Guidance Document - Cybersecurity Tips and Resources During the COVID-19 Response
Updated: May 9, 2023
Researchers are responsible for securely storing research data, transmitting research data and maintaining heightened situational awareness, and this is even more true during remote work.
From researchers working with the Department of Defense to those working with publicly available data, faculty, staff, and students at Purdue have resources to keep their research, personal data and University systems safe.
First, researchers should review the three categories into which the University classifies all data:
- Restricted, which means information protected by policies or regulations, such as health information covered by HIPAA or research data covered by ITAR,
- Sensitive, which is not regulated but still must be guarded due to proprietary, ethical or privacy concerns and
- Public, which is information with no existing restrictions on access.
Commercial cloud storage services like Dropbox and Google Drive are not approved for storing sensitive or restricted data. Researchers using cloud storage are encouraged to use secure Purdue-supported resources, such as the University's FileLocker service, REED folders and, for data not subject to Export Control regulations (EAR and ITAR), Purdue's instance of Box.com, for managing their data. More guidance about storage and transmission of data can be found on the Secure Purdue website.
For researchers working under a technology control plan (TCP) in place with the Export Controls office, continue to follow the controls outlined in the TCP. If the current situation makes that difficult and some controls need to be revisited, contact the export control office at exportcontrols@purdue.edu. The ECO has already posted guidance if Personally Owned devices will need to be used. You can reach that posted guidance from the Export Controls website.
For others, while you may not handle restricted, or even sensitive, data, your role as a researcher at Purdue makes you a target for bad actors looking to enter the Purdue network. Rather than targeting people with high-level access to sensitive data, it is common for cybercriminals to target “low-level” users. Once they gain access to the network, they have the ability to maneuver to higher levels by using the compromised account to trick others or pry into other systems.
Follow these simple, recommended controls to mitigate data risk while working remotely.
- Use a virtual private network (VPN).
When accessing Purdue University resources, use the Purdue University VPN to help protect you while working remotely. When accessing resources external to Purdue while working remotely, strongly consider implementing a personal VPN to protect your research browsing and communications.
- Be careful when working remotely.
It is recommended that researchers who work remotely practice increased precautions, particularly with respect to research. Do not carry research on portable devices, and use services such as FileLocker that encrypt data if you must access research data at a remote location. When performing research remotely, pay greater attention to your surroundings, guard against shoulder surfing, and be aware of your screen orientation. It's important to consider the potential for meetings to be overheard. Find or set up an isolated space in your home for holding such meetings. The Office of Export Controls provides additional guidance about security best practice for international travel.
- Put passwords on your devices.
The easiest way to protect your devices, like a laptop or smartphone, is to lock them with a hard-to-guess password. If you are using your personally owned WIFI for research during the implemented social distancing, secure your wireless access point as follows:
- Password protect your WIFI.
- If possible, turn off your SSID broadcast.
- If possible, implement WPA or WPA2 authentication.
- Ensure your device is patched and updated.
If you have been approved by waiver to use a Personally Owned Device during social distancing, ensure that your device is fully patched and updated (OS and antivirus/antimalware) automatically to maintain current recommended levels. For Purdue owned and managed devices, follow your specific IT support department guidance for updating and patching. If you are self-supported, ensure that updates are checked for and installed automatically to maintain the system at current levels.
- Store and work with your research data on central computing resources.
Rather than downloading or making copies of your research data to work on personally owned equipment, consider utilizing Purdue's central facilities for research computing or data storage. The Research Data Depot, Community Clusters, or Data Workbench allow you to reliably and securely store and work with your fundamental research data from wherever you physically are located.
- Lock your devices and close remote connections.
- Your laptop or desktop should have a 15-minute screen lock and be manually locked when you walk away. Your local IT department can help you with this task.
- When you're done for the day or stepping away from the device for an extended period of time, log off from your remote connection.
- In addition to good personal hygiene, Purdue faculty, students and staff should also keep up their digital hygiene to avoid falling for malicious emails about COVID-19, also known as Coronavirus.
- Avoid clicking on links in unsolicited emails and be wary of email attachments.
- Use trusted sources — such as legitimate, government websites — for up-to-date, fact-based information about COVID-19.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.
Consider these tips on how to spot a phishing email:
- Provokes fear or urgency. If the email asks that you act fast to avoid a serious consequence, be suspicious.
- Asks you to click. If an email says to click on a link, move your mouse to hover over it to see where it actually leads. If you even think there's a problem, don't click.
- Uses vague language. If the email is addressed to no one or a generic greeting such as “colleagues” and contains few details, it's likely a scam. Look for spelling and grammatical errors as well.
If you spot a COVID-19 phishing email, or any phishing email, forward it as an attachment to abuse@purdue.edu.
- Tips for protecting research data during Webex meetings can be found at: https://www.itap.purdue.edu/newsroom/200402-WebEx-Tips-For-Security.html
Note: Do not display controlled information via the normal instance of Webex. If you need to use Webex for a controlled project, please visit the Guidance Document – Teleconferencing Guidance for Controlled Projects (login required).
Please remember that Purdue established guidance, security requirements, and Export Control requirements are still in effect and must be followed. If you have any questions regarding research security during implemented social distancing, please contact the Export Controls team by email at exportcontrols@purdue.edu, by phone at (765) 494-6840, or in person on the 3rd floor of Hovde Hall.
Working on research remotely, away from the security of Purdue University networks, increases risk to research data and adds vulnerabilities. These steps can protect your research data and the rest of the University's data from bad actors.
Check out the Secure Purdue website for more information on cybersecurity and free anti-virus software.
Contact Information
Address:
Young Hall, 5th floor
Room 548
155 South Grant Street
West Lafayette, IN 47907
Email: rsec@purdue.edu
Phone: (765) 494-1642