Data Security Best Practices

The most effective way to secure your research data is by implementing the following best practices.


Table of Contents

  1. Managed Device
  2. Device Updates
  3. Antivirus Protection
  4. Multi-Factor Authentication (MFA)
  5. Awareness & Training
  6. Device Encryption
  7. Password Hygiene
  8. Data Backup Plan
  9. Physically Secure Workspace
  10. Virtual Private Network (VPN)
  11. Avoid Public or Unknown Sources
  12. Travel Security

1. UMS:IT (University of Maine System Information Technology) Managed Device


If you have a UMS:IT managed device and you are up to date on all software updates, then you already have a device that covers #2 Device Updates and #3 Antivirus Protection below (at minimum). A managed device has the benefit of managed security alerts and tested updates and hardware. For example, if malware is detected on a managed device, the review of the malware infection includes expert guidance and investigation from the Information Security Office (ISO) within UMS:IT. Within UMaine research environments, this investigation also involves Research Information Security (RIS). They work to identify the source (e.g., a USB storage device), scope, and impact of the malware. Investigating incidents helps protect against reinfection.

2. Device Updates


Make sure to install the latest updates and patches to your operating system, applications, and security software to stay protected against known vulnerabilities. Updating is the single best thing you can do for your device. Whenever you see security patches, you should take them seriously. Malware needs a way in, and one guaranteed way to give it a path into your system is through an unpatched vulnerability.

3. Antivirus Protection


Antivirus software helps detect and remove malicious code that can compromise your data security. This protection works by recognizing known malicious code, which is identified through databases of malware signatures. Regularly updating malware signatures (or allowing automatic updates) is crucial for the successful identification of new and emerging malware; a signature database cannot flag malware it has not yet seen.

4. Multi-Factor Authentication (MFA)


One of the best ways to ensure that the person accessing an account is who they say they are is by using an additional layer of identity verification called multi-factor authentication (MFA). MFA protects against unauthorized access to your accounts.

As of January 1, 2025, MFA is required on all UMaine faculty and staff maine.edu accounts. For more information and to enroll, see UMS:IT Multi-Factor Authentication.

5. Awareness & Training


If you don’t know about security risks, how can you know to protect against them? Awareness provides an understanding of security risks, such as phishing scams. Awareness of phishing scams reminds you not to click on links or download attachments from unknown sources and to be wary of suspicious emails, messages, and phone calls that ask for personal information.

A key part of data security is awareness and training because secure user practices are essential to a successful security program. Trainings on Information Security are available through UMS Academy. Trainings on Research Security are available through the Collaborative Institutional Training Initiative (CITI); more information can be found on the Research Security Training webpage.

6. Device Encryption


Device encryption is easy to enable. For example, Windows includes device encryption called BitLocker and macOS includes FileVault 2. Both offer full-disk encryption for your device. Encryption mitigates the risk of data compromise in the event of a lost or stolen device; note that full-disk encryption protects data at rest, so a device that is powered on and unlocked is not protected by it. As an additional layer of security, you can encrypt individual files containing sensitive information to prevent unauthorized access, such as requiring a password to open a Microsoft Excel spreadsheet.

7. Password Hygiene


Compromised accounts can be difficult to detect prior to obvious suspicious activity (e.g., unknown credit card purchases, changes to your direct deposit, etc.).

If a password can be easily guessed, it is not a strong password. According to Microsoft strong password recommendations (external link), a strong password typically:

  • Has at least 12 characters,
  • Combines upper- and lower-case letters, numbers, and symbols,
  • Is not an identifiable word,
  • Is significantly different from previous passwords, and
  • Is easy to remember.

Avoid reusing passwords, because a reused password turns one stolen credential into access to every account that shares it. Stolen passwords persist on the dark web and are easy for criminals to acquire.
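The password rules above can be applied mechanically. The following is an added example (not from this page or from UMS:IT) that checks a candidate password against each listed rule except "easy to remember", and against a list of previous passwords for reuse or near-reuse; the word list, the leet-substitution map, and the 60% similarity cutoff are assumptions chosen for illustration.

```python
import difflib
import re

MIN_LENGTH = 12
# Assumption: a password sharing more than 60% of its characters (in order)
# with a previous one is not "significantly different" from it.
MAX_SIMILARITY = 0.6

# Constructed stand-in for a real dictionary or breached-password list.
COMMON_WORDS = {"password", "welcome", "maine", "research", "qwerty", "letmein"}

# Letter-for-symbol swaps that do not make a word any less identifiable.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})

def normalize(password: str) -> str:
    """Lowercase, undo common leet substitutions, and keep letters only."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))

def is_identifiable_word(password: str) -> bool:
    """True if the password is built around a word from the list."""
    letters = normalize(password)
    return any(word in letters for word in COMMON_WORDS)

def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of how much two passwords overlap, ignoring case."""
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()

def check_password(password: str, previous=()) -> list:
    """Return the rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than 12 characters")
    if not re.search(r"[A-Z]", password):
        failures.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        failures.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        failures.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no symbol")
    if is_identifiable_word(password):
        failures.append("built on an identifiable word")
    # Reuse is caught here too: an identical password has similarity 1.0.
    if any(similarity(password, old) > MAX_SIMILARITY for old in previous):
        failures.append("reused or too similar to a previous password")
    return failures
```

Changing only the year in an old password (a common habit) is rejected by the similarity check even though the new password passes every other rule.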

8. Data Backup Plan


Use secure cloud storage and backup solutions by choosing reputable providers that offer end-to-end encryption and strong access controls to protect your data from unauthorized access. Backing up data in an additional location offers protection from a single point of failure that can result from events such as “human error, hardware failure, virus attacks, power failure, and natural disasters” (USGS [United States Geological Survey] on the Importance of Backups [external link]).

A significant amount of time, money, and effort goes into research, and that research is all supported, documented, and reproduced through data. You would not want to risk losing months or years of work. Incorporating a data backup plan into your routine is a simple tactic to mitigate the risk of losing data.

9. Physically Secure Workspace


Awareness of your surroundings and your chosen workspace is very important for data security. The degree of privacy and security offered by your workspace should match the sensitivity of the data you are working with. For example, if data should be private, then a coffee shop would not be the best location to work. Be wary of “shoulder-surfing” (i.e., someone watching you type your password) when working in a public workspace.

10. Virtual Private Network (VPN)


Using a Virtual Private Network (VPN) for online activity helps protect your privacy and security by creating a secure, encrypted connection between your device and the internet. A “full-tunnel” VPN sends all of your device’s traffic through the encrypted tunnel. However, if the VPN has “split-tunneling” enabled, some of your traffic travels outside the VPN tunnel. Encryption takes additional time, so split-tunneling has the advantage of increasing the transfer speed of non-specified traffic by allowing it to travel as if there were no VPN. Be mindful of what the VPN is configured to protect when considering the sensitivity of the data. Some cybersecurity standards do not allow split-tunneling to be enabled.

11. Avoid Public or Unknown Sources


Avoid Unknown Storage Devices

Malware can make its way onto your device via a storage device (e.g., a USB flash drive). If an infected device is plugged into your computer, it can infect your system and spread further. Antivirus software may detect and quarantine malware before it can do damage, but that is not a guarantee. The only reliable protection is to avoid unknown storage devices.

Avoid Public Wi-Fi, Computers, or Devices

Trusting and transmitting information over an unknown or public network could result in unintentionally sending unencrypted information to an unintended recipient. Avoid using public Wi-Fi for sensitive activities, such as online banking or shopping, as these networks are often unsecured and can be easily intercepted by attackers. If you must use an unknown or public network, be sure to:

  • Use a full-tunnel Virtual Private Network (VPN),
  • Enable Multi-Factor Authentication (MFA),
  • Only visit sites that have “HTTPS” in the URL (as “HTTP” traffic is unencrypted),
  • Ensure your firewall is enabled (a firewall should never be disabled),
  • Disable auto-connect,
  • Keep your device updated,
  • Turn off sharing features (e.g., file-sharing, printer sharing), and
  • Turn off Wi-Fi when you’re done.

When a browser warns you that a site is not secure, carefully consider whether this site needs to be accessed and be wary of any information submitted to it.

12. Travel Security


Devices that travel with you are susceptible to compromise and theft. While traveling abroad, there are additional risks for seizure by foreign officials. While all the data security practices outlined thus far are applicable during travel, some additional steps can be taken to improve travel security.

Travel light! If you don’t need it, don’t take it with you. If it is necessary to travel with a portable device (such as a laptop), it is best to take a sanitized secondary or loaner device. Do not travel with confidential or restricted data and only travel with what has been approved by authorized parties.

Prior to your departure:

Contact

Please contact Research Information Security (RIS) at um.ressec@maine.edu with any inquiries on research data security.