By Christina Pomianek-Smith
Your research data and intellectual property are valuable, not only in the pursuit of knowledge for the betterment of society but also to cybercriminals who seek to steal it or hold it for ransom. According to the Federal Bureau of Investigation, intellectual property theft is a growing threat in the digital era, and much of the threat occurs in places where “laws are lax, and enforcement is more difficult.”
The theft or ransom of intellectual property and research data begins with unauthorized access to valuable information. Unauthorized access occurs through various pathways, intentional and unintentional. Hackers may gain access to our systems and your research by installing malware, capturing login credentials through a phishing attack, or stealing an unprotected device such as a laptop or cellphone. Unauthorized access and disclosure can also happen accidentally—a research assistant retains login credentials to a folder after they are no longer involved in the project, members of the team share passwords, research data are sent in an unencrypted email, or data are disposed of insecurely, for example.
Universities are especially prone to security breaches for several reasons—thousands of students, faculty, and staff have login credentials that hackers can use to access the system; users may not feel personally responsible for securing university resources; universities house and manage troves of precious and sensitive data; and universities often engage with third-party service providers (e.g., cloud storage providers). According to Katherine Mangan’s recent article in the Chronicle of Higher Education (April 2021), since 2005, school districts and colleges have experienced at least 1,300 reported data breaches affecting more than 24.5 million records. Three-quarters of these breaches happened at colleges and universities, with 43% attributed to hacking, 27% to unintentional leaks (e.g., personally identifiable information sent in an email), and 15% to lost and stolen laptops or portable devices.
Relationships with third-party service providers create another layer of vulnerability for your data and intellectual property. In January 2021, Accellion, Inc., a cloud provider, experienced a breach that exposed hundreds of thousands of documents from dozens of universities. One of the affected universities, the University of Colorado-Boulder, had more than 300,000 records exposed, including information protected by legislation such as HIPAA, FERPA, and GLBA. This information was held for a ransom of $17 million. Following the advice of the FBI, the university refused to pay the ransom, as paying the ransom is no guarantee that criminals will honor their promises. In the end, some of these data were posted on the dark web. On the bright side, the university had taken steps to use student and employee ID numbers instead of social security numbers on forms, so fewer than 20 social security numbers were included among those data, demonstrating that simple steps can help protect important data from attacks.
Simple Strategies for Better Security
You can help protect your research data, intellectual property, and university resources by using the following strategies:
Use WUSTL Box
Avoid emailing sensitive information and protected data. Instead, use a secure file sharing service such as WUSTL Box to collaborate and share your research and data. WUSTL Box allows you to:
- Easily grant and revoke access to your files.
- Maintain a backup of your files, incorporating contributions and changes made by collaborators.
- Save versions of your files so you can easily restore them to an earlier state.
- Keep a record of access and activity for your files and folders.
Be Selective When You Share
Only grant permission to those who really need access. Remember to stop sharing your data if someone leaves your research team or no longer needs access.
Use Strong Passwords and 2FA
Always use strong, unique passwords for each account. Turn on 2FA wherever possible to add an extra layer of security.
Encrypt Your Devices
Use a passcode and use services such as BitLocker and FileVault to encrypt your device. If the device is lost or stolen, your data will not be vulnerable to unauthorized access and use.
Physically Secure Your Devices
Treat your devices as if they are valuable. Never leave them unattended in public locations. Find additional device security recommendations in our Securing Devices guidance.
Be on guard for phishing attacks trying to get at your login credentials. Don’t reply to urgent requests for your personal information or passwords.
Use a loaner laptop when you travel. These laptops are preconfigured to maximize security. If your device is lost or stolen while you’re traveling, your data will still be safe, and you won’t lose your familiar machine. Find additional travel guidance on our Travel page.
Use Vetted Services
The Office of Information Security engages in security reviews of products and software. Use these approved products to ensure better security and support when you need it.
Reuse Media and Dispose of Data Securely
Before you dispose of a device or pass it along to a new user, make sure all protected and confidential data is rendered unrecoverable. Contact the Office of Information Security for assistance.