Data Security Best Practices
If you are curious about the top actions that can be taken to secure your research data, then the following best practices guide is a good place to start. The most security bang for your buck can be achieved by implementing the following best practices:
- UMS:IT Managed Device
- Update or Isolate!
- Antivirus Protection
- Multi-Factor Authentication (MFA)
- Awareness & Training
- Device Encryption
- Password Hygiene
- Data Backup Plan
- Physically Secure Workspace
- Virtual Private Network (VPN)
- Avoid Public or Unknown Sources
- Travel Security
UMS:IT Managed Device
If you have a UMS:IT managed device and aren’t dismissing software update notifications, then you have a device that covers #2 Updates and #3 Antivirus Protection (at minimum). A managed device has the benefit of managed security alerts and tested updates and hardware. If, for example, malware is detected on a managed system, the triage of the infection includes expert guidance and investigation from the Information Security Office within the University of Maine System. They work to identify the source (e.g., USB storage device), scope, and impact of the malware. Investigation into incidents helps protect against reinfection.
Updates
Make sure to install the latest updates and patches to your operating system, applications, and security software to stay protected against known vulnerabilities. Updating is the single best thing you can do for your device. Whenever you see security patches, you should take them seriously. Malware needs a way in, and one surefire way to give it a path into your system is through an unpatched vulnerability.
Antivirus Protection
Antivirus software helps detect and remove malicious code that can compromise your data security. This protection works by detecting known malicious code, which is identified by matching it against databases of malware signatures. Regularly updating (or allowing automatic updates of) these signatures is crucial for the successful identification of new and emerging malware.
Multi-Factor Authentication
As inconvenient as MFA may seem, it is one of the best ways to ensure that the person accessing an account is who they say they are through an additional layer of identity verification. MFA protects against unauthorized access to your accounts. Increase the security of your maine.edu account by enrolling in MFA with UMS:IT.
Awareness & Training
If you don’t know about it, how can you know to protect against it? Awareness provides an understanding of the anatomy of such things as a phishing scam. Awareness of a phishing scam helps remind you not to click on links or download attachments from unknown sources and to be wary of suspicious emails, messages, and phone calls that ask for personal information. A key part of security is awareness and training, because secure user practices are the fulcrum of a successful security program. Trainings on Information Security are available through UMS Academy. The National Security Presidential Memorandum 33 (NSPM-33) is an example of the increasing emphasis on (and upcoming requirement for) cybersecurity awareness and training.
Device Encryption
Device encryption is relatively accessible these days. For example, Windows natively comes with BitLocker and macOS comes with FileVault 2. Both offer full-disk encryption for your device. Encryption mitigates data compromise in the event of a lost or stolen device. As an additional layer of security, encrypt individual files that contain sensitive information to prevent unauthorized access, such as by requiring a password to open a Microsoft Excel spreadsheet.
Password Hygiene
Compromised accounts can be difficult to detect prior to obvious suspicious activity (e.g., unknown credit card purchases, changes to your direct deposit). If a password can be easily guessed, then it is not a strong password. A strong password typically has at least 12 characters, combines upper- and lower-case letters, numbers, and symbols, is not an identifiable word, is significantly different from previous passwords, and is easy to remember (Microsoft strong password recommendations). Avoid reusing passwords, because reused passwords increase the potential impact of stolen credentials. Stolen passwords persist on the dark web and are easy for criminals to acquire.
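The strength rules listed above can be expressed as a small checker. The following is an added example written for this article, not a tool provided by UMS:IT or ARCSIM; the list of common words and the 0.7 similarity threshold are constructed assumptions (a real deployment would use a large breached-password list), and the checker only flags problems, it never stores the password.

```python
import difflib
import re

# Constructed, deliberately tiny list of identifiable words (assumption: a real
# deployment would check against a full dictionary or breached-password list).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "maine"}

MIN_LENGTH = 12          # "at least 12 characters"
SIMILARITY_LIMIT = 0.7   # assumption: ratio at or above this counts as "not significantly different"


def check_password(candidate, previous=()):
    """Return the list of rules `candidate` breaks; an empty list means it passes.

    `previous` is an iterable of the user's earlier passwords, used only to
    enforce the "significantly different from previous passwords" rule.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no symbol")

    # "Not an identifiable word": strip digits and symbols so that
    # "Password123!" is still recognised as the word "password".
    letters_only = re.sub(r"[^a-z]", "", candidate.lower())
    if letters_only in COMMON_WORDS:
        problems.append("based on a common word")

    # "Significantly different from previous passwords": compare the whole
    # string, case-insensitively, so a bumped year or digit is still caught.
    for old in previous:
        ratio = difflib.SequenceMatcher(None, candidate.lower(), old.lower()).ratio()
        if ratio >= SIMILARITY_LIMIT:
            problems.append("too similar to a previous password")
            break
    return problems


if __name__ == "__main__":
    for pw in ("Password123!", "Lobster!Trail-Moon42"):
        print(pw, "->", check_password(pw) or "ok")
```

Run it as a script to see one rejected and one accepted sample; call check_password with a previous list to see the similarity rule in action.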
Data Backup Plan
Use secure cloud storage and backup solutions by choosing reputable providers that offer end-to-end encryption and strong access controls to protect your data from unauthorized access. A significant amount of time, money, and effort goes into research, and that research is supported, documented, and reproduced through data. Backing up data in an additional location offers protection from a single point of failure that can result from events such as: “human error, hardware failure, virus attacks, power failure, and natural disasters” (USGS on the Importance of Backups). There are few things that are quite as awful as the feeling of losing months (or even years) worth of work. Incorporating a Data Backup Plan into your routine is a simple tactic to mitigate the risk of losing data.
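A backup only protects against a single point of failure if the copy can actually be restored, so it is worth recording a checksum of every file at backup time and re-checking the copy later. The following is an added example written for this article, not a UMS:IT or ARCSIM tool; it copies a directory tree, records SHA-256 digests from the source, and reports any backup file that is missing or has changed. The sample data tree in demo() is constructed in a temporary directory.

```python
import hashlib
import pathlib
import shutil
import tempfile


def sha256_of(path):
    """SHA-256 hex digest of one file, read in chunks so large data files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under `root` (as a relative path) to its SHA-256 digest."""
    root = pathlib.Path(root)
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def backup(src, dst):
    """Copy the `src` tree to `dst` and return the manifest recorded from the source."""
    shutil.copytree(src, dst, dirs_exist_ok=True)
    return build_manifest(src)


def verify(dst, manifest):
    """Return the files whose copy under `dst` is missing or no longer matches the manifest."""
    dst = pathlib.Path(dst)
    problems = []
    for rel, digest in manifest.items():
        copy = dst / rel
        if not copy.is_file() or sha256_of(copy) != digest:
            problems.append(rel)
    return problems


def demo():
    """Constructed sample: back up a tiny data tree, verify it, then damage one copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src = pathlib.Path(tmp, "data")
        dst = pathlib.Path(tmp, "backup")
        (src / "raw").mkdir(parents=True)
        (src / "raw" / "run1.csv").write_text("t,value\n0,1.5\n1,2.5\n")
        (src / "notes.txt").write_text("sample lab notes\n")

        manifest = backup(src, dst)
        before = verify(dst, manifest)                     # clean copy: nothing reported
        (dst / "notes.txt").write_text("silently corrupted\n")
        after = verify(dst, manifest)                      # damaged copy: notes.txt reported
        return before, after


if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere other than the backup itself, and re-run verify() on a schedule rather than only once; a backup that has quietly rotted is the failure this routine is meant to catch.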
Physically Secure Workspace
Awareness of your surroundings and your chosen workspace is very important for security. The degree of privacy and security offered by your workspace should be commensurate with the sensitivity of the data you are working with. If data should be private, then a coffee shop is probably not the best location to work. Be wary of shoulder-surfing (e.g., someone watching you type your password) when working in a public workspace.
Virtual Private Network (VPN)
Using a Virtual Private Network (VPN) for online activity helps protect your privacy and security by creating a secure and encrypted connection between your device and the internet. With a full-tunnel VPN, all of your traffic travels through the encrypted tunnel on its way to its destination. The caveat is split-tunneling: when it is enabled, some of your traffic travels outside of the VPN tunnel. Encryption takes additional time, so split-tunneling has the advantage of increasing the transfer speed of non-specified traffic by letting it travel as if there were no VPN. Be mindful of what the VPN actually protects when considering the sensitivity of the data. Some cybersecurity standards do not allow split-tunneling to be enabled.
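Whether a given connection is inside or outside the tunnel is decided by the routing table: the most specific matching route wins. The following is an added illustration written for this article, not a description of the UMS VPN client; the two route tables and the interface names are constructed assumptions (on a real machine the table comes from ip route, netstat -rn, or route print), and the addresses used are private and documentation ranges.

```python
import ipaddress

# Constructed route tables (assumption: interface names and prefixes differ per VPN client).
FULL_TUNNEL = [("0.0.0.0/0", "vpn")]                            # everything goes via the tunnel
SPLIT_TUNNEL = [("10.0.0.0/8", "vpn"), ("0.0.0.0/0", "wifi")]   # only the private range is tunneled


def route_for(destination, routes):
    """Longest-prefix match: return the interface that traffic to `destination` will use."""
    dst = ipaddress.ip_address(destination)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        # A more specific prefix (larger prefixlen) beats the default route 0.0.0.0/0.
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def outside_tunnel(destinations, routes, tunnel_iface="vpn"):
    """Return the destinations whose traffic would bypass the encrypted tunnel."""
    return [d for d in destinations if route_for(d, routes) != tunnel_iface]


if __name__ == "__main__":
    # Constructed sample destinations: one private (campus-style) address and one public one.
    sample = ["10.20.30.40", "192.0.2.10"]
    print("full tunnel, unprotected:", outside_tunnel(sample, FULL_TUNNEL))
    print("split tunnel, unprotected:", outside_tunnel(sample, SPLIT_TUNNEL))
```

Under the split configuration the public destination leaves over the local Wi-Fi with no VPN protection, which is exactly the case the sensitivity of the data has to be weighed against.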
Avoid Public or Unknown Sources
Avoid Unknown Storage Devices. Malware can make its way onto your device through the use of a storage device (e.g., USB flash drive). If an infected device is plugged into your computer, it can infect your system and proliferate. Antivirus software can hopefully detect and quarantine malware before it can do damage, but that is not a guarantee. The only guarantee is to avoid unknown storage devices.
Avoid Public Wi-Fi, Computers, or Devices. Trusting and transmitting information over an unknown or public network could result in unintentionally sending unencrypted information to an unintended target. Avoid using public Wi-Fi for sensitive activities, such as online banking or shopping, as these networks are often unsecured and can be easily intercepted by hackers. If you must use an unknown or public network, be sure to use a VPN, only visit sites served over HTTPS (plain HTTP traffic is unencrypted), turn off sharing, and turn off Wi-Fi when you’re done (Kaspersky public Wi-Fi risks). When a browser warns you that a site is not secure, carefully consider whether the site needs to be accessed and be wary of any information you submit to it, since it will not be protected in transit.
Travel Security
Devices that travel abroad are susceptible to compromise, theft, or seizure by foreign officials. While the majority of the data security practices outlined thus far are still applicable during travel, some additional steps can be taken to improve travel security. Prior to departure, contact the Office of Research Compliance (ORC) regarding your travel to verify if any additional steps need to be taken. Travel light! If you don’t need it, then don’t take it with you. If it is necessary to travel with a laptop, take a sanitized secondary or loaner device. Do not travel with confidential or restricted data and only travel with what has been approved by authorized parties. A detailed guide on travel has been created that provides steps that should be taken before you leave, while traveling, and upon returning. Please review it as it contains additional information not provided in this article.
ARCSIM security encourages inquiring minds to attend ARCSIM seminars for general information, or contact ARCSIM at um.arcsim.sec@maine.edu for inquiries on research data security.