IT Security Recommendations
IT-SERVICES provides advice on the responsible handling of IT resources. Please consider our IT directives and policies.
IT security is boring? So is insurance, but only as long as it is not needed. It makes no difference whether someone cracks your safe or steals your notebook: in both cases, confidential and important data and documents are lost. So make your digital environment safer!
Please follow the recommendations below for the responsible handling of IT resources – at WU as well as at home. Furthermore, when working / studying at WU it is important to consider the current IT directives and policies.
Mind your login data
Your digital life can easily be accessed with a username and a password. Anyone who knows your login data gains immediate access to your personal data.
Why is this important?
Responsible handling of login data not only protects your computer and your data, it also protects sensitive data of the university administration, i.e. rights of employees and students.
What can I do?
Always mind the following points when using your WU login data.
Login data consist of a username and an account password. You must NEVER pass them on to a third party.
NEVER use your WU login data on potentially corrupted devices such as on hotel devices or in Internet cafés.
Use a VPN connection if you access WU services and your device is connected to an unsecured or public network (e.g. WLAN).
Always log out AND take your USB flash drive after working on public computers (e.g. teacher’s PCs in teaching rooms).
Do not use your WU account password for logging in to other systems (e.g. Amazon, eBay, Wr. Linien, Google, GMX etc.).
Choose complex passwords which consist of letters, numbers and symbols.
Change your passwords regularly.
NEVER write down your password on the computer or leave notes with it anywhere near the computer.
NEVER save passwords when logging in, particularly not in the browser.
Use WU login data ONLY for WU web-services.
NEVER transmit WU login data via unencrypted internet connections.
Only use websites starting with “https”.
Do not use apps which request WU login data but are not official apps of WU.
Do not answer emails which ask you - for whatever reason - to enter WU login data on linked websites.
Use the Have I been Pwned? website to make sure your account information is still secure.
The website checks whether, for example, personal data from your email account has been made public in a cyber attack.
In case of further questions, please send an email to email@example.com.
Choose secure passwords
Your password is the most important key to digital systems. So choose secure passwords and change them regularly.
Why is this important?
If your password is easy to guess or is related to your personal life, third parties can easily access your digital life. In addition, stolen passwords can be misused for various purposes right away or later on, for as long as they have not been changed.
What can I do?
Change your password regularly.
(We recommend once a year, or immediately if the password has become known or may have become known.) Change passwords for your WU account in the Controlpanel application.
Use the Have I been Pwned? website to check whether your chosen password is secure or has already been made public by a cyber attack.
Never share passwords!
Passwords for sensitive applications must be different from passwords for trivial applications. Never use your WU account password to log in to other services (e.g. Amazon, eBay, Google, Wiener Linien, GMX).
Use a trusted password manager to store a separate password for each online service.
Recommendations for choosing strong passwords
A strong password consists of at least 12 characters and contains letters, numbers, and special characters. It does not appear in any dictionary or encyclopedia and uses upper and lower case letters.
Memorize your password. Do not write it down!
Hint 1: Think of a sentence or phrase. Take the first letter from each word. Replace one or more letters with a number or a special character. For example: “A lot of new students start their studies at WU in the winter semester :)” By replacing "new" with the number 9 the password reads as “alo9sstsaWitws:)”.
Hint 2: Use a short sentence and replace the spaces between words with numbers or special characters in any order. However, keep in mind the specifications regarding the maximum possible password length (e.g. in the Controlpanel application).
Do not use:
- names or character strings that other people would associate with you (examples: your date of birth, your phone number; names, or parts of names, of relatives, friends or pets)
- character strings that repeat themselves several times
- obvious character strings such as abcdefgh, qwerty, 123456, etc.
Mind your mobile devices
Your mobile devices probably know more about you than your friends. Calendar entries, emails, photos, chat messages and other personal or professional data should always remain in the right hands.
Why is this important?
Always mind your mobile devices because they can easily be stolen or lost. Apart from losing your data, they can also be misused by third parties.
What can I do?
Set up a personal access code
The code or the password must always be entered before using the device. Some devices support biometric identification (fingerprints), which makes handling easier. Avoid number combinations that can easily be guessed such as 0000, 12345, your date of birth, your post code, etc. The manufacturers' websites offer the relevant instructions:
Use the automatic lock function
The waiting period should be as short as possible, e.g. one or two minutes on the smartphone. Lock activation can usually be done manually when turning on and off the device.
Save your data regularly
for example on another device (laptop, external hard disk, etc.) Install any necessary software on your private device. Then delete data that you do not use from your mobile device.
Only save the most important information on your mobile device
Consider which data and apps you really need (e.g. Facebook, private emails, apps). Only save passwords for services which you frequently access. As regards other services, enter your password manually if requested.
In case of loss: Use location and deletion services
Many device manufacturers offer these services. In order to make use of these services, you must register your device first – and the device has to be in your possession.
Android device-managers locate and lock mobile devices as well as delete saved data. Information provided by the manufacturer.
Microsoft offers a reset protection for Windows Phones. Information provided by the manufacturer
Always store confidential data encrypted on your device.
In hotels, put the devices in the room safe when you leave – even if it is only for a short time.
Never leave your mobile devices in your car or at any places where they can easily be seen (e.g. on a table in public cafés).
Employees can find additional advice on handling employee cell phones on the intranet.
Carefully check the messages you receive
Messages that are unexpected and claim that you have to take some urgent action or messages designed to pique your curiosity may be hidden attacks on your privacy or data. In the case of suspicious emails, ignore all the links and attachments the messages may contain. If necessary, double-check the origin of the message by contacting the alleged sender directly through other channels. If you receive unusual phone calls, say only as much as absolutely necessary and do not give away any information. Be sure to keep access data and information about business processes and your private life secret.
PLEASE NOTE: WU employees can browse through and verify the authenticity of mailings sent out by IT-SERVICES on the intranet: https://swa.wu.ac.at/it-services-aussendungen.
Why is this important?
In order to obtain sensitive or personal data, attackers are increasingly trying to combine several methods and media (e.g. email, text messages, social networks, phone calls, etc.). A single click on a manipulated link or attachment in a message can be enough to infect the entire IT network with malware. Networks are playing a very important role today, and so many attacks are also targeted at mobile devices (e.g. through instant messaging services such as WhatsApp or SMS text messages). Social engineering methods(*) are often used to prepare attacks on a larger scale.
(*) Using interpersonal influence to achieve dishonest purposes
What can I do?
Stay informed about current threats on the internet – for example at
In addition, take the following general precautions in all forms of communication. Please also note the recommendations on how to keep your login data safe and how to choose secure passwords provided on this page.
WU employees and students report unusual emails directly to firstname.lastname@example.org. Please send the email in question as an attachment.
Please report incidents and shortcomings or deficiencies regarding IT and information security to email@example.com as soon as possible.
Keep all emails and other data after reporting an incident. Do not delete anything! Switch off the affected devices immediately and leave them deactivated.
Stay informed about current threats and train your ability to spot malicious communication (see paragraph on self-tests below).
In case of unusual and unexpected requests, make sure to keep your WU login data (username, account, and Wi-Fi password) to yourself. Also keep internal university procedures and technical terms secret.
In web forms, only provide the minimum of information that is absolutely necessary (e.g. don’t provide your birthday, postal address, phone number, etc., if these data are not absolutely required).
Have a healthy distrust of offers or promises that seem too good to be true.
Resist persuasion. Do not let anyone persuade you to do something you would never do otherwise.
Enter login data only via encrypted internet connections (https://...). If you’re uncertain, view the certificate used on the website (click on the lock symbol in the browser address bar).
Store password notes only in locked drawers or cabinets, if you need them at all.
Use a different password or email address for each online account.
Security measures for oral and written communications
(e.g. email, SMS text messages, WhatsApp messages, phone calls, etc.)
Ignore requests to act quickly
Fraudsters hope that you will miss the tell-tale signs of a fake message if you act hastily.
Check links carefully
- If necessary, manually type the stated web addresses into your browser using the keyboard (protection against punycode).
- Hover the mouse pointer over linked elements for some time to view the destination address to which the link is pointing. If the destination address seems strange to you, delete the message.
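The link checks above, applied automatically to an HTML message body, as an added example that is not part of the original page: it lists each link whose destination is not https, whose host is an internationalised (punycode, `xn--`) name, or whose visible text shows a different host than the one the link points to. The function names and the sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed sample message body (example domains only; \u00e4 is "a umlaut").
SAMPLE = ('<a href="http://login.example.net/wu">https://portal.example.org/login</a> '
          '<a href="https://ex\u00e4mple.example/">Reset password</a> '
          '<a href="https://portal.example.org/">https://portal.example.org/</a>')

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def ascii_host(url):
    """Host name in ASCII form; international labels become xn-- (punycode)."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host

def check_links(html):
    """Return [(href, [warnings])] for links that deserve a second look."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        warnings, dest = [], ascii_host(href)
        if urlsplit(href).scheme != "https":
            warnings.append("not https")
        if any(label.startswith("xn--") for label in dest.split(".")):
            warnings.append("punycode host: " + dest)
        # Visible text that looks like an address but names another host.
        if "." in text and " " not in text and ascii_host(text) != dest:
            warnings.append(f"text shows {ascii_host(text)}, link goes to {dest}")
        if warnings:
            findings.append((href, warnings))
    return findings
```

Running `check_links(SAMPLE)` reports the first two links and stays silent on the third, whose text and destination agree.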
Avoid opening suspicious attachments
Common document formats (e.g. PDF, Word, Excel, PowerPoint) as well as ZIP or image files can transport malicious code. In particular, delete encrypted file attachments that require a given password when opened!
Check the email for plausibility:
- Do you know the sender?
- Does the wording fit the sender?
- Do you expect this kind of message or file from this sender?
- Is it possible that malware is hidden in the (possibly password-protected) file attachment?
Check the information provided
- If you know the sender, call them and ask about the purpose of the message.
- If you’ve received a message from a company, go to the alleged sender’s home page and look for the information sent. If necessary, contact a service center or the helpdesk by phone to verify if the message is authentic.
Delete any messages that seem suspicious to you
Also remove them from your trash folder.
Insist on written (letter) form or a personal appointment for requests that involve confidential information.
How good are you at spotting fake information?
| Can you spot the fake? | Informative quiz about mobile phishing websites with amazing fakes. Blog entry in English from Wandera, a provider of mobile security solutions. |
| Phishing IQ Test | Do you recognize the trustworthy messages among the displayed emails? You will find hints at the end of this quiz from SonicWall (provider of network security solutions). |
| Phishing test | Explain what makes you think that the displayed email appears to be a phishing attempt. You will receive direct feedback on each item. A test by the Belgian initiative safeontheweb.be. |
| Illustrative explanations | Examples of phishing strategies that use WhatsApp, game websites, and contact integration with Apple devices. Blog entry from Wandera, a mobile security solutions provider. |