Computer security at work

Why is this important?

If you don't take basic steps to protect your work computer, you put it and all the information on it at risk.  You can potentially compromise the operation of other computers on your organization's network, or even the functioning of the network as a whole.  For business, legal and ethical reasons, the University of Miami requires that you do your part to keep workplace computers secure.  The steps below are what is required to do that.

Your workplace computer may already have all of the technical protections listed below, but it is your responsibility to be sure that's the case.  Contact your department's IT liaison to be sure.  If your department doesn't have any designated IT support, contact the Help Desk.

Your personal information is at risk if you don't take similar steps for your own computer at home.  Unfortunately, we cannot provide Help Desk support for home systems. However, UM provides some resources for at-home security, including free anti-virus software for personal use.

Physical security

Technical measures like login passwords and anti-virus software are essential.  (More about those below.)  However, a secure physical space is the first and more important line of defense.

Is the place you keep your workplace computer secure enough to prevent theft or access to it while you are away?  While the Security Department provides coverage across the Medical Center, it only takes seconds to steal a computer, particularly a portable device like a laptop or a PDA.  A computer should be secured like any other valuable possession when you are not present.

Human threats are not the only concern.  Computers can be compromised by environmental mishaps (e.g., water, coffee) or physical trauma.  Make sure the physical location of your computer takes account of those risks as well.

Not all workplace settings offer an electrical connection free of surges or other electrical fluctuations.  Consider a surge protector or uninterruptible power supply with surge protection features.  Contact the Procurement group for assistance with that purchase.

If you’re not sure about the most appropriate steps to take, you or your supervisor can contact the Security Department for a physical security audit of your workplace.  Call 305-243-6000 to arrange it.

Access passwords

The University's networks and shared information systems are protected in part by login credentials (user-IDs and passwords).  Access passwords are also an essential protection for personal computers in most circumstances.  Offices are usually open and shared spaces, so physical access to computers cannot be completely controlled.

To protect your computer, you should consider setting passwords for particularly sensitive applications resident on the computer (e.g., data analysis software), if the software provides that capability. 

Keep sensitive data on network file directories that are protected based on your rights to your Home Directory or your Department's rights to a File Share, rather than on the computer's hard drive.  (For reasons discussed further below, we do not recommend you keep information on your computer's hard drive.  Since these network directories are backed up nightly to tape, which is kept in a secure off-site location, you also assure the integrity and availability of your data.)

If you're not sure about how to pick a strong password, or protect it once you've picked it, see the guide to password safety.

While passwords will deter most casual intruders, they can often be bypassed by a determined, knowledgeable intruder given sufficient time and access to special tools.   (That's why physical security is essential.)

Prying eye protection

Because we deal with all facets of clinical, research, educational and administrative data here on the medical campus, it is important to do everything possible to minimize exposure of data to unauthorized individuals. 

If your computer is in a non-private area, where access cannot be completely controlled, consider using a monitor/screen privacy filter to minimize exposure to "prying eyes."  If you use a computer in a high-traffic or public area, where many staff/faculty/students reside, and you regularly have access to highly confidential information, this is mandatory.

Anti-virus software

Up-to-date, properly configured anti-virus software is essential.  While we have server-side anti-virus software on our network computers, you still need it on the client side (your computer).

Norton-Symantec anti-virus software (SAV) is available free to all University employees and students, for both workplace and personal systems.  For workplace systems, we will install SAV at no charge.  Call the Help Desk to make arrangements for that.  (In most cases we can install it remotely, without any need to schedule a physical visit to your office.)

Alternatively, you can install it yourself by downloading it from the Software Downloads section of this Web site.

Firewalls

Anti-virus products inspect files on your computer and in email.  Firewall software and hardware monitor communications between your computer and the outside world.  That is essential for any networked computer.

The medical campus network has its own firewalls and intrusion detection/prevention protections, so you do not need a firewall of your own for your workplace computer.  However, firewalls are a recommended protection for home computer security, particularly for computers using always-on broadband cable or DSL connections.

Software updates

It is critical to keep software up to date, especially the operating system, anti-virus and anti-spyware, email and browser software.   The newest versions will contain fixes for discovered vulnerabilities.

Almost all anti-virus products (including SAV) have automatic update features.  Keeping the "signatures" (digital patterns) of malicious software detectors up-to-date is essential for these products to be effective.

Most operating systems and applications provide Web sites to scan your computer system for missing patches, hotfixes and service packs.

  • Mac users click here for assistance
  • Windows users click here for assistance

Medical Information Technology automatically applies fixes and updates to Windows PCs on the Medical domain.  Mac users must generally do this themselves or set the operating system to check periodically.

