Last updated: December 16, 2025
Research data is a valuable target for cyber threats. Whether you're working on campus, at home, or travelling internationally, these security practices form the foundation of protecting your work and Lakehead University's digital assets.
⚡ Quick Start: 7 Essential Actions
New to research security? Start here. These seven actions provide the strongest protection for the least effort.
🍁 Data Location Considerations: Certain research data may need to remain in Canada – examples include defence contracts, Controlled Goods, provincial health datasets, or where ethics approval specifies Canadian storage. Before storing sensitive research data on cloud services, consider whether your funding agreement, REB approval, or data classification requires Canadian-hosted solutions. Contact the Research Security and Data Management Specialist for guidance.
Important: These security measures are especially critical when travelling internationally or working with sensitive research data. Implement them before your next research trip.
Weak or reused passwords are one of the most common ways attackers gain access to accounts. A single compromised password can expose your research data, email, and university systems — especially if you use the same password across multiple accounts. The Canadian Centre for Cyber Security recommends using passphrases or complex passwords of at least 12 characters.
Use Passphrases: A passphrase is a sequence of mixed words (with or without spaces) that's easier to remember than random characters. Your passphrase should be at least 4 words and 15 characters. Example: Scan a room and describe what you see — "Closet lamp Bathroom Mug" becomes a strong, memorable passphrase.
Password Best Practices
All Lakehead systems (myEmail, myCourseLink, myInfo, WebAdmin, Library Proxy) require passwords that meet the Strong Password Standard. For maximum security:
- Minimum 12 characters — The Canadian Centre for Cyber Security recommends at least 12 characters. Longer is always better.
- Mixed case + numbers + symbols — Use uppercase (A-Z), lowercase (a-z), digits (0-9), and special characters (!@#$%^&*)
- Use a passphrase — String together 4+ random words ("correct-horse-battery-staple")
- Create an acronym — Turn a memorable phrase into a password. "My jersey number when I played soccer was 27!" becomes "Mj#wIpsw27!"
- Never reuse passwords — Use a different password for each account, especially sensitive ones like banking
Common Mistakes to Avoid
- No easily guessed passwords — Avoid "password", "let me in", "1234", or character substitutions like "p@ssword"
- No personal details — Don't use birthdays, hometowns, pet names, or information from social media
- Never use "Lakehead" — Don't include "Lakehead", "LU", "Thunderwolves", or any variation in your password — attackers target these first
- No common expressions — Avoid song lyrics, movie titles, or famous quotes
- No vendor defaults — Always change passwords assigned by hardware or software vendors
- Don't enter passwords on public Wi-Fi — Wait until you're on a secure network or use VPN
- Never share passwords — Don't give out passwords online, over the phone, or even to family
The Problem with Password Reuse: Attackers use "brute force" (trying common passwords) and "rainbow tables" (precompiled password lists) to crack short or simple passwords. Shorter passwords are much easier to hack. Using lengthy passphrases or complex passwords makes it significantly harder for threat actors to access your accounts.
Data breaches happen constantly, and your email address may already be exposed. Use this free service to check:
➤ Have I Been Pwned? — Enter your email to see if it appears in known breaches.
If your email shows up, change the password for that account immediately — and any other accounts where you used the same password.
Get Future Alerts: Sign up for "Notify Me" to receive alerts about future breaches.
A password manager stores all your passwords securely and generates strong, unique passwords for each account. You only need to remember one master password.
How it works: The manager stores credentials in an encrypted vault, auto-fills passwords on websites, generates random strong passwords, and syncs across all your devices.
Trusted password managers:
- Bitwarden — Free, open-source, highly regarded
- 1Password — Popular paid option with excellent usability
- Google Password Manager — Built into Chrome (already in your Lakehead Google account)
Next Step: Now that you have strong passwords, add a second layer of protection with Two-Factor Authentication (Section 2).
Two-factor authentication (2FA) adds a second layer of security beyond your password. Even if someone steals your password, they cannot access your account without the second factor. The Canadian Centre for Cyber Security strongly recommends 2FA for all accounts.
Important — Three Areas to Secure: You need to enable 2FA in multiple places to be fully protected:
- 1. Duo Security — Protects all Lakehead Single Sign-On (SSO) services (myInfo, D2L, library resources, and any software that uses your Lakehead login)
- 2. Google 2-Step Verification — Protects your Lakehead Google account (Gmail, Drive, Calendar) separately from Duo
- 3. Other Software & Services — Manually enable 2FA on any other accounts you use (personal email, banking, social media, research tools)
How SSO Works: When you log into any service or software using your Lakehead account credentials (Single Sign-On), Duo Security will prompt you for 2FA. This includes D2L, library databases, Microsoft 365, and many research tools. If you see a Lakehead login page, Duo is protecting that service.
