Skip to toolbar

Education & Training

Office of Information Security

​Protect Your Devices, Your Data, and Your Penn State Account

Learn about steps you can take to protect yourself and the University from phishing attacks, viruses, spyware, ransomware, identity theft, theft of data, denial of service attacks, and other forms of cyberattack.


  • Protect your personal devices from malicious software that can be used to delete or prevent you from accessing files, lock you out of your device, modify the behavior of existing software, redirect you to alternate websites, disrupt a web service, and/or gain access to your credentials, payment information, intellectual property or other sensitive information.
  • Protect your Penn State Account from unauthorized access that can be used to steal your personal and financial information, to further target other members of the Penn State community, and to access Penn State systems.
  • Protect Penn State Systems and Data. Avoid being the entry point that exposes Penn State Systems to unauthorized access and attack that could block access to University systems, steal sensitive data, disrupt learning and research activities, impact the University’s reputation, and cost it substantial sums of money.
what can I access


Click each topic below to expand it.

don't modify this so accordion stays closed

1. Install or enable security software on your personal devices

Install anti-virus or internet security software on your smartphone, tablet, laptop and other internet connected devices to detect and protect against malicious software. Visit the Anti-Virus Software page on this website to learn more.

To realize the full benefit of your security software:

  • Keep it up to date by installing the latest update or release as soon as becomes available.
  • Review the settings on your security software to confirm that you’ve enabled all of the recommended features. For example, make sure you’ve enabled automatic updates to the database your security software uses to identify threats.
  • If you receive a notification that your virus protection is out of date, don’t ignore it. Follow up to identify and address the reason

2. Keep your operating system, internet browser, and other software up to date

Software updates often include patches that address newly discovered vulnerabilities. Install the latest version and any security updates to your operating system (Windows, macOS, iOS, Android or Linux), your web browser (Chrome, FireFox, Edge, Safari, Opera, etc.), Adobe Flash, Java, and other software as soon as they become available.

Take advantage of Duo Security features that notify you when you don’t have the latest update. See knowledge articles Software Update Notification – Your Computer Software is Out of Date and Duo Security Checkup for more information.

Note: If you’re unable to update your operating system or other software because you’re using an older device, consider replacing it with a newer one. Think of it this way: An automobile manufactured in 2010 cannot be retrofitted with all of the safety features available today, regardless of how well it’s maintained. Likewise, an older version of an operating system is generally not as secure as the current version, even if you’ve installed the most recent security patches available for the older version. The most recent version typically includes security enhancements not available in older versions.

3. Take these precautions when emailing and texting

Don’t be hasty in responding to an official sounding email that instructs you to take immediate action. Phishing attacks often create a sense of urgency by telling you there’s a problem you must address as soon as possible by clicking a link or sending your password, social security number, or other confidential information.

When you receive a text or email that contains a link or attachment, don’t click, open, or download it unless you know and trust the sender – and are sure the email actually came from them. If in doubt, contact them independently to confirm that the email came from them.

If the email appears to come from a government agency, financial institution or other official source, don’t click the link provided in the email.  Instead, do an internet search to find their official website and use the contact information found there.

Visit the Phishing page on this website for a examples of recent phishing emails, to learn how to identify suspicious emails, and what to do if you should receive one.

NEVER include confidential information such as your social security number, password, or financial accounts in an email or text, even if you’re responding to a request for that information. Such requests are a clear indication of phishing.

4. Take these precautions when browsing the web

Before you log into a website or enter confidential information such as your social security number, credit card, or bank account information, check the address (URL) of the webpage to confirm that it starts with https://.   The “s” indicates that the webpage encrypts (secures) data transmitted between your device and their server.

Never ignore or override warning messages from your web browser or security software that indicate that a website is unsafe.

Be careful what you click on.  Be alert for clues that may indicate that the site you’re visiting is not trustworthy, or that you’ve been redirected from the site you intended to visit, to a site that attempts to look like it.  If something seems fishy, check the address (URL) in the address bar of your browser to confirm that it’s what you would expect.

5. Take these precautions before downloading apps and content

Before downloading software or content from the internet, search the web for independent reviews to confirm that it has a good reputation and track record.

Download mobile apps from official sites such as Google Play, the App Store, iTunes, etc.

Download apps to your laptop or desktop directly from the software vendor’s site rather than a third party.

