Tips to prevent data leaks
Data leaks occur when personal data about other people come in possession of other people who have no business with them, or when such data are lost and cannot be recovered. Sensitive data typically are personal data about other people. Within the scope of Nikhef, typical examples are information about applicants, apprentices and (former) employees, including (email) addresses, phone numbers, education or past work experience, performance reviews and even pictures.
A data leak may occur in various circumstances, for example:
- a computer account gets compromised, which allows unauthorized persons to access data
- an electronic device is lost or stolen, after which an unauthorized person gets access to the data on the device
- data are accidentally shared, e.g. via a public webpage or document that is distributed to people who have no need to access the personal data
If you discover a potential data leak, immediately report it to firstname.lastname@example.org
When a data leak occurs, Nikhef should quickly take action to comply with the law and do whatever is possible and needed to control damage. So please immediately report the discovery of a potential data leak.
Fortunately, you can take some measures to prevent data leaks or to minimize the risk for one. Some measures are technical, other are behavioral and require awareness and a certain degree of discipline.
Preventing data leaks
The number 1 rule to prevent data leaks: what you don't store, you cannot leak! It is really as simple as that.
Storing sensitive data
- Collect and process only required information. Do not ask for data about people which is not strictly required.
- Remove data about persons when the data is not needed anymore. This is required in order to comply with the privacy laws! For example, after the end of an application procedure or when someone has left the institute.
- Periodically clean up old data. Remove files that are no longer needed or will not be used anymore. Again, it is a legal obligation. For example, clean up data about participants of a conference or workshop after the event is finished.
If you are sure you must collect or store personal and/or sensitive data, always report it to the Nikhef privacy team: email@example.com
Also take the following into account:
- Only store sensitive data on encrypted devices (see below). That applies to your laptop and telephone, but also backups on a USB disk or NAS device at home.
- Organize sensitive data, know what you store and where you keep it, so that you can easily clean up when the data are no longer needed.
Encrypt your device! How do I do that?
Encrypting your devices is a technical defense measure to prevent a data leak when the device is lost or stolen. This applies to laptops, desktop computers, mobile telephones, external devices like a USB drive or NAS.
Of course, when you encrypt your device, you must ensure that you keep the encryption key safe and that access to your device is protected with a good password, fingerprint, pin code or pattern. Do not share your code with others, also not your family members!
PLEASE SETUP YOUR DEVICE WITH DISK ENCRYPTION IF YOU HAVEN'T ALREADY DONE THAT!
Every modern operating system nowadays offers the possibility to do this and setting this up is very simple. See below for how to set this per operating system.
In Windows this functionality is called 'Bitlocker', here is described how you can easily set this yourself: https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838
In macOS this functionality is called 'FileVault', here is described how you can easily set this yourself: macOS Filevault If you want more information about this topic, please read about it on the Apple website: https://support.apple.com/en-us/HT204837
For the Unix users among us there are various options for encrypting your hard drive, please check the following link: https://www.tecmint.com/file-and-disk-encryption-tools-for-linux/
Accounts and passwords
- Do not use your Nikhef email address for private purposes.
- Choose strong passwords, certainly for work accounts or (private) banking accounts.
- Strong passwords are long (at least 10 characters), include various types of characters (lowercase and uppercase, numbers and special characters like !@#$%^&*()_+;':",./<?>.
- Password that can be guessed because they are based on names and dates are not strong. The longer the password, the more resilient against automated attacks!
- Do not use personal information or real words in your passwords.
Tip: Use a passphrase. For example: 'If I could, I'd be in New-Zealand 365 days a year'. For example, you can make this more unrecognisable by shortening it to: 'Iic,ibiN-Z365daY' and using this as a password. As mentioned earlier: make a sentence in which you use capital letters, punctuation and numbers interchangeably. Extra tip: you can also use 'spaces' in your password to make it even longer!
- Use different passwords for all accounts and all registrations with web sites.
- To remember all these different passwords, use a password manager like KeePass (https://keepass.info/), LastPass (https://lastpass.com/?lang=en_UK) or Bitwarden (https://bitwarden.com/).
- Do not store passwords in unencrypted files.
- Do not write down passwords on paper.
- Accounts and passwords are personal. Do not share them with others, also not with your colleagues or family members.
Take into account that when you travel to certain countries the information on laptops or telephones can be inspected or copied by security agencies, or that they can take control of the device. This may happen when traveling to China, Russia, Iran, Turkey (article in Dutch) and the United States.
- Bring an empty laptop and telephone, which you normally do not use. You can temporarily borrow a laptop via the Helpdesk.
- Make sure there is no sensitive information or passwords on the telephone or laptop when traveling to these countries. The Helpdesk laptops are completely re-installed after each use.
More extensive documentation in Dutch can be found on the site of the National Cyber Security Centre (NCSC).