Scenario 1 - Cyber Security and Good Hygiene/Safe Practices

Kate is a professor and researcher who is preparing to take a three-week vacation to visit her family in another country. A long-time university colleague, who is now the vice-dean of a university in that country, has invited Kate to give a lecture on her work to a group of postgraduates at the university during her visit. Prior to departure, Kate downloaded remote access software onto her computer to access files stored on her home university's network while abroad, including a research project that has not yet been published. Once on site, she remotely accessed her account from a state-sponsored university computer, where she downloaded information to prepare for her speaking engagement, and then delivered the lecture.

Risks and Consequences for Kate and her Institution

Depending on the nature of the content of her lecture or the subsequent question-and-answer session, Kate may have inadvertently disclosed potentially confidential information on the research project. This disclosure could result in misappropriation or duplication of research projects or results, which could lead to a negative impact for Kate and her institution.

If Kate's data or findings were misappropriated, recognition for the research work could be given to those outside her research team or institution. Her ability to publish and the potential for commercialization may also be negatively affected. This situation could lead to tarnished reputations and negative impacts on the careers of all who are involved in the project.

Moreover, the incident may also contravene intellectual property or confidentiality clauses that are part of Kate's project and funding, which could result in disciplinary measures. There may also be a loss of value to Canada, if the research was funded by public funds (i.e. through a government funding agency).

Remote access from a potentially non-secure computer could also create a vulnerability in Kate's university's cyber defenses, which could be exploited and extended to her university network. This could include potential monitoring of traffic between the computer used by Kate at work and her home computer to obtain sufficient information to log into both her home computer and the institution's network. At that point, information could be downloaded from either computer at will, or from any shared drives and servers at home and at work. Malware payloads could be installed onto Kate's home computer, and onto any devices or networks connected to it, to collect information or disrupt network operations.

Possible Impacts for the Institution

Kate's home university could be unknowingly compromised and may remain unaware of this breach for a lengthy duration. During this period, any amount of confidential, proprietary, and economically sensitive data could be misappropriated from the institution. This is in addition to any potential disclosures that Kate may have inadvertently made during her presentation. This could result in serious reputational damage to the institution and a significant financial loss or lost opportunities.

Best Practices

  • Before leaving your home institution, you should only carry, access, transmit, and disseminate publicly available, non-sensitive and non-confidential information, and any questions and answers or discussion should be limited to these areas.
  • You should only connect back to your university's network using a personal device or secure computer, via approved travel software and remote access capabilities that were installed and verified by your institution. Public Wi-Fi is often untrusted and unsecured; sensitive files should not be transferred over public networks.

Applicable Resources and Best Practices