6. Take these precautions when using Wi-Fi

Cybercriminals can easily take advantage of unsecured Wi-Fi connections to eavesdrop on your online activities and intercept the information you enter, including login IDs and passwords, credit card numbers, etc.

Take the following measures to protect yourself:

  • Make sure your home Wi-Fi network is secure.  Learn how by visiting Secure your own home Wi-Fi network.
  • Confirm that your device is not set to automatically connect to any available Wi-Fi network.
  • Only enable file sharing over Wi-Fi when you need it and only if you’re on a trusted Wi-Fi network.
  • If you must use free public Wi-Fi (for example, in a coffee shop, hotel, or airport):
    • Be sure you know the name of the Wi-Fi network offered by that location, so you don’t connect to a hotspot with a legitimate-sounding name that was set up by a hacker.
    • Don’t assume that free Wi-Fi is secure just because you need a password to access it.
    • Don’t visit any website that requires you to log in (e.g., social media, a bank account, or a Penn State website that requires login) or enter confidential information such as a credit card number unless you first log into a virtual private network (VPN).  See knowledge article Install and Run VPN to learn how to connect to the Penn State VPN.
      Note that some spyware can capture your password even when you connect to a website you’ve set to automatically log in to without typing in your ID and password!
    • If in doubt, use a cellular data connection rather than Wi-Fi.

7. Physically secure your device

Set your smartphone, tablet, laptop, or other device to lock after a certain period of inactivity, and require a password, fingerprint or other means to unlock it.

Keep your device with you. Never leave it unattended, even if it’s in a locked car or hotel room.

8. Back up your data regularly

Back up the data on your smartphone, laptop and other devices to the cloud or to an external device.

This is one of the most important things you can do to ensure you’re able to recover should your device be infected with malicious software such as a virus, spyware, or malware.

Visit the Data Backups page on the security website to learn more.

9. Enable your operating system firewall

Consider enabling the firewall that’s built-in to your operating system if you haven’t already.

Visit the Firewall page on this website to learn more.

10. Sign up to use two-factor authentication for your non-PSU accounts

Many websites, including Google and most online banking sites, offer the opportunity to enable two-factor authentication (2FA) for your account.  Consider taking advantage of 2FA where it’s available.

11. Encrypt your data

Do some research to find out what encryption features are built into or available for your specific operating system and/or device.

For other devices, use a whole disk encryption program such as Bitlocker (Windows), FileVault (macOS), or GnuPG (Linux) to automatically encrypt your files when they’re not in use.

12. Enable Bluetooth only when you need it

Hackers and data thieves can use Bluetooth connections to “eavesdrop” on your device and access your sensitive data.

13. Install Locator and Remote Access software on your laptop or mobile device

Install or enable software that allows you to locate and control your mobile device remotely so that you can locate your device and even delete sensitive data on it in the event that it is lost or stolen.

14. Wipe your personal device of all data before selling it

Search the web for tips on how to do this effectively, as deleted files can often still be recovered.

what can I access


If you’re a student, anyone who gains access to your account may redirect tuition reimbursement to their own account, gain access to information such as your social security number, credit card, or bank account numbers, and access confidential information such as grades and health records. If you’re a faculty or staff member, anyone who gains access to your account gains access to all of their information in Workday.

don't modify this so accordion stays closed

1. Use a strong password

Using a strong password is one of the most important things you can do to help keep personal and Penn State information secure.  When you change or reset the password for your Penn State account, the Penn State Account Management Change Password page lists some basic requirements designed to help ensure that you choose a strong password.  In addition to those basic requirements, use the following guidelines to choose a password that is difficult for a person or computer program to determine:

  • Choose a phrase that’s unique and familiar just to you.
  • Go for length.  Longer passwords are more difficult to hack.
  • Don’t base your password on a common phrase (e.g., “1justDOit!”) or personal information such as the names of your pets or children, wedding anniversary, or favorite sports team.
  • Don’t base your password on a single dictionary word.
  • Combine the first part of each word in a phrase, mixing at least 15 numbers, characters, and letters.  For example, “I love to play badminton” could become “ILuv2PlayB@dm1nt()n.”

2. Don't share your password with anyone.

Penn State policy prohibits sharing the password for your Penn State account with anyone – even a parent, spouse, roommate, or friend.

