May 10 2023

The Importance of Cybersecurity in University Research Projects

Universities are taking steps to integrate cybersecurity into research projects at their earliest stages.

Matthew Williams, executive director of information security for the University of Cincinnati, says it’s impossible to provide the same protection for users and systems across a large university.

“If we tried to deploy all the same controls across everything, it would slow the university down to a screeching halt,” he says. “We would stop functioning. It’s a delicate balance of trying to be as secure as possible but also being able to function in an agile and efficient manner.”

To help strike that balance, UC has created a liaison between the school’s information security and research leaders, making the school one of several that are creating new systems to shore up cybersecurity for research projects.

Joseph Potchanant, director of cybersecurity and privacy at EDUCAUSE, says that researchers have historically looked at information security offices as the “department of no,” fearing that cybersecurity professionals would hamstring their work. Universities must flip this script, he says, so that information security is seen as a “department of know.”

“Data is the crown jewel in research,” Potchanant says. “We’ve seen higher education institutions targeted by hackers who want to steal their research or maybe even sabotage it. And then, ransomware attackers have a financial incentive to just keep people from their research.”

 “We need to do a better job of letting researchers know that there are resources out there, and that those of us in cybersecurity and privacy are not here to prevent them from doing their work,” he says. “We want to help them do their work safely.”

Click the banner below to receive exclusive content about cybersecurity in higher ed.

University of Cincinnati Links Research and Security Teams

Williams notes that UC uses several enterprise security solutions, such as anti-virus software, encryption and multifactor authentication. Research projects may require additional tools, he says, such as cloud storage that is certified to comply with certain regulations. The university also makes endpoint detection and response from CrowdStrike available to researchers working with sensitive data, uses Splunk to monitor systems involved in research projects and identifies vulnerabilities through Qualys.

Perhaps just as important as the specific cybersecurity tools are the processes that UC has put in place to connect research teams with information security professionals. The school has a committee, staffed mostly by researchers, charged with making sure that UC’s research projects comply with National Institute of Standards and Technology security standards and guidelines. By appointing a liaison between the research and cybersecurity teams, Williams says, the school has ensured that researchers are implementing additional controls when needed.

“It’s been tremendously helpful,” Williams says.

WATCH: How this SOC at the University of Cincinnati helps protect university assets.



Indiana University Cybersecurity Services Empower Professors

In 2020, Indiana University piloted a project called SecureMyResearch, aimed at offering opt-in cybersecurity services to researchers. Anurag Shankar, a senior security analyst at the university’s Center for Applied Cybersecurity Research who conceived of the idea, initially expected to see little interest, given the resistance he’d faced from professors throughout his career — but to his surprise, the program has “exploded,” with researchers joining voluntarily.

“We’ve reached maybe 50 percent of all faculty members,” Shankar says. “I think it’s because we’ve concentrated on positive messaging. We’re focused on getting work done more quickly and making sure the research is trustworthy. We stress how faculty will have more time to write grants.”

“If you ask researchers to do cybersecurity, that’s basically dead on arrival,” he adds. “And if you want to teach them cybersecurity, it’s the same deal. So, the only way we can actually secure research is by the institution injecting cybersecurity into it.”

Through SecureMyResearch, cybersecurity experts will look at researchers’ existing workflows and provide step-by-step directions to better protect data. Sometimes, they simply connect researchers with existing university resources or help them obtain a specialized tool, such as a specific file encryption software program that would better meet their needs. In other instances, they will help research teams develop privacy practices, such as ensuring that no one is able to overhear remote interviews being conducted for a research project.

“We’ve learned that 80 percent of problems are resolvable within five minutes,” Shankar says. “Some of these are issues that people have been stuck on for six months. Now, they don’t have to figure things out on their own. We give them whatever they need to do their work.”

Joseph Potchanant
We need to do a better job of letting researchers know that there are resources out there, and that those of us in cybersecurity and privacy are not here to prevent them from doing their work.”

Joseph Potchanant Director of Cybersecurity and Privacy, EDUCAUSE

UC Berkeley Cybersecurity Experts Engage Researchers Early

When cybersecurity teams put up obstacles, researchers will often go around them, says Chris Hoffman, IT and operational director for the Forum for Collaborative Research at the University of California, Berkeley School of Public Health. “They’ll set up their own server and put it under their desk, and they’ll have a graduate student be their system administrator,” he says. “Or they’ll rely on services from other universities.”

To avoid these workarounds and keep research safe, Hoffman tries to work with professors in the early stages of their research. “We don’t want to be playing catch-up,” he says.

Part of this work means simply ensuring that researchers are using the university’s cybersecurity resources, such as firewalls and intrusion detection systems. To ensure that all aspects of data privacy are being considered, Hoffman also makes efforts to connect researchers with other groups on campus, such as the research office that handles compliance for studies involving human subjects.

MORE ON EDTECH: How network upgrades enable universities to accelerate research.

Hoffman’s group has set up specific services for researchers. One of these, the Secure Research Data and Compute platform, offers high performance computing, computing on virtual machines with desktop environments and protected storage for both. Also, the university has rolled out REDCap, a secure web application for building and managing online surveys and databases that was originally created at Vanderbilt University to support HIPAA compliance in research.

In addition to boosting security, Hoffman says, these efforts are enabling new research. “There is research that professors have wanted to do, but previously they couldn’t do it at Berkeley,” he says. “So, part of this is about faculty recruitment and retention.”

“This also gives confidence to our partners that we’re doing the right things with their information,” Hoffman adds. “We’re able to be a responsible partner while also supporting the kind of creative, next-generation research that our campus is known for.”

Illustration by Ben KonKol

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.