Information Security

Information Security

The work we do includes the management and reduction of cyber security risk, to ensure the protection, integrity and availability of digital services and data. This work helps to attain and support delivery of Aberdeen 2040 objectives.

The University of Aberdeen Information Security Policy and Information Security Supporting Policies support this purpose and provide guidance on the responsibilities, requirements, and principles which are necessary for us to achieve this.

The Conditions for using Information Technology Facilities and supporting summary video provide information on the responsibilities of the University community. These conditions are in place to ensure University digital services and computing facilities are used for their intended purposes in safe, lawful and equitable ways.  

Mandatory Information Security Awareness Training

Mandatory Information Security Awareness Training

You are our best line of defence.

Because cyber attacks come in many forms and are constantly evolving, it’s important that you keep up to date and that you know what to look out for.

To help you do this, we have launched online Information Security Awareness training using the MetaCompliance platform.


Featuring videos, audio scripts, and animations, and covering:

  • Email, Phishing and Internet
  • Passwords
  • Social Media
  • Remote Working

The training is mandatory for all staff and PGR students and is required to be completed annually.

You can work through the modules at your own pace over multiple sessions, picking up where you left off. And once you’ve completed the training, you can dip back in at any time to refresh your knowledge on a particular topic.









  • And when prompted enter your UoA username and password


Further help and advice

For help and advice contact IT Services via MyIT or email:

IT Security. We are all responsible.

Phishing Email – How to report

What is phishing?

Phishing emails are by far the most common initial entry point for cybercriminals seeking to carry out major attacks, including ransomware. They can also lead to significant personal impact, including financial loss.

Phishing is when criminals attempt to trick people into doing 'the wrong thing', such as clicking a link to a dodgy website.

Phishing can be conducted via a text message, social media, or by phone, but the term 'phishing' is mainly used to describe attacks that arrive by email.

Criminals send phishing emails to millions of people, asking for sensitive information (like bank details), or containing links to bad websites. Some phishing emails may contain viruses disguised as harmless attachments, which are activated when opened.

How do I spot a phishing email?

  • Many phishing attempts will try and create official-looking emails by including logos and graphics. Is the design (and quality) what you'd expect?
  • Does the email contain a veiled threat that asks you to act urgently? Be suspicious of words like 'send these details within 24 hours' or click here immediately'.
  • Look at the sender's name and email address. Does it sound legitimate, or is it trying to mimic someone you know?
  • Hover over any links and you can see the website it will take you to. Does it look legitimate?
  • If it sounds too good to be true, it probably is.


How do I report a phishing email?

If you receive a suspicious message, just look for the Report Phishing button.

How to report from the Outlook Client App

With the email selected just look for the Report Phishing button on your Outlook ribbon as shown below:

Report phishing button on Outlook ribbon in 'Protection' group.

How to report from Outlook Online (OWA)

Select the email and click the Report Phishing button found on the ribbon.

Here’s what to look for:

Report button under the Home tab after Delete and Archive.

How to report from the Outlook Mobile App

Open the message and expand the options menu (outlined below):

Tap the Report Phishing button. You may need to scroll down the menu before you see it. 

'Report phishing' button at bottom of menu between 'Send to OneNote' and 'More Add-Ins'.



Think strong for your account password! #ThreeRandomWords

Always use a strong and separate password for your UoA account.

When thinking of a strong password for your account the longer and more unusual it is the stronger it will be. But longer does not mean complicated. A good tip is to think #ThreeRandomWords mix in some numbers & special characters to make a strong and memorable password.

Do not use the same password across different accounts. If you are using the same password elsewhere, change it to keep all your accounts secure.


Quick Tips for IT Security

The University has drawn up a set of guidelines to help remind us all of the importance of information security in every aspect of our daily work.

