Using our systems and keeping our information safe
Keeping the bad guys from getting in and our information from getting out
What it's all about
Digital technology is the nervous system of our company. Without it, none of us would be able to do our jobs properly and our business would grind to a halt.
However, we know all too well that people, companies and government agencies are routinely targeted by cyber criminals, by those who disagree with our customers' policies, or even by a colleague with a grudge against Serco, who seek to steal information, extort money and paralyse key operations.
Protecting our systems from attack and keeping our information safe is up to all of us. That is why we always remain mindful of the risks and follow the rules precisely.
Serco has robust systems, but every one of us has a vital role to play in ensuring our information is fully protected - by being alert to the threat and following IT security rules carefully at all times.
We need to take special care when emailing personal or sensitive information and when storing or archiving this information. We must also be sure to classify our information accurately and dispose of it properly.
We also need to be equally careful when accessing non-Serco systems for personal purposes. Where permitted on your contract, you may use the internet browser on Serco smartphones, tablets or computers for personal matters as long as the level of use is reasonable and causes no harm.
Contracts, customers, Business Units or Divisions may have additional requirements for acceptable use of systems. We all need to be aware if these apply where we work and follow them.
Serco reserves the right to actively monitor, intercept and review our activities when using Serco IT resources and communication systems to ensure what we do is authorised and appropriate.
What we all need to know and do
- We always comply with Serco’s IT security requirements, taking particular care with login credentials, tokens and passwords.
- We never open e-mails or attachments, or click on links in them, if we do not recognise the sender or if the email looks suspicious, as they may contain malware.
- We never share our Serco or customer IT login details with others. If we think they have been compromised, we change them and report it to our manager or IT department immediately.
- We take responsibility for the content of all text, audio and images that we send using Serco’s email and other messaging services.
- We use Serco’s standard disclaimer on all emails sent from Serco’s email systems.
- We don’t send anonymous emails that might be used to create or forward ‘chain letters’, ‘Ponzi’ or other ‘pyramid’ schemes.
- We always look out for and report suspicious emails, and we don’t reply to or forward spam emails or messages.
- We don’t use our Serco email to register for any online service (i.e. a website that requires registration to create an account) unless the use of the service is business related.
- We never use personal email accounts for work communications, unless we have authorisation from our manager.
- We always lock our computer and mobile device when leaving them unattended.
- When we travel in a vehicle we keep our PCs and other information systems out of sight, ensure they are locked in the boot when leaving the vehicle and never leave them in the vehicle overnight.
- We never leave important documents or printed information lying around.
- Unless instructed to do so by Serco IT, we never modify or disable the security or other configuration settings that Serco deploys to our company IT equipment.
- We never use USB drives received from unknown third parties as they may contain malware. We only use approved Serco encrypted removable media, and then only when specifically authorised.
- When we use a portable computer, laptop, tablet, mobile device or removable media outside secure premises, we make sure it is properly encrypted. If we are in any doubt, we consult our IT Department.
- We maintain the correct level of privacy for our information and ensure it is classified in line with Serco’s standards, or with our customer’s standards where this has been agreed.
- If we use our own device, we only transfer and store Serco information on it if it is enrolled in either an approved Serco Mobile Device Management (MDM) service or an approved Mobile Application Management (MAM) service, which allows Serco to review the device under special circumstances (such as a formal investigation).
- We never intentionally disrupt network communications, breach security codes, introduce viruses or malware, or attempt to crack or capture passwords or decode encrypted information.
- If we lose a laptop, tablet, mobile phone, PDA, removable media device (e.g. USB stick, CD, memory card), document or any paperwork that contains information with a classification of ‘Serco Restricted and Sensitive’, we report it to our local or regional service desk, notify our manager and record it as a security incident on Assure.
- We return all Serco information systems and equipment and delete or move Serco information to an appropriate Serco storage location before we leave Serco.