A. Duo Security (Lakehead SSO Systems)
Lakehead uses Duo Security for two-factor authentication on all university Single Sign-On (SSO) systems. Any service or software that authenticates through your Lakehead account is protected by Duo. You have three options depending on what device you want to use:
- Built-in Computer: Windows Hello (fingerprint, face, or PIN — recommended if available)
- Phone: Duo Mobile app
- USB Key: YubiKey (physical security key)
Configure at least two authentication methods to avoid being locked out if you lose a device.
- 1. Go to lakeheadu.login.duosecurity.com/devices
- 2. Log in with your Lakehead username and password
- 3. Accept the 2FA enrolment terms and click Submit
- 4. Click Next through the Welcome screens
- 5. Select your authentication method:
  - Windows Hello — Uses your computer (recommended if available)
  - Duo Mobile — Uses your phone
  - Security Key — Uses a YubiKey (USB)
Windows Hello uses security features built into your Windows computer — no phone or external device needed. If your computer has a fingerprint reader, facial recognition camera, or you've set up a Windows PIN, you can use it as your second factor.
First, ensure Windows Hello is set up on your computer:
- 1. Go to Settings → Accounts → Sign-in options
- 2. Set up at least one Windows Hello method:
  - Fingerprint recognition (if your device has a fingerprint reader)
  - Facial recognition (if your device has a Windows Hello camera)
  - PIN (available on all Windows devices)
Then, add Windows Hello to Duo:
- 1. Go to lakeheadu.login.duosecurity.com/devices
- 2. Click Add a device
- 3. Select Windows Hello (marked as "Recommended" if your computer supports it)
- 4. Authenticate with your fingerprint, face, or PIN when prompted
- 5. Name the device (e.g., "Work Laptop - Windows Hello")
Why use Windows Hello? No phone required, no USB key to carry. Just use your fingerprint, face, or PIN when Duo prompts you. Fast and convenient if you primarily work from one computer.
Important: Windows Hello only works on the specific computer where it's registered. Set up Duo Mobile as a backup for when you're on other devices or travelling.
Duo Mobile is a free app for your smartphone. When you log in, you'll receive a push notification to approve — or you can use a one-time code if you're offline.
Download Duo Mobile: Android | iOS
- 1. Select Duo Mobile during setup
- 2. Open the app on your phone and press + Add
- 3. Select Use QR code and scan the code on your computer screen
Travel Tip: Duo Mobile works offline using one-time codes — ideal for international travel when you may not have cell service.
A YubiKey is a small physical security key that plugs into your computer's USB port. When Duo prompts you, simply touch the key to authenticate.
- 1. Select Security Key during setup
- 2. Plug your YubiKey into a USB port and click OK
- 3. Touch the gold contact on the key when prompted
Interested in a YubiKey? Contact the TSC Desktop team to see if they have any available.
Need help? See the full Duo Setup Guide or contact TSC.
B. Google 2-Step Verification (Lakehead Google Account)
Your Lakehead Google account (@lakeheadu.ca) has its own 2-Step Verification that is separate from Duo.
- 1. Go to myaccount.google.com/security (sign in with @lakeheadu.ca)
- 2. Under "Signing in to Google," click 2-Step Verification
- 3. Click Get Started and re-enter your password
- 4. Choose your method: Google Prompts (recommended), Security Key, or Authenticator App
- 5. Follow the prompts to complete setup
- 6. Add a backup method (recovery phone or backup codes)
Save Your Backup Codes: Google will offer backup codes during setup. Save these somewhere secure — they can unlock your account if you lose your phone.
C. Other Software & Services
Beyond Lakehead systems and Google, you should enable 2FA on every other account that supports it. This includes personal email, banking, social media, cloud storage, and any research tools or databases you use.
Common Services with 2FA Options
- Microsoft/Office 365 — Settings → Security → Two-step verification
- Dropbox — Settings → Security → Two-step verification
- GitHub — Settings → Password and authentication → Two-factor authentication
- Apple ID — Settings → [Your name] → Password & Security → Two-Factor Authentication
- Banking & Financial — Check your bank's security settings (most now require 2FA)
- Social Media — Facebook, LinkedIn, Twitter/X all offer 2FA in security settings
Be Secure Everywhere: Take time to review all your accounts and enable 2FA wherever available. Check 2fa.directory to see if a specific service supports two-factor authentication.
