Battered old bike or racer

How safely do you store your data?

Photo: Guy Ackermans

Like other universities and research institutes, WUR is a popular target for Internet criminals. That is why WUR is investing in improving security for our data and raising awareness among WUR staff about the value of that data. One example is data classification. “A lot of people don’t have the incentive or right knowledge to handle data properly.”

Arvid Landwaart

Researchers realize what can go wrong if they forget to run that backup

In December last year, Internet criminals managed to infiltrate Maastricht University and make various systems inaccessible using ransomware. The university eventually paid the cybercriminals 200 thousand euros to regain access to their servers.

After the hack in Maastricht, WUR wondered whether that could happen here too. The answer was yes, says Arvid Landwaart. “This can happen to everyone, including WUR. Not in precisely the same way, but we were definitely too vulnerable.” That is why WUR is investing in additional measures to ensure data security. Arvid is the project manager for this campaign. “Such additional measures could for example be technical actions taken by FB-IT, or increasing employees’ awareness by sending internal ‘phishing’ emails. Data classification is also an important aspect in creating a security setup that is better but still affordable.”

The more expensive your bike, the more sophisticated the lock you buy. That is the metaphor that Arvid uses to explain what data classification involves. “To keep our data properly secure, whether it’s financial, HR-related or research results, you need to know what value that data has and how bad the consequences would be if the data became unusable or was made public.” Arvid says that at the moment everything is under lock and key. “Staying with the bike metaphor, that’s fine for the ultra-fast racing bike. But a battered old bike can be kept in the shed where you can get at it easily. Classifying our data lets us make distinctions in the level of security required for the data.”

Risk of reputational damage

In any organization, the information must comply with the requirements of confidentiality, integrity (it must be complete and correct) and availability (the CIA triad). But does that apply to all research data? WUR has quite a few different kinds of data. For example, WUR performs certain statutory research tasks [known as wettelijke onderzoekstaken, or WOT] for the government. If that WOT data ended up in the public domain, it would be headline news and lead to considerable reputational damage. But WUR also performs subsidized research that is ultimately made public. If it turns out that unintended changes can be made to this data, that could also be damaging. But it often doesn’t need to be kept in the same ‘safe’, as it were, as the WOT data.”

Photo: Anne Reinke

To get a picture of this and classify the various research datasets, workshops are being organized with the people responsible for the data, such as researchers. Arvid: “That not only gives us a clear overview of all the WUR data but also encourages the workshop participants to think about the value of that data. We get an answer to the question of whether we are handling that data in the right way. As a result, researchers and other staff responsible for data realize what can go wrong if they forget to run that backup or if they put the data on a USB stick. That awareness is crucial. A lot of people realize the data is important but they don’t have the incentive or right knowledge to handle it properly.”

One example of how to handle important data correctly is the electronic lab journal. Electronic lab journals let you record and process the information, data calculations, results and reports for your experiments in the lab, greenhouse or field in a structured way.

The more expensive your bike is, the more sophisticated the lock you buy

Photo: Guy Ackermans

In the past, laboratory technicians, researchers and analysts would make notes of their experiments in notebooks and on memo pads. Later, the data was spread more widely as it was processed and stored on PCs, laptops and various data carriers such as floppy disks, USB sticks and external hard drives. A recurring problem was the loss of research data when students and visiting academics took their notes and relevant data with them after completing their internships or research projects.

This was why the Bio-engineering chair group decided several years ago to start an electronic lab journal in conjunction with several other chair groups, business units and the WUR library. Since 2017, Jacques Davies has been the functional manager of ELabJournal/Inventory in the Plant Sciences Group, home of the Bio-engineering department. Jacques has experienced the loss of important data first hand as a researcher. “You lend someone your lab journal, then you want to look something up and can't remember who has it. Or that person has given the lab journal to someone else.” The chances of getting it back then are small, which makes checking or repeating an experiment tricky.

Easy to look up the data again

According to Jacques, the biggest advantage of storing data in an electronic lab journal is that it is easy to look up the experimental data and analyses again, and co-workers can also assess and use the data. “This exchangeability is important in making sure experiments are reliable and reproducible in follow-up studies, and for the continuity in an analysis lab.”

The electronic lab journal is secure: after the Maastricht University hack, ELabJournal/Inventory was transferred to the WUR network. Furthermore, a WUR server is used for data storage, which keeps the data accessible and available. “In addition, the data is backed up every 24 hours so you never lose more than one day’s work.”

Jacques Davies

More and more scientists within WUR are using ELabJournal

Classification can be learned

Arvid and his team are currently conducting workshops with all the groups. In those workshops, they discuss the impact of various scenarios – from the worst case to more minor situations – with the data owners. The impact is divided into four categories: negligible, some, serious and highly disruptive (see table) . To date, about 10 sessions have been held with employees with data responsibilities and another 10 are planned. The aim of these sessions is to classify all the WUR data. This will be worked out in a dedicated tool. Data owners will then be able to use that tool to review the data situation annually. Is this information still correct? Has anything changed or been added?

More info? Contact Arvid Landwaart.

Labjournal als datamanagementplan

PhD students have to write a data management plan that explains how they will handle the data and research results that they produce. If they use ELabJournal/Inventory, much of that required data management plan is already filled in for them. Katharina Hanika, a PhD student in Plant Breeding & Phytopathology, is due to defend her thesis on breeding tomato plants for resistance in December this year. She has acquired a lot of experience in working with ELabJournal and has run various workshops on the topic for colleagues internally and during a WUR data event. She talks about what the software has meant for her on the ELabJournal website.

It is therefore hardly surprising that more and more scientists within WUR are using ELabJournal. Jacques: “At present, about 20 chair groups and business units within WUR use it. I’ve counted nearly 700 currently active accounts. If staff and students who have left are included, over 1100 accounts have been configured.” Education Student Affairs (ESA) is now investigating how ELabJournal/Inventory could be incorporated in the teaching programme. As part of this, ESA is getting into contact with staff who teach practicals and would be willing to organize classes with ELabJournal/Inventory.

Arvid Landwaart calls the electronic lab journal a good example of how to handle research data responsibly. Arvid: “The data storage complies with the requirements of availability and integrity (the data is correct and complete). And the user can choose the degree of confidentiality. ELabJournal is also on the list of systems that are kept highly secure because we know how valuable the data is in this ELabJournal.”

FB-IT can use data classification to take the appropriate security precautions for the various datasets. In the future, Arvid hopes that the people responsible for the data themselves will say how valuable their data is, thereby classifying it. Arvid: “To get back to the bike metaphor: data classification means the person responsible for that data says what kind of a bike they have and how it should be protected. FB-IT can then provide the appropriate lock or help determine which lock would be best for that bike.”