University of Cincinnati Links Research and Security Teams
Williams notes that UC uses several enterprise security solutions, such as anti-virus software, encryption and multifactor authentication. Research projects may require additional tools, he says, such as cloud storage that is certified to comply with certain regulations. The university also makes endpoint detection and response from CrowdStrike available to researchers working with sensitive data, uses Splunk to monitor systems involved in research projects and identifies vulnerabilities through Qualys.
Perhaps just as important as the specific cybersecurity tools are the processes that UC has put in place to connect research teams with information security professionals. The school has a committee, staffed mostly by researchers, charged with making sure that UC’s research projects comply with National Institute of Standards and Technology security standards and guidelines. By appointing a liaison between the research and cybersecurity teams, Williams says, the school has ensured that researchers are implementing additional controls when needed.
“It’s been tremendously helpful,” Williams says.
WATCH: How this SOC at the University of Cincinnati helps protect university assets.
Indiana University Cybersecurity Services Empower Professors
In 2020, Indiana University piloted a project called SecureMyResearch, aimed at offering opt-in cybersecurity services to researchers. Anurag Shankar, a senior security analyst at the university’s Center for Applied Cybersecurity Research who conceived of the idea, initially expected to see little interest, given the resistance he’d faced from professors throughout his career — but to his surprise, the program has “exploded,” with researchers joining voluntarily.
“We’ve reached maybe 50 percent of all faculty members,” Shankar says. “I think it’s because we’ve concentrated on positive messaging. We’re focused on getting work done more quickly and making sure the research is trustworthy. We stress how faculty will have more time to write grants.”
“If you ask researchers to do cybersecurity, that’s basically dead on arrival,” he adds. “And if you want to teach them cybersecurity, it’s the same deal. So, the only way we can actually secure research is by the institution injecting cybersecurity into it.”
Through SecureMyResearch, cybersecurity experts will look at researchers’ existing workflows and provide step-by-step directions to better protect data. Sometimes, they simply connect researchers with existing university resources or help them obtain a specialized tool, such as a specific file encryption software program that would better meet their needs. In other instances, they will help research teams develop privacy practices, such as ensuring that no one is able to overhear remote interviews being conducted for a research project.
“We’ve learned that 80 percent of problems are resolvable within five minutes,” Shankar says. “Some of these are issues that people have been stuck on for six months. Now, they don’t have to figure things out on their own. We give them whatever they need to do their work.”