Data protection involves multiple layers: encrypting devices and files, transferring data securely, and using end-to-end encryption for sensitive communications. This section covers all aspects of keeping your research data safe.
When Do You Need Extra Protection?
- Device encryption — Always (protects if laptop is stolen)
- File encryption — When sharing sensitive files via cloud services
- E2EE communications — For sensitive conversations, especially when travelling
A. Protect Your Devices
Full-disk encryption ensures that if your laptop is lost or stolen, your data cannot be accessed without your password. This is essential for protecting research data.
- 1. Open Settings → Privacy & security → Device encryption
- 2. Turn on Device encryption (or search for "BitLocker" and enable it)
- 3. Save your recovery key — Print it or save to your Lakehead Google Drive
Important: If something goes wrong and you have lost your recovery key, you cannot access your data. Save it somewhere secure but accessible to you.
- 1. Open System Settings → Privacy & Security
- 2. Scroll to FileVault and click Turn On
- 3. Choose how to unlock: iCloud account or recovery key
- 4. If using recovery key, save it somewhere secure
Note: On newer Macs with Apple Silicon (M1/M2/M3), encryption is enabled by default. FileVault adds an extra layer by protecting the encryption key with your login password.
External drives should be encrypted, especially if they contain research data.
Windows:
- 1. Right-click the drive in File Explorer → Turn on BitLocker
- 2. Choose Use a password to unlock the drive
- 3. Save the recovery key, then encrypt
Mac:
- 1. Right-click the drive in Finder → Encrypt
- 2. Set a password and hint
- 3. Wait for encryption to complete
Cross-Platform Note: BitLocker-encrypted drives may not be readable on Mac. If you need to use the drive on both, consider using VeraCrypt (free, works on both platforms).
B. Protect Files in the Cloud
Google Drive encrypts files during transfer and storage, but Google (and potentially US authorities under the CLOUD Act) can access the contents. For sensitive research files, add your own encryption before uploading.
Encrypt files before uploading to Google Drive if they contain:
- Human subjects data or identifiable personal information
- Unpublished research findings
- Industry partner confidential information
- Grant applications or proposals in progress
- Anything covered by an NDA or data sharing agreement
For everyday files (lecture notes, general correspondence, non-sensitive drafts), Google Drive's built-in encryption is sufficient.
Choose the method that matches your situation:
📁 Windows Only — 7-Zip (Best for Most Users)
Download 7-Zip — Free, open-source, creates AES-256 encrypted archives.
- 1. Right-click file(s) → 7-Zip → Add to archive...
- 2. Set Archive format to 7z
- 3. Under Encryption, enter a strong password
- 4. Set Encryption method to AES-256
- 5. Click OK, then upload the .7z file to Google Drive
- 6. To decrypt: Download and right-click → 7-Zip → Extract Here, enter password
📁 Cross-Platform — Password-Protected ZIP (Mac to Windows or Vice Versa)
Use this method when sharing between Mac and Windows users. Creates a .zip file anyone can open.
On Mac (Terminal):
- 1. Open Terminal (Applications → Utilities → Terminal)
- 2. Type: `zip -er ~/Desktop/encrypted.zip` then drag your file/folder into the Terminal window
- 3. Press Enter
- 4. Enter a password when prompted (you won't see it as you type)
- 5. Re-enter password to verify
- 6. Find `encrypted.zip` on your Desktop
- 7. Upload to Google Drive and share the password separately
On Windows (7-Zip):
- 1. Right-click file/folder → 7-Zip → Add to archive...
- 2. Set Archive format to zip (instead of 7z)
- 3. Enter password under Encryption
- 4. Click OK, then upload to Google Drive
To Decrypt:
Download the .zip file and double-click it. Enter the password when prompted. Works on both Windows and Mac without additional software.
📄 Office Documents Only (Word, Excel, PowerPoint)
Microsoft Office has built-in AES-256 encryption:
- 1. Open your document in Word, Excel, or PowerPoint
- 2. Go to File → Info → Protect Document → Encrypt with Password
- 3. Enter a strong password and click OK
- 4. Save the file, then upload to Google Drive
- 5. To decrypt: Download and open the file — enter password when prompted
Sharing the Password Securely:
Never send the password in the same email or message as the file link. Use a separate channel:
- Best: Phone call or Signal message
- Acceptable: Separate email (not in the same thread as the file)
- In person: Tell them directly
Remember: If you lose the password, the files cannot be recovered. Store passwords securely using a password manager.
