Security

DataSecurity

To prevent unauthorised access and possible changes to your data, data security measures are in order. Such measures, on the one hand, serve to protect personal data and confidential information and on the other hand offer protection against unauthorised manipulation or erasure of files (intentional or unintentional).

Data security can be considerably increased with the help of technical measures. However, these must be accompanied by organisational measures in the form of policies and guidelines.

Measures

In the video below several measures that directly contribute to data security are detailed: limiting access with passwords, encrypting data and disposing of data that you no longer need securely. These measures are exemplified and supplemented by other measures in the tabs below the video (LSI Storage, 2009).

To protect your data files, you should use passwords to lock the computer systems used to access these data files. The University of Edinburgh (2017) has compiled some guidance on how to choose a strong password. In general, they should be long (15 characters or more). A very useful way to choose strong passwords is to make them up of four randomly chosen and altered words, e.g. C.rr3ctHorseBatteryStaple.

Edward Snowden (LastWeekTonight, 2015) advises us to shift our attention away from passwords to pass phrases which are unlikely to be in a dictionary, e.g. MyMotherM$kesTheB*stCakes. This way of thinking does not only make passwords stronger, but also a lot easier to remember.

The video (Alexanderlehmann, 2015) below explains why pass phrases are hard to crack. It is in German, but you can put on the English subtitles.

Password security

Besides choosing strong passwords, make sure to store and transmit them securely so they cannot be stolen:

  • Do: store passwords in a sealed envelope in a secure place (e.g. a safe);
  • Do: use secure password management tools. Remembering all of your passwords can be a challenge. Password management tools are one possibility of dealing with this problem. Examples are KeePassX (2017) and Lastpass (2017);
  • Do not: write passwords down and leave them lying about openly (e.g. in your desk drawer);
  • Do not: enter passwords in untrustworthy environments such as open wifi or internet cafés.

Encryption is the process of encoding digital information in such a way that only authorised parties can view it. It is especially useful when you are transmitting personal or confidential data.
When you encrypt a file, the information it contains is “translated” into meaningless code. To translate this code back into meaningful information a key is required. Attacks with ransomware such as the Locky virus ("Locky", 2023) have demonstrated that recovering information from encrypted files without the key is nearly impossible. It is therefore extremely important that you do not lose the key to decrypt your files.

Do: encrypt confidential data, especially before transmitting it online, uploading it to the cloud, or transporting it on portable devices. When working in a team, make sure that the key can be accessed by everyone who needs to access it (but only those people).
Do: ensure that you do not lose the key to decrypt your files, e.g. by keeping it in a sealed envelope in a secure location such as a safe room

Encryption software

The UK Data Service (2017c) has compiled information on encryption and offers short video tutorials demonstrating the use of different software tools to encrypt data.

Commonly used encryption software includes:

  • BitLocker (2017)
    Standard on selected editions of Windows. For the encryption of disk volumes and USB devices.
  • FileVault2 (Apple Inc, 2017)
    Standard on Apple Macs. For full disc encryption.
  • PGP (Pretty Good Privacy) (Raicea, 2017)
    There are commercial programmes (e.g. by Symantec (Symantec Corporation, 2017)) and free/open programmes (e.g. Gnu Privacy Guard (GnuPG, 2017)) available.
  • VeraCrypt (n.d.)
    Multi-platform encryption software (Windows, Mac and Linux). For full disk and container encryption.
  • Axcrypt (n.d.)
    File-level tool for Windows and MacOS with a free ‘Viewer’ decryption version for already encrypted files, and commercial, monthly-plan versions for encryption.
  • SafeHouse
    Free and commercial software versions available for Windows. Encrypts files, folders and drives.

The UK Data Service recommends using software that implements the Pretty Good Privacy (PGP) standard (see also Raicu, 2017; Lake, 2018).

To prevent your data from being manipulated or stolen, sufficient security measures to block any unwanted access to rooms and buildings or computers and networks where they are held should be in place.

Do: log and/or control access to physical sites where sensitive information is stored, e.g. with the help of key cards.
Do: use strong passwords and encryption (see above).
Do: use up-to-date virus scanners and firewalls.
Do: ensure that systems used to access data are continually updated (e.g. security updates for the operating system).

The UK Data Service (2017d) has a list of further important security measures.

Used Phones Are Full of Previous Owners’ Data: Researchers bought 20 used smartphones in four cities, and recovered thousands of photos, texts, and emails | Wadell, 2016.

Managing your data also means thinking about how to securely dispose of confidential information. Merely hitting the “delete” button on your computer or mobile device is not enough. In fact, even formatting the hard drive or doing a factory reset can leave (portions of) confidential information in place.

There are two options for secure disposal of confidential data:

  • The physical destruction of the storage medium (e.g. shredding of discs)
  • The use of software for secure erasing
    There are various software options available (UK Data Service, 2017e) that can securely delete files from hard drives. For example, AxCrypt (n.d.), Eraser (2017) and, for Windows, WipeFile (2020) are free open source file and folder shredding utilities.

The UK Data service (2017e) points out that solid-state hard disks (SSD) and USB flash drives (memory sticks) use a different technology than hard drives. Therefore, the techniques for securely erasing files are also different. The use of manufacturer-specific software is recommended. Note, though, that especially for solid state drives and USB flash drives only physical destruction is a 100% guarantee that the data cannot be recovered.

Contact the IT department and the administration of your university or institute to find out about regulations and procedures for secure destruction of confidential data.

Data security partly depends on technological and physical protection measures. However, these measures alone are not sufficient and will not adequately protect your data if you do not also address the “human factor”. This is particularly important if working collaboratively in a bigger and/or distributed team.

Protection against security breaches depends on the establishment and communication of clear rules and guidelines. Here are some points to consider when planning your data management that focus on the human/organisational dimension of data security:

Do: Invest time to draw up policies and concrete guidelines/checklists for all topics discussed in this chapter, especially:

  • Passwords: minimum requirements for password strength; management/secure storage of passwords.
  • Encryption: what types of data are encrypted for which purposes using which tools?
  • Secure data transmission and transport.
  • Secure data disposal.

Do: Restrict access to sensitive data:

Most likely, not everyone on the team needs access to all files. Determine who needs access to which types of data and handle access restrictions, e.g. with the help of passwords. In addition, create a routine to ensure you adapt authorisations in case someone leaves the team.

Do: Create awareness and keep communication going:

Errors often happen due to a lacking awareness of potential issues or threats. For example, does everyone on the team know which data is considered sensitive and why? Is everyone aware of potential risks posed by transmitting unencrypted data via email? Make sure that everyone on the team is adequately involved in discussions of data security issues and measures in place.