Cybersecurity and your research data

In the digital age, information is a commodity that criminals will go to great lengths to get their hands on. Research data is no different. Roshan Harneker, Senior Manager for Information and Cybersecurity Services at Information, Communication and Technology Services (ICTS) offers a few key points to bear in mind to maintain the integrity of your research data.

Classify your data

The first step is to know what data needs to be protected and to what extent. Currently there are no institutional data classification guidelines so Harneker suggests research groups develop their own data classification systems in order to easily define public, sensitive, confidential and restricted data.

Who has access to your data?

When using a cloud-based storage service, like MSTeams or Google Drive, be sure to set permissions carefully according to your data classification system. Once you have classified and set your permissions, be sure to clearly spell out terms and conditions associated with that data access.

Where is your data?

Consider every device your data may be housed on, says Harneker. While the intention may be to keep the data securely on password-protected hard-drives, you may find yourself working on a subset of that data downloaded onto a laptop that is not password secured. Harneker advises ensuring all devices that may contain sensitive data be protected or even encrypted in the same way.

Are you complying with all relevant legal frameworks?

Familiarise yourself with the legislative requirements around data collection, use and storage, not only our own Protection of Personal Information Act (POPIA), but that of your collaborators too. The General Data Protection Regulations (GDPR) adopted by the European Union in May 2018 are applied widely in contractual agreements between collaborative partners to ensure that adequate security measures are in place to protect the management and transfer of personal information.

Is your hardware secure?

A number of researchers buy and manage their own hardware without thinking about important cybersecurity details like encryption and access control. In these cases, Harneker suggests at least consulting with ICTS over security measures in both the short and the long term.

Image by Pete Linforth from Pixabay