Guidance Document - Cybersecurity Tips and Resources for Academic Researchers

In addition to protecting their personal data, researchers are also responsible for securely storing and transmitting research data. Here are some tips.

From researchers working with the Department of Defense to those working with publicly available data, faculty, staff and students at Purdue have resources to keep their research, personal data and University systems safe.

First, researchers should review the three categories into which the University classifies all data:

• Restricted, which means information protected by policies or regulations, such as health information covered by HIPAA or research data covered by ITAR,
• Sensitive, which is not regulated but still must be guarded due to proprietary, ethical or privacy concerns and
• Public, which is information with no existing restrictions on access.

Researchers are encouraged to use secure resources, such as the University's FileLocker service, REED folders and, for data not subject to Export Control regulations (EAR and ITAR), instance of Box.com, for managing their data. More guidance about storage and transmission of data can be found on the Secure Purdue website.

While you may not handle restricted, or even sensitive, data, your role as a researcher at Purdue makes you a target for bad actors looking to enter the Purdue network. Rather than targeting people with high-level access to sensitive data, it is common for cybercriminals to target “low-level” users. Once they gain access to the network, they have the ability to maneuver to higher levels by using the compromised account to trick others or pry into other systems.

There are simple, preventative steps to take to mitigate the risk of being scammed or hacked.

If you aren't already following these suggestions, try incorporating one or two into your daily routine until they become habits. Then try one or two more.

1. Use two-factor authentication on important accounts, such as social media, online banking apps and email.
   If you have a smartphone, you likely already have the Duo Mobile app for BoilerKey, which protects University systems. You can use Duo for a variety of other sites who support two-factor authentication, such as Google, Facebook, Twitter, Amazon, GitHub and Dropbox.
2. Use a virtual private network (VPN).
   If you travel frequently, or even if you work from places on campus that aren't your office, using a virtual private network or VPN tool will help to protect you while connected to public or unprotected Wi-Fi access points.
3. Be careful when traveling, especially abroad.
   It is recommended that researchers who travel internationally take special precautions, particularly with respect to unpublished research. She suggests not carrying unpublished research on portable devices and using services such as FileLocker that encrypt data if you must access unpublished work from abroad. The Office of Export Controls provides additional guidance about security best practice for international travel.
4. Protect your intellectual property.
   It is recommended that researchers who may be generating any patentable intellectual property consult with Purdue's Office of Technology Commercialization to make sure they're taking the necessary steps to protect it.
5. Limit what information you share on social media.
   Bad actors collect a lot of personal information by combing social media sites. They can ascertain answers to security questions, formulate convincing phishing emails, or extort people by using information gathered from social media. Review your privacy settings and think twice before posting updates about upcoming vacations and other whereabouts.
6. Put passwords on your devices.
   The easiest way to protect your devices, like a laptop or smartphone, is to lock them with a hard-to-guess password. Don't use birthdays, names, locations or other personal information to make passwords. These are too easy to crack.
7. Use a password manager.
   A password manager is used to store long, complex passwords that are difficult to remember. Usually, you only need to remember one unique, complex password to open the password manager. This takes the pressure off the user to remember a long, complicated password for each account. Password managers also mitigate the risk of a data dump wherein a hacker can obtain an email and password combo and try it across commonly used accounts, such as Uber or Spotify, because of password reuse.
8. Check your info on HaveIBeenPwned.com.
   This free database allows users to search emails that are associated with data breaches. If your email and associated account has been compromised by a data breach, it is important to change the password at minimum, up to closing the account.
9. Be skeptical.
   If an email or direct message seems off, it probably is. If someone is asking you to spend money via an electronic message, the best thing to do is call or get face-to-face with that person to confirm the request. If someone is asking you to click on a link, which then requires credentials, you should think twice.
10. Forward spam or phishing messages to abuse@purdue.edu.
    If you receive a spam or phishing message, even if you're not sure the email in question falls into that category, you can forward the message to abuse@purdue.edu. Ideally, you would forward the message as an attachment to preserve header information. Once the security team is notified of suspected spam, they can suspend the sender's account if they are using a Purdue email address and block further emails from being sent. They can also identify malicious websites to block.

Putting one or two of these pieces of advice to work right away will drastically cut down your risk of being scammed or having your credentials stolen. These steps can protect your data, your research data and the rest of the University's data from bad actors.

Check out the Secure Purdue website for more information on cybersecurity and free anti-virus software.