Scenario 1 – Cyber security practices

Disclaimer: This scenario does not cover all risks and best practices. This case study represents a certain scenario for general application of research security principles and can be used as a resource for training, exercises, presentations, etc. The names, events and other details of this scenario are created for educational purposes and do not represent any particular event.

Fictional scenario

  • Kate is a professor and researcher at a Canadian post-secondary institution. She accepts an invitation from a former colleague at a foreign university to give a guest lecture on her research work while she is travelling abroad on vacation.
  • Prior to her departure, Kate downloaded third-party remote access software onto her work computer so that she could continue to access key work files while abroad. She did not know that the software is unauthorized by her home institution.
  • Kate remotely accessed her data repository from the foreign university’s Wi-Fi network. To prepare for her lecture, she consulted multiple files related to her research project, including files that contain confidential and unpublished data. When she finished her review, Kate saved and uploaded the files over the foreign university’s network.

Risks in this scenario

Risky practice: Use of unauthorized third-party remote access software

Possible consequences:
  • Breach of the Canadian institution’s IT security policies, which may include legal liability.
  • Theft of login credentials.
  • Installation of malware payloads onto the researcher's computer, and to any devices or networks connected to it, to collect information and disrupt network operations.
  • Unidentified system compromises that prevent timely response measures.

Risky practice: Uploading confidential information and unpublished data over an unsecure network

Possible consequences:
  • Misappropriation or duplication of research projects or results, which could negatively affect the researcher’s ability to publish or limit the potential for commercialization.
  • Contravention of intellectual property or confidentiality clauses that are part of the research project and funding agreement, which could result in reputational loss and legal consequences.

Risk mitigation

Best practices checklist – Researchers

Before installing remote access software:

  • DO proactively consult IT at your post-secondary institution on recommended practices and available options for secure remote access.
  • DO review the necessary information and procedures on how to report a breach to your post-secondary institution’s administration before travelling abroad. Many institutions provide guidance on travelling with electronic devices. Check with your institution’s IT website or contact the IT department.
  • DON’T use unauthorized access software.
  • DO create specialized data repositories for access abroad.
  • DO segregate data and only bring necessary data and information. For example, don’t store sensitive information, unpublished data or unrelated data from other projects in the same repository where it is easily accessible to unauthorized users. Where possible, download or print off necessary materials prior to travelling to limit the need to access your institution’s online repositories.

When accessing your post-secondary institution’s network:

  • DO ensure that the use of a virtual private network (VPN) or encrypted applications is legal in the country you are visiting or working in.
  • DO use a VPN to establish a secure connection that uses authentication and protects data. Using a VPN ensures that your organization has a private communications network through an untrusted network.
  • DON’T connect to unauthorized and unverified foreign computers or networks.
  • DO use a secured network to access your work. Public networks, including public Wi-Fi, are often untrusted and unsecure; sensitive files should not be transferred over public networks.
  • DO use approved travel software and remote access capabilities that were installed and verified by your institution when connecting back to your institution’s network using a personal device or secure computer.
  • DON’T plug in or connect your devices to any non-issued devices (e.g., USB / USB-C sticks, memory cards, chargers, cameras, computers, photocopiers, fax machines, digital picture frames, etc.).

If you find yourself facing a potential breach:

  • DO immediately contact your post-secondary institution and report a potential breach.
  • DO take all potentially affected equipment offline immediately. Do not remove or destroy data as this may be needed to investigate the breach.
  • DO change the credentials and passwords of important accounts on an uncompromised device (do not use the device suspected of being problematic).
  • DO review access permissions and, using a secure method or with the assistance of your institution’s IT technical support, move the project information and data required for the engagement to a secure offline storage medium.

Best practices checklist – Post-secondary institutions

  • DO have policies and procedures in place that outline, for example, the acceptable use of corporate devices and the management of corporate information.
  • DO consider developing a fleet of loaner devices for faculty or staff travelling to areas of high digital risk.
  • DON’T leave security concerns to be handled on an individual basis. Have plans and information available for researchers and staff.
  • DO let your employees know that they must use a VPN to connect to work servers and provide them with instructions on how to use it.
  • DO ensure your employees know who to contact if they have questions regarding IT security, especially if they experience security issues or their devices are lost or stolen.
  • DO train your employees on cyber security issues and best practices, such as spotting phishing attempts, creating strong passwords, and using secure Wi-Fi networks.

Additional resources