Supplemental software

When you download and install new software, you are taking a risk.  Malicious software, such as viruses and spyware, is commonly embedded in software from freeware sites and is virtually unavoidable in peer-to-peer (P2P) content.

Even software from what appears to be a reputable source has the potential to be damaging to system performance.  For that reason, downloading and installing unsupported, unapproved software is generally prohibited for medical campus workplace systems.

This includes screensavers, supplemental toolbars, weather and news tickers, email add-ons (e.g., "smiley face" plug-ins), and instant messaging (IM) clients.  If you can't find it in our Software Downloads section, assume it's not approved.

If you have any questions about whether a product you want to use is approved, contact our Help Desk for guidance.

Email behaviors

Unfortunately, neither physical protections nor technical measures like firewalls, anti-virus and anti-spyware can assure security on their own.  Your help is also critical.

For email, that means using caution when opening any attachments you receive, particularly from an unexpected or unknown source.  It also means using caution about clicking on links in email you receive.

We make every effort to filter out spam and other junk email, particularly of the data-extracting phishing variety.  But our filters are not perfect; some dangerous stuff still gets through.  Be vigilant.

For more detailed recommendations, see the guide to email safety and security.  We will also send out periodic advisory notices through email to keep you up to date on new threats.

Surfing behaviors

Caution is also necessary when you surf the Web.  As in the physical world, not all the virtual locations are equally safe to visit.

Be sure your Internet browser is configured with appropriate security settings.   If it's not, even just a few seconds at a Web site can result in installation of malicious software.

For more detailed recommendations, see the guide to web safety and security.

It's worth repeating here that computer activities on workplace systems should always be work-related -- and that any or all of your computer activities at work may be monitored and/or recorded.  Make sure you are familiar with University policies on proper computer usage.

Keep secure backups

Even if you take all these security steps, bad things can still happen.  Be prepared for the worst by making backup copies of critical data, and keeping those backup copies in a separate, secure location.  For example, use supplemental hard drives, CDs/DVDs, or flash drives to store critical, hard-to-replace data.

As noted above, taking advantage of personal and shared network directories for critical files solves the backup problem.  We keep backups of all files on these directories for at least 90 days (some up to several years depending on the type of data being backed up).  And it generally solves the security problem, since these directories are password protected.

Why can't you rely on the computer's own hard drive?   Because hard drives fail more often than you might imagine, and when they do they generally fail in an instant.  Recovery of data from a "crashed" hard drive, if it is possible at all, is generally very expensive.  From an information security perspective, if your computer is compromised, all the data on the hard drive may be exposed as well.

Lock it down

Windows computers on the Medical domain are automatically set up to lock the screen after 20 minutes of inactivity. However, it is a good idea to lock your computer on your own, unless you can assure that no one else will have physical access to it.  Microsoft Windows users can do this in two simple steps:

  1. Press the "Ctrl", "Alt" and "Del" buttons in succession and hold them down.
  2. Click on the "Lock Computer" or "Log Off..." icons or just hit the "Enter" key on your keyboard.

Clicking "Lock Computer" keeps you logged into the Medical campus network but locks down your computer until you unlock it with your password.  Clicking "Log Off..." logs you off the Medical Campus network.

Mac users, click the "Apple" icon in the top left of your screen and then choose "Log Out," or enable a screen saver protected by a good password that only you know.  Or, press the "Shift", "Apple/Command" and "Q" keys in succession and hold them down.

Give it a rest

Turn your computer off when not in use for long periods.   Turn it off at the end of the day, before you leave work.

This is a good practice because you give your computer the opportunity to rest.   "Rest" means your computer's RAM memory is flushed, the hard drive and other internal components get an opportunity to cool off and any updates can then be applied the next time you reboot.

It also helps lower the Medical Center's electric bill.

Report problems

If you believe that your computer or any data on it has been compromised, you should make an information security incident report.  That is required by University policy for all data on our systems, and legally required for health, education, financial and any other kind of record containing identifiable personal information.

If your computer has been compromised, it may mean one or more of your user-IDs and passwords have been compromised.  So other systems and data may be at risk.

Reporting is in your interest as well as ours.  Actions taken by someone who has discovered your user-ID and password may be attributed to you, and you may have a difficult time proving otherwise if you didn't report it.

Learn more

Cyber Security Tips (US-CERT)
A broad range of short documents on PC security topics

Protecting Your Computer (UM Privacy Project)
Click-thru content, at a basic level, on all aspects of protecting your PC