Research Raiders: How to Protect Collaborative Data

Colleges and universities of all sizes conduct research across a number of fields and disciplines. Whether it's biological research on the role that imprinting plays in creating new species of poison dart frogs in Panama or economic research into the distribution shortfalls experienced by independent produce sellers in Michigan, for centuries higher education has been shaping the way we look at the world. But while many institutions may hold rivalries on the football field, when it comes to collaborating on and sharing research, they have many reasons to put aside the big foam fingers and work together. This collegiate spirit of reciprocity regarding data collection and analysis not only produces more balanced and meaningful knowledge but also cuts down on duplication of efforts, establishes accountability and transparency, and enables more rapid validation of findings.^Footnote1 Yet this interinstitutional cooperation also introduces a challenge: how to protect the digital transfer of valuable (and possibly classified) material from cyberattacks.

As digital threats grow in sophistication, many higher education institutions are struggling to keep step with their security measures. This can be especially problematic for any federally funded research that handles controlled unclassified information (CUI)—for example, schematics for a new missile guidance system—or for medical schools abiding by HIPAA privacy regulations. But research of all types is of value to the colleges and universities conducting it, and having it stolen can mean a loss of revenue and the exploitation of private data. To solve the problem, higher education institutions must strike the correct balance between collaboration and protection. Fortunately, security protocols and software are keeping pace with the escalating attacks, and institutions do not have to work alone in facing the task of safeguarding their cooperative research.

The Risks of Sharing

As noted, there are many benefits for colleges and universities that join forces to conduct research, but this collaboration requires substantial planning and forethought. As in any other agreement, a formal contract should lay out all rules and stipulations. This contract should cover not only how the resulting research data will be used and how costs will be split but also the methods for distributing the data, the constraints on its use, and the information that must remain confidential. Encompassing all these concerns is the question of security. If data is distributed strictly online, how will the transfer be kept safe from hacking? (Are there passwords? Is access limited to a select few? What happens to the data beyond the agreed-upon sharing term?) If hard copies are preferred, where are they being physically stored, and who is allowed access?

Not addressing such matters at the start of any collaborative research endeavor can result in tiny leaks in an institution's security dam, possibly resulting in an overwhelming flood. If research data is a house that can be locked or not, many other factors make up the foundation and frame. A data security plan is only as good as who is implementing it, and many campus IT departments already struggling with the transitions sparked by the COVID-19 pandemic may not have enough bandwidth (in terms of either digital or time) to tackle yet one more major project. They also have several practical considerations to address, such as finding a way to prevent oversharing (e.g., via social media or email) by participants, stopping any accidental leaks, and making sure they're complying with all federal regulations related to data privacy.

Blind Spots and Security Risks

Quick question: How much data do you have stored on the device you're using to read this article? You can probably come up with several documents, emails, music, and photos, but composing a full inventory would require extensive digging. Now multiply that task by the many hundreds of students, faculty, and staff housing data on a campus computer system. Add in alumni information, admissions material, financial data, and yes, proprietary research. Is it any wonder that one of the major stumbling blocks institutions encounter in their efforts to protect their data is simply that they don't know what they have? Securing information that no one even knows about is a tall order indeed, meaning that a thorough, comprehensive audit is a requirement, however daunting.

And that's just for starters. Colleges and universities must also conduct an intensive examination of existing policies concerning data sharing and security to make sure there are no oversights and to implement new procedures where needed. Institutions with international reach have a heightened risk of intrusion from foreign bad actors and should seek assistance from federal agencies like the FBI or DHS. The same is true for any institutions doing government research, as the leaking of classified or otherwise controlled data can lead to millions of dollars in taxpayer money being lost and even to severe national security risks.^Footnote2

Proactive Safety Steps

Federally funded research may be a huge lure to hackers such as foreign governments or spy agencies, but it's not the only target. Privately funded exploration into scientific innovation can be just as tempting (and equally rewarding) to intruders, and higher education institutions conducting such research may also want to reach out to the federal government for help with protection.^Footnote3 This could entail assistance with computer systems or with producing cyberthreat training materials and briefings for faculty, staff, and administrators.

Aside from asking the federal government to lend a hand, institutions can take additional proactive steps to keep the transmission of researchers' data out of reach from the bad guys:

• Understand the complete range of risk types faced by research departments, including internal and external factors, then work to manage and minimize any intrusion.
• Develop a set of risk criteria and processes to review incoming grants, contracts, or requests for information.
• Strengthen any institutional policies related to federal and international regulation compliance.
• Update existing security systems and services to align with Zero Trust strategy, meaning all data is treated as a threat until it can be verified.^Footnote4
• Strengthen any school policies related to federal and international regulation compliance.
• Choose a common workflow platform for both research teams to use.
• Empower members of the campus community to identify security concerns or potential threats.
• Enable discovery and collection of data across both institutions and have dedicated storage locations.
• Secure research information when it is transferred digitally, including making sure the right users can still access it and collaborate.
• Automatically encrypt data when uploading to a cloud storage service.

An Example of Security

While methods involved in research differ from the typical teacher-student learning model, other aspects of academia can impart useful lessons in successfully handling data security. For example, at Ithaca College, a prominent liberal arts college based in New York, the challenge of realizing full data security was compounded by its satellite branch in London.^Footnote5 To protect the identities of an international and diverse roster of students and faculty, the college had to shield its digital environment from malicious intrusions while also strictly complying with privacy regulations. In charting its course, the IT team implemented multi-factor authentication for user devices, threat protection software to detect and resolve intrusions, and proactive software to isolate potentially infected computers or devices. The team also centralized the IT department with a cloud-based solution that reduced risk of attack while saving money on hardware upkeep. As a result of taking these steps, leaders at Ithaca College feel more confidence in their digital security.

Conclusion

The tradition of sharing research and information for the betterment of all parties and for humanity at large is deeply embedded in the academic world. The many benefits include higher rates of publication for research papers and the development of new courses, not to mention the goodwill built between what would otherwise be teams of competitors.^Footnote6 With an unceasing deluge of cyberthreats from home and abroad, however, colleges and universities need to strike a working balance between what and how much they share and what and how much they restrict. Rules must be set and enforced, new policies must be made widely known, and a thorough examination of the data infrastructure of each institution must be conducted. With enough forethought, communication, and help from third parties, higher education institutions can implement a raft of best practices to keep their collaboration private and secure.

Notes

1. University Research Administration, University of Chicago, "Data-Sharing Agreements," April 1, 2011. Jump back to footnote 1 in the text.↩
2. Association of American Universities (AAU) and Association of Public and Land Grant Universities (APLU), "University Actions to Address Concerns about Security Threats and Undue Foreign Government Influence on Campus," May 2020. Jump back to footnote 2 in the text.↩
3. Peter McPherson and Mary Sue Coleman, "We Must Have Both," Inside Higher Ed, August 5, 2019. Jump back to footnote 3 in the text.↩
4. Corey Lee, "Adopting a Zero Trust Approach in Higher Education," EDUCAUSE Review, March 31, 2021. Jump back to footnote 4 in the text.↩
5. "Ithaca College Foils Cyberattacks with the Comprehensive Threat Protection Built into Microsoft 365," Microsoft (website), April 18, 2019. Jump back to footnote 5 in the text.↩
6. "The Importance of Collaborative Research and How Universities Can Facilitate Seamless Data-Sharing," Netrality Data Centers (website), accessed June 1, 2020. Jump back to footnote 6 in the text.↩

---

Steve Scholz is Principal Technical Specialist for Security, Compliance, and Identity, US Education, at Microsoft.