  1. NEVER reveal your username and/or password – to anyone.
    • Not even the Service Desk will ask you to reveal your password.
  2. Passwords. Make them strong; keep them safe; never share them; and change them regularly.
  3. Always lock your device – or log off completely – whenever you leave it unattended for even a short period of time.
    • It only takes a second or two for someone to access your files.
  4. Always protect your user identity, at work and at home.
    • Don’t share access to your device with strangers.
    • Don’t store sensitive personal information, such as bank account numbers, on your device.
    • See our fact sheet for tips on how to spot email phishing scams
  5. Ensure your sensitive data is safe and suitably encrypted when mobile.
    • It is mandatory that you encrypt any USB flash drive and/or other portable device that contains sensitive University data.
    • See our guidance on how to encrypt your device (click on the Encryption tab above), or buy a pre-encrypted USB stick from the Service Desk.
  6. Always use electronic communication with care.
  7. Use anti-virus software and keep it up to date.
    • The University of Aberdeen’s anti-virus solution for University owned and managed Windows and Mac computers is Microsoft System Center Endpoint Protection (SCEP). Click on the Anti-virus software tab at the top of the page for more about SCEP.
    • We are unable to offer anti-virus support for personal/home PCs, laptops, Macs and MacBooks. Please ensure your personal computer is protected from viruses and malware by running anti-virus software.
  8. Be cautious when using the internet.
    • Never download files from an unknown source.
  9. Never cause offence or break the law when using University IT facilities.

For help, advice, and to report ALL IT incidents, contact IT Services on: or x3636.

IT Security. We are all responsible.


It is mandatory that you encrypt any USB flash drive and/or other portable device that contains sensitive University data.

If you don’t, you risk not only accidental loss, destruction or damage to data but also unauthorised disclosure of confidential, personal, or commercially valuable data.

What is encryption?

Encryption is an effective method of protecting data stored on portable devices such as USB flash drives and external hard drives.

Encryption encodes data so that it can only be read by someone who has the right encryption key (password) to decode it.

This means that if your device is lost or stolen, the information contained on it cannot be accessed by unauthorised users.

Do you need to use USB?

While encrypting your USB device can protect the data on it from being accessed by unauthorised users, it cannot protect the device itself from being lost, stolen, corrupted or physically damaged.

  • Never use a USB device as your only method of storing and backing up data.

Consider the secure alternatives

  • Network drives - your H: drive or shared departmental drive is the most secure location for your data – as an area of managed filestore it is fast, reliable and secure. The servers are backed up onto tape nightly and, in an emergency, these tapes can be used to restore files that have been lost or damaged.
  • VDI - provides secure, authenticated access to your H: drive and shared network drives when you are off campus via your personal device; all you need is an internet connection.
  • Direct Access - connects your University owned and managed Windows laptop directly to the University network whenever you are off campus and have an internet connection.
  • File Transfer service - one and a half times faster than email, this web-based service is a secure and simple way to send and receive files of up to 20GB in size. The service can be used by University of Aberdeen staff and students and colleagues outside the University making it the ideal solution for researchers who need to exchange files securely with external collaborators. Find out more...

  • Email - don't forget that email can provide a convenient method of transferring smaller files, up to 25MB including attachments.
Out of Office – Security Considerations

Outlook's Out of Office automatic reply feature is convenient. However, automatic replies can reveal a lot about us, and innocuous snippets of information can be a goldmine for cybercriminals engaging in phishing and social engineering.

What information can be revealed?

Cyber criminals and spam bots send out messages looking for a response. When an automatic reply is received, this alerts the sender that an address is active, immediately making it a more viable target.

The automatic reply can also reveal whether an email address belongs to an individual or is shared. If a signature is included, the cyber criminals may get phone numbers and physical addresses too.

We often include additional information within our automatic replies, such as the duration of our absence and whether we are on holiday or a business trip. Besides that, we may include alternative contact details, sometimes revealing information on work projects and internal team structures.

All this information can be used to craft highly targeted and plausible spear phishing campaigns.

What can you do to avoid the risk of attack?

  • Where possible, only enable internal automatic replies (Inside My Organization). 
  • If you do need to enable external automatic replies, create a separate message, and include as little information as you can.
  • If you are in communication with a few key external contacts or vendors, it is safer to warn them of your absence directly and ahead of time.
  • Avoid naming colleagues and providing their job titles and contact details. It is safer to include an appropriate shared mailbox, if available.
  • Do not include any details of your activities or whereabouts and, where possible, avoid including the duration of your absence.
  • Do not include your usual email footer in your automatic replies.