C. Protect Files You're Sharing
Good News: If you share files using email attachments or Google Drive, your transfers are already encrypted in transit. You don't need special tools for everyday file sharing.
You need secure file transfer tools (SFTP) when uploading to research servers or computing clusters, transferring large datasets, or working with servers that require direct file access.
Recommended tools:
- Windows: WinSCP — Two-panel drag-and-drop interface
- Mac: Cyberduck — Simple Finder-like interface
To connect:
- 1. Open the SFTP application
- 2. Click New Connection
- 3. Select SFTP as the protocol
- 4. Enter server address, username, and password
- 5. Click Connect
- 6. Drag files to transfer
Important: Always choose SFTP, not FTP. Regular FTP sends your password and files without encryption.
D. Protect Your Communications
End-to-End Encryption (E2EE) ensures that only you and your recipient can read messages or access content. Not even the service provider can see the content.
For sensitive conversations with collaborators, especially when travelling or communicating outside institutional systems:
- Signal — Gold standard for secure messaging. Free and open-source. Works offline.
- WhatsApp — Uses Signal's encryption protocol. Convenient if collaborators already use it.
Lakehead's Zoom allows users to enable End-to-End Encryption (E2EE) for meetings that require extra security. When E2EE is enabled, the encryption keys are generated on participants' devices — not Zoom's servers — so even Zoom cannot access your meeting content.
Step 1: Enable E2EE in Your Zoom Settings
- 1. Sign in to the Zoom web portal
- 2. Go to Settings (Left Sidebar) → Meeting (Top Menu) → Security (Nested Left-Sidebar)
- 3. Scroll to "Allow use of end-to-end encryption" and toggle it ON
- 4. Under Default encryption type, leave as "Enhanced encryption" (recommended for everyday meetings)
Step 2: Schedule an E2EE Meeting
- 1. When scheduling a new meeting, look for the Encryption option near the bottom of the Meeting Details page
- 2. Select "End-to-end encryption" instead of "Enhanced encryption"
- 3. Schedule the meeting as normal
Verifying E2EE is Active
Look for the green shield icon with a checkmark in the top-left corner of your meeting window. Click it to view security codes that participants can verify match.
E2EE Limitations: When E2EE is enabled, these features are disabled:
- Cloud recording
- Live transcription & AI Companion features
- Zoom Whiteboard
- Streaming
- Polling
- Join before host
- Browser joining (participants must use Zoom app)
- Phone dial-in participants will NOT be E2EE protected
- Zoom Rooms & H.323/SIP devices — Cannot connect to E2EE meetings
Practical note: E2EE works well when everyone joins from laptops or mobile devices. It won't work if some participants are in a boardroom or classroom using Zoom Room equipment.
Learn more: Zoom E2EE FAQ | Full setup guide & limitations
Recommendation: Use E2EE only for sensitive meetings where extra protection is needed. For everyday meetings, "Enhanced encryption" is sufficient and preserves all Zoom features.
Remember: Encryption protects files while stored and in transit. Also back up your data — encryption doesn't protect against hardware failure.
A reliable backup strategy protects your research from hardware failure, theft, ransomware, or accidental deletion. Follow the 3-2-1 rule to ensure you never lose important work.
The 3-2-1 Backup Rule
- 3 copies of your important data
- 2 different storage types (e.g., cloud + physical drive)
- 1 copy offsite (separate location from your primary workspace)
| Option | Storage | Notes |
|---|---|---|
| Google Drive | 100GB | Your Lakehead account (US-hosted) |
| Nextcloud | 100GB | Canadian-hosted, request through Digital Research Alliance |
| External Drive | Unlimited | You provide; encrypt before use |
Total cloud storage available: 200GB — For larger datasets, you'll need to rely more on external drives.
| Copy | Where | How Often |
|---|---|---|
| Working copy | Your laptop | Daily work |
| Backup 1 | Google Drive or Nextcloud | Upload weekly |
| Backup 2 | Encrypted external drive | Update weekly, store in locked cabinet |
This gives you: 3 copies, 2 storage types (cloud + physical), and 1 offsite (cloud).
Google Drive for Desktop syncs files between your computer and the cloud. This is convenient, but it changes your backup math.
Important: When sync is enabled, your laptop and Google Drive contain the same files. If you delete something locally, it deletes from Google Drive too. This counts as one copy, not two.
