Scientists must be more proactive in encouraging good cybersecurity practices.
Most scientists, like most Internet users, probably think of cybercrime as a misfortune that happens to others — to banks, say, or to online retailers who are careless with customers' credit-card information, or to individuals who fall for a get-rich-quick e-mail from Nigeria.
But the unsettling truth is that academic institutions are among hackers' prime targets. Not only do campuses tend to be richly supplied with personal computers, servers and other computing resources, but they are connected to the world by high-bandwidth networks and populated by inexperienced, casual and sometimes reckless students (see page 1260). This wide-open computational environment is ripe for being co-opted, whether it is to send out spam, run illegal file-sharing sites or launch further cyberattacks.
Worse, from researchers' point of view, is that much — if not all — of their hard-won laboratory data live in that environment, where the information is vulnerable to theft and malicious damage. Computer security has moved up the agenda of universities and other research institutions over the past decade, and most places now have teams of professionals to monitor suspicious traffic and maintain a safe environment.
But such structured, centralized efforts can result in controls that raise scientists' hackles and violate their impulse to do things their own way. As a result, too many researchers set up their own computer systems and ignore any security help the university's professionals can give them.
This attitude is unhelpful, bordering on reckless. University information-technology administrators do need to manage things with as light and as unobtrusive a hand as possible — for example, by making sure that researchers retain the freedom to use the software they choose. But laboratories, especially the smaller ones, need to avail themselves of the professionals' skills as much as possible.
Larger research projects with heavy data needs may have the resources to exercise more autonomy. But even so, it is imperative that such projects put a qualified person in charge of cybersecurity who can take sole responsibility for keeping up with the fast-moving requirements that security issues present.
Large group or small, the ultimate responsibility for protecting data and other resources has to rest with the laboratories that own them. Every lab director must be aware of the risks, and must treat cybersecurity with the same respect as laboratory safety, patient safety and scientific integrity.
About this article
Cite this article
Security first. Nature 464, 1246 (2010). https://doi.org/10.1038/4641246a