Note that Penn State will never ask you for your password.

3. Take care not to inadvertently share your password.

Never write it down, disclose it in an email, or save it anywhere on your phone, laptop, or other device – unless it’s to store it in a password manager. 

4. Use a different password for each account you own.

Cyberthieves often take advantage of the fact that many people use the same password for multiple websites and systems.  When that’s the case, all they need is the password to one of your accounts, and they’re able to access all of them.

5. Consider using password management software.

Password management applications allow you to securely create, store, and retrieve strong device and website credentials.  Using a password manager makes it easier to have a strong, unique password for each of your devices and accounts because it eliminates the need to remember each one.

Research your options by doing a search on “best password manager”.  Review articles such as this one in Consumer Reports for recommendations.

6. Be careful not to approve a fraudulent request for two-factor authentication.

It’s easy to get in the habit of approving a Duo Push, a phone call, or whatever other method of two-factor authentication you use without thinking. However, It’s critical that you don’t automatically approve any request for authentication you receive if you’re not in the process of logging in – in case the request is the result of a hacker attempting to access your account.  If it is, and you approve the request, you enable the hacker to log in to your account, defeating the purpose of two-factor authentication. See knowledge article I got a Request to Authenticate When I Wasn’t Trying to Log In to learn to identify fraudulent requests.

7. Whenever possible, use the Duo Push method of two-factor authentication.

Duo Push is the most secure method of Duo two-factor authentication.

8. Protect your personal devices from malware

Malicious software can be used to steal your user ID and password.  Protect your devices by following the recommendations in the previous section of this page, Protect your devices and data.

what can I access


don't modify this so accordion stays closed

1. Log into the Penn State VPN before accessing University resources from a remote location.

If you need to log into a Penn State resource from off-campus, use the Penn State VPN to establish a secure connection to the Penn State network when any of the following apply:

  • You’re accessing a secure enclave and/or data classified as Level 3 (High) or Level 4 (Restricted) according to the Information Classification Decision Tool.
  • You need to log in to a Penn State resource using home Wi-Fi.
  • You need to log in to a Penn State resource using public Wi-Fi.  Note that it’s best to avoid using public Wi-FI altogether, but if you must, always connect to the Penn State VPN before logging in to Penn State resources.

See knowledge article Install the Virtual Private Network (VPN) on an Operating System or Device to learn how.

2. Don't store or sync Penn State data to your personal device.

Penn State policy prohibits storing Penn State data on a personal device, as your personal device may not have all of the security measures in place on a University-owned device. 

Store files in a Penn State protected resource such as OneDrive, G Suite, or Microsoft Teams instead.

Establish a secure connection by logging in to the Penn State VPN before logging in to the application where the files are stored.

3. When accessing, storing, or sharing confidential data, use the required security controls.

Familiarize yourself with level of confidentiality and data protection requirements associated with different types of data by referring to the Information Classification Decision Tool.

Do not use a personal device to access Level 3 or Level 4 data.  If you need to remotely access Level 3 or Level 4 data from a University-owned device, consult your supervisor and email to confirm that the appropriate security controls are in place before accessing the data.

4. Protect your personal devices and Penn State account

A security breach that affects your personal device or Penn State account may be the point of entry a cybercriminal uses to gain access to critical Penn State Systems.  Be sure to review and implement the recommendations listed in the previous sections on this page.

5. Take appropriate measures to protect Intellectual Property (IP)

Learn what IP is, and where to find Penn State policies that govern it by visiting Protecting Intellectual Property on this website.

If you work on a project funded by a government or industry partner, make sure you’re aware of and honor any contractual agreements regarding sharing of project related data.

Don’t share IP externally unless absolutely necessary. If you do need to share it, work with your IT staff to ensure that the data remains secure.  Refer to Penn State’s Encryption Standard to learn how to securely transmit data outside of the PSU network.

6. Use Penn State approved video conferencing applications.

These include Zoom, which provides a number of collaboration tools, and Microsoft Teams, which is offered to Penn State students at no cost as part of the Office 365 suite of applications.

7. Log out of WebAccess and close all browser windows when you've finished accessing Penn State resources.

Cyber criminals may be able to exploit information the browser temporarily stores in cookies and other temporary files.  Logging out of WebAccess and closing all browser windows is the best way to ensure that such information is cleared.