Personal Use
Serco logs and monitors use of its IT equipment and any equipment which is connected via the Serco network. We may use Serco’s systems for limited personal use, provided that:
- our usage is occasional and brief
- it doesn’t increase risks to Serco systems and information
- it doesn’t detract from our performance or that of our colleagues
- it doesn’t abuse or harass the recipient
- it doesn’t harm Serco’s reputation or interfere with business
- we do not access unsuitable Internet sites
- we do not feature the Serco name and brand in personal e-mails or social media posts

- We never access, store, send or post pornography or other indecent or offensive material when using Serco IT and communication facilities. Likewise, we never connect to online gambling sites or conduct any kind of unlawful activity.
- We never use a Serco telephone to make calls or send texts to premium rate numbers, or to access subscription services or applications, unless for business reasons.
- When making personal use of Serco systems, we never access streaming or similar sites that generate high network traffic or incur additional data costs, for example by playing large video files or downloading imagery.
- We never connect non-Serco or private IT equipment to Serco or customer networks without our IT department’s permission.
- We never conduct personal business activities using Serco IT or communication facilities, or support others in doing this.
- We never copy or store personal files or personal music, videos, etc. onto Serco-provided PCs.
Storybox
Part 1: The Victim
It only takes a moment!
I’d been out with friends, got back home, went to bed tired. As I was falling asleep I checked my phone and saw I had an email from a shop I’d just bought something from. I wanted to print out the invoice, so I forwarded it to my work email and thought I’d do it there tomorrow. I fell asleep.
Next day I went to the office and started my morning routine of checking emails and writing my to-do list. I remembered the invoice email; it asked me to confirm my username and password and then it would give me the invoice. I was in a hurry. Didn’t think. That was my mistake and I’ve regretted it every day since.
Once they had that information they hacked away at my life. They wiped my bank account, ordered a variety of crazy things using my credit card and racked up debt I could never repay. The worst thing was they took data from the company and held it to ransom.
Of course the company took control of things from there, the police and other officials are involved, but it all started on my computer and I was responsible. The legal cases are ongoing. It’s terrifying.
That fear has changed my life. I can’t go into the office and have been told not to work. I don’t go anywhere near technology now. I can’t bear the thought of making the same mistake again. I’ve cut myself off from my friends and I don’t go out of the house. My partner got fed up with me being down and left. My family try to support me, but even so they’re miles away and I feel isolated, alone and scared.
I don’t know how this will end or when. I’m destroyed.
Part 2: The Hacker
Whenever I start these things I always have the end in mind. Yeah I need money, let’s see how far we can go, but it’s also fun to get other stuff and see where it takes me.
I saw her drop some rubbish off outside the house and saw she’d had a package. It had the shop, her home address and even her home email address. I had everything I needed.
First I sent the email with the malware in it. She took the bait. I thought she might, she’d been out the night before, a few drinks, you know - didn’t think. Hah, I’m in. Imagine my surprise when I realised she wasn’t on her home computer and she’d opened the mail at work. Wow.
It took a while to sift through everything but I found a trail to her bank. Easy pickings, so I took all that. Her credit cards - yup, got them too and had fun choosing crazy things to buy. Quite a party I had.
Then the big one. Company data and the greatest gift, ‘customer information’. Now that is worth something. So I sent a ransom note and waited. There was a delay. That’s not usually a good sign.
They got the police involved. They haven’t got me yet and I’ve been doing this for years, so yeah, I’m not worried.
I don’t really think about the victim. Their fault isn’t it? Stupid to be so careless. That’s what I hope for, that someone will lose concentration.
It only takes a moment!
We should never use personal email accounts for work communications, unless we have authorisation from our manager.
We should never share our Serco or customer IT login details with others.
The missing email
You had to finish an important piece of work, so you sent some important confidential documents to your personal email so you could work at home, even though you knew that was against what mycode says. Now you can’t find the email. You’ve realised you sent it to the wrong email address. You can contact your friend to forward it to your home email when you get home.