If you use Google Drive for Desktop, your backup strategy becomes:
| Copy | Where |
|---|---|
| Working copy | Laptop + Google Drive (synced together) |
| Backup 1 | Nextcloud (upload manually) |
| Backup 2 | Encrypted external drive |
If you want Google Drive as a backup: Don't install the desktop app. Upload files manually through your browser instead.
What to buy:
- Size: 1TB or larger
- Type: Portable SSD (faster, more durable) or portable HDD (more affordable)
- Connection: USB 3.0 or USB-C
Keep it secure:
- Encrypt the drive before storing data — see Encrypt USB Drives & External Storage
- Store in a locked cabinet in your office when not in use
- Don't leave it plugged in continuously (protects against ransomware)
Ransomware Protection: Ransomware encrypts all connected drives. Keeping your backup drive unplugged and stored separately means you can recover without paying.
Schedule reminders:
- Set a weekly or bi-weekly calendar reminder: "Back up research files"
- Monthly: "Test backup — try opening a file from your backup drive"
Key moments to back up:
- Before travel
- Before major analysis
- At project milestones
- End of semester
Optional — Automate external drive backups:
- Windows: File History can automatically back up when your drive is connected (Settings → Update & Security → Backup)
- Mac: Time Machine does the same (System Settings → General → Time Machine)
Some research data must remain in Canada. This includes:
- Certain ethics approvals that specify Canadian storage
- Provincial health data
- Indigenous data governance agreements
- Some federal grant requirements
Use Nextcloud (through the Digital Research Alliance) instead of Google Drive for these files — Nextcloud servers are located in Canada.
Not sure if your data requires Canadian hosting? Contact the Research Security and Data Management Specialist.
Simply deleting files or formatting a drive does not remove your data — it can be recovered with basic tools. Before disposing of, donating, or repurposing any storage device, you must securely erase all data.
Windows — Eraser (TSC-recommended):
- 1. Download and install Eraser
- 2. Right-click the file(s) you want to erase
- 3. Select Eraser → Erase
- 4. To wipe previously deleted files, use Erase Unused Space
Mac — Disk Utility:
- 1. Open Disk Utility
- 2. Select the drive in the sidebar
- 3. Click Erase
- 4. Click Security Options
- 5. Choose the number of passes (more = more secure)
- 6. Click Erase
SSD Limitation: SSDs use "wear leveling" which distributes data across the drive — traditional overwrite methods can't guarantee complete erasure. For highly sensitive data on SSDs, physical destruction may be required. Contact TSC for secure disposal services.
A VPN creates a secure encrypted connection and lets you access campus resources from anywhere. Lakehead University uses FortiClient VPN.
When to Use the VPN
- Always when using public Wi-Fi (airports, hotels, cafes, conferences)
- Always when travelling internationally
- When accessing campus resources (library databases, internal systems, network drives)
- When handling sensitive research data remotely
Download FortiClient: Windows & Mac | Android | iOS
Windows/Mac Configuration:
- 1. Launch FortiClient and click Configure VPN
- 2. Select SSL-VPN
- 3. Enter: Connection Name: LU SSL | Remote Gateway: vpn.lakeheadu.ca | Port: 10443
- 4. Click Apply, then enter your Lakehead credentials to connect
Mobile: Enter server address vpn.lakeheadu.ca and your Lakehead credentials.
Windows Users: "Power saving mode" can disconnect your VPN. Disable this feature or use a wired connection for long sessions.
Before You Travel: Test your VPN from a non-campus network. Some countries block VPNs — check travel advisories.
Need help? See the full FortiClient VPN setup guide or contact TSC.
A stolen or unattended laptop can expose all your research data, saved passwords, and university access — even with strong passwords.
Physical Security Best Practices
- Enable automatic screen lock — Quick lock: Windows Win + L | Mac Control + Command + Q
- Never leave devices unattended — Not in coffee shops, libraries, or conference venues
- Keep devices in sight when travelling — Carry laptops in hand luggage
- Be aware at conferences — Theft at academic conferences is common
- 1. Report immediately to TSC
- 2. Change your passwords — Especially Lakehead account and saved accounts
- 3. Enable remote wipe — Windows: Find My Device | Mac: Find My | Mobile: Find My iPhone/Android
- 4. File a police report — Especially for university-owned equipment
- 5. Notify your supervisor if research data was on the device
Outdated software is one of the easiest ways for attackers to compromise your system. Security updates patch known vulnerabilities — delaying updates leaves you exposed.
Enable Automatic Updates
- Windows: Settings → Windows Update → Turn on automatic updates
- Mac: System Settings → General → Software Update → Enable automatic updates
- Browsers: Chrome, Firