all installed applications are and remain up-to-date.
- Do not install applications downloaded from the internet or sent via email without security guarantees. This way you avoid infections with viruses or malware.
- Use professional anti-malware (antivirus) software with the latest updates.
- Secure logging in to your BYOD system with a password, PIN or other secure alternative.
- At a minimum, set a security PIN on tablets and smartphones.
- Make sure locally stored data is encrypted (e.g. with BitLocker on Windows and FileVault on macOS).
- If family members or third parties use the same BYOD device, they must not do so under the same account as the one with which you perform work for UGent; create an extra local account for them without extra rights.
Work via a reliable network
Within the UGent buildings, you work on UGentNet, the IT network managed by DICT, via a wired network connection, or via a WiFi connection with Eduroam.
When teleworking, you use a network that is not managed by DICT (a home network, a 3G, 4G or 5G mobile Internet connection, ...). Be careful when working on location via a public WiFi hotspot or via another unknown network. Hackers can quite easily intercept and abuse data traffic over an insufficiently secured network. When in doubt, set up a UGent VPN connection.
With a UGent VPN ("Virtual Private Network") connection, your device is (virtually) in the UGentNet via a secure (encrypted) channel.
Stay alert and be sufficiently aware of common IT security risks
- Do not get caught by phishing: do not accept suspicious invitations to reveal confidential data. Phishing e-mails are the primary cause of IT security incidents.
- Only enter your UGent login and password in known, trusted applications and only via the known, trusted central Microsoft-based UGent login service.
- Your UGent account is secured with multifactor authentication (MFA). Use MFA with discipline: give your second approval only if you are actually logging in to a trusted application.
- Do not open e-mail attachments that you do not fully trust, and certainly not executable files. You could infect your device with malware this way (virus, spyware, ransomware, ...).
Use the services offered by DICT for data storage
DICT recommends its own data storage service (storage) for all UGent professional data. The security and availability of data on the central infrastructure is guaranteed by DICT's specialists. Besides protection against unwanted access, the data are also protected against unwanted changes or loss by means of various back-up scenarios.
Keep your data management in order and, for your well-defined use-case, make correct use of the various options DICT supports: OneDrive-for-Business, central storage (with personal disk space and shares), HPC storage, ... Avoid working with local copies of data that are only stored locally on a device (desktop or laptop).
If, exceptionally, you do telework with a device that is not managed by DICT or yourself, make sure that no local copies of professional data end up on such a device and certainly no personal or other confidential information.
For data storage in research projects, get advice from DOZA's data stewards if necessary.
Use of software offered and supported by DICT
DICT ensures the security and regulatory compliance (e.g. licence conditions, protection of personal data under AVG/GDPR, etc.) of all software it offers.
DICT recommends working with software offered and supported by DICT, both cloud applications such as Microsoft 365, SharePoint Online, Teams, UFora, SuccessFactors, ... and applications hosted within UGent's data centres (e.g. OASIS, Gismo, Athena, ...).
Preferably use locally installed software on a professional device managed by DICT with Intune (see the available software on the Company Portal).
Please note that you are always responsible yourself for correct and safe use of software applications. For example, do not open questionable links or files sent to you in your mail client. This applies not only on your own devices but e.g. also on Athena. In this way, you reduce the risk of malware infections on your own and central IT infrastructure.
Install other software yourself
- Only install software you need on your laptop or desktop.
- Remove software and apps you never use.
- Be aware of the risks that unknown or cracked software can carry. Preferably do not install software you have downloaded from the internet without security guarantees.
- Always respect licence terms and certainly do not use fabricated or stolen licence codes.
Personal data and confidential info on cloud services
Do not store confidential information on cloud services with data storage outside the EEA (i.e. the EU, Liechtenstein, Norway and Iceland).
Personal data should also not be stored on cloud services with data storage outside the EEA, unless it has at least been pseudonymised in a secure and reliable manner. If pseudonymisation is not possible, the data must be securely encrypted beforehand. If the data is pseudonymised beforehand, the key file must not be stored on a cloud service with data storage outside the EEA, unless that key file has been securely encrypted beforehand.
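The split between a pseudonymised dataset and its key file can be illustrated as follows. This is an added example, not UGent or DICT code; the column names and sample rows are constructed, and encrypting the key file itself is left to a vetted encryption tool.

```python
import csv
import io
import secrets

# Constructed sample data; the column names are assumptions for this example.
SAMPLE_CSV = """student_id,name,email,score
0001,An Peeters,an.peeters@example.org,14
0002,Bram Maes,bram.maes@example.org,11
0001,An Peeters,an.peeters@example.org,16
"""

DIRECT_IDENTIFIERS = ("student_id", "name", "email")


def pseudonymise(csv_text, id_column="student_id", drop=DIRECT_IDENTIFIERS):
    """Return (rows, key_table).

    rows: records with direct identifiers removed and a pseudonym added.
    key_table: pseudonym -> original identifiers, i.e. the "key file".
    """
    by_identity = {}  # original id -> pseudonym, so repeat rows stay linkable
    key_table = {}
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        original_id = row[id_column]
        if original_id not in by_identity:
            # Random rather than derived from the data, so the pseudonym
            # cannot be reversed or guessed without the key table.
            pseudonym = "P-" + secrets.token_hex(8)
            by_identity[original_id] = pseudonym
            key_table[pseudonym] = {c: row[c] for c in drop}
        clean = {c: v for c, v in row.items() if c not in drop}
        clean["pseudonym"] = by_identity[original_id]
        rows.append(clean)
    return rows, key_table


def leaked_identifiers(rows, key_table):
    """Original identifier values still present as a cell in the export.

    Exact cell matches only; identifiers inside free text are not detected.
    """
    originals = {v for ident in key_table.values() for v in ident.values()}
    return sorted(originals & {str(v) for row in rows for v in row.values()})


if __name__ == "__main__":
    rows, key_table = pseudonymise(SAMPLE_CSV)
    assert not leaked_identifiers(rows, key_table)
    print(rows)            # pseudonymised dataset
    print(len(key_table))  # key file: store separately, or encrypt it first
```

Only `rows` is a candidate for the cloud service; `key_table` is the part that re-identifies people and must stay on separate storage unless it is encrypted beforehand.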
For pseudonymisation in research projects, get advice from DOZA's data stewards if necessary and check out the following research tip.
For Microsoft 365 (OneDrive-for-Business included), UGent guarantees that the data is stored within the EU. Partly for this reason, DICT recommends Microsoft 365 for processing personal data and confidential information at UGent.