The private file
They’ve been sorting out some personal files so that some of the staff can benefit from medical support. It’s lunchtime when you get into the office and everyone’s gone to celebrate a colleague’s birthday. She’s been through a tough time with cancer. Now you see that she’s left some of those personal files open on her desk.
The password
A colleague is away on a long vacation when an emergency comes up. It’s got to be sorted out straight away, but to do that you need to consult some documents stored on his computer. Someone says they’re pretty sure they know what the password is, and you’ve tried again and again to contact your colleague.
The improvement
After a lot of thinking you and your team have come up with a much better way of doing something. It’s a real improvement, and it will benefit Serco and give the company an edge. You’ve created two documents - one for external publication that does not give away any confidential details, and the other that goes into the full specification so it can be patented.
You’re very proud of what’s been done, and are really keen to show a contact you have at a local university. So you email them. Then you realise you’ve attached the wrong document: you’ve sent the version with the confidential details.
I run a few training sessions a year in my role in IT. We have to keep people up to date with the latest scams. So our Think Privacy training is crucial to guard against phishing or giving away credentials.
I sent out a fake email today. Just to see if people were being alert to these things. But no. They weren’t paying attention and bang, one person clicked and I’m in. I can see all of their emails, all of their private documents and our military drawings and technology information is mine to view at my leisure.
Today they’re lucky. It’s only me. Tomorrow it might not be. Phishing is getting more clever. Yes you’re only human, but there’s always something new coming. Watch out!
We should never open e-mails or attachments, or click on links in them, if we do not recognise the sender or if the email looks suspicious, as they may contain malware.
We had this manager - Nia. She was great. Smart, supportive, a really good team leader. She used to send everyone emails with news, updates, messages of thanks, little articles she’d seen - that kind of thing.
So when an email from her arrived with a PDF that contained a link inviting you to follow, I just thought, ‘Nia’s found another thing to make us smile!’
I followed the link - it looked like a new Serco scheme asking for volunteers to help the local community - just what Nia would have sent.
So when it asked me for my credentials, I entered them.
Then Walter from IT was suddenly calling for everyone’s attention. ‘This morning’s email from Nia was a fake!’ he said. He was right - there was a typo in her name. I didn’t even think to look.
‘Has anyone entered their log-in information?’ Walter asked.
Everyone else said no, of course not. Except me.
That day was just awful. We had to declare a critical incident and shut down the whole of our network. All the way through, all I could think of was what damage I might have done. Nia came round, tried to say that it was her fault - but we both knew it wasn’t.
Rule number 1 - you never give anyone your log-in details. And I’d broken it.
The worst thing was, Nia was disciplined for sending us all emails with links to external sites. I think she got quite ill after that. She was off work for a bit. A few months later we heard that she’d moved on. I often wonder how she is.
We should never share our Serco or customer IT login details with others.
I was travelling home. My train was delayed. By the time it arrived it was packed - standing room only.
Like everyone I was using my mobile. Watched a couple of things on YouTube, did a bit of Candy Crush, then checked my emails. There was this offer for one of the online stores I used. 20% off - ending at midnight. So yeah, I thought - definitely!
The thing is, I did actually think, is it a scam? I even tried to look at the address - but it’s not so easy to hover over a link when you’re on your mobile standing in the aisle of a moving train.
It was a scam. I don’t know how they do it, but they stole my identity, started using it for all sorts of stuff. It was a nightmare. It went on and on - really messed with my head. And of course at work I was a security risk too.
If I’d just waited till I was able to look at the offer properly - phones aren’t the best place to do that. But it was such a good deal - and only available till midnight. The security guys told me that that’s one of the things the criminals do - make you feel, ‘I’ve got to do this now, before I miss the opportunity’.
We should never open e-mails or attachments, or click on links in them, if we do not recognise the sender or if the email looks suspicious, as they may contain malware.