Marc is a researcher who is travelling to an international conference abroad where his research will be discussed. Marc brought his computer with him and a USB key containing information related to his work. During the conference, he made contact with several international partners, where he exchanged information and data by connecting his USB to colleagues' devices. When Marc returned from the conference, he connected the same USB key to his institution's network.
Risks to Marc and the Institution
When connected to a non-approved device, the contents of Marc's USB key could have been copied, resulting in:
- The loss of research data or information;
- The loss of proprietary research intended either for publication in a peer reviewed journal, potential commercialization, or other uses; and
- Depending on the nature of the research data, the potential contravention of research ethics resulting from the breach of potentially confidential information from research partners or research participants.
The USB key could also have been infected with one or more malware payloads, some of which are not always detectable by the anti-malware programs installed on a personal computer. For example:
- Spyware is generally designed to collect and transmit information.
- Malware packages are designed to shut down or even destroy systems when activated.
- Ransomware can result in financial payments in order to recover files that are locked away or encrypted by the perpetrator.
When the USB key was inserted in a device connected to the institution's network, the payload could have been activated or could have replicated itself to other computers or connected networks.
While a colleague may not have been deliberately trying to steal or compromise data, his or her device could have been infected with spyware or malware without their knowledge.
Possible Consequences for Marc
If Marc's data or findings were misappropriated, recognition for the research work could be misattributed. The ability for him to publish and the potential for commercialization may be negatively affected. This situation could lead to tarnished reputation and negative impacts on the careers for all who are involved in the project.
Moreover, the incident may contravene intellectual property or confidentiality clauses that are part of Marc's project and funding, resulting in disciplinary measures.
Possible Impacts for the Institution
A cyber security breach of the institution's networks could seriously impact its IT resources for a period of time or, depending on the purpose of the intrusion, go undetected in the network, and lead to ongoing loss of data.
If confidential or proprietary information was misappropriated from the institution, it could face serious damage to its reputation. Ransomware could lead to financial losses and other consequences if the institution attempts to recuperate the information, or to permanent loss of access to holdings or repositories, if the ransom is not paid.
- Before leaving your home institution, think ahead about what data may need to be shared, as well as with whom, and in what manner it may need to be shared. Do not hesitate to consult cyber security resources to determine the best course of action, and/or consult with travel.gc.ca for warnings about specific country destinations.
- Limit the transportation of data, including on your laptop, to only necessary and/or public information.
- When travelling with information, put sensitive information on a secure (or encoded) USB key.
- Keep storage devices secure at all times, and do not connect them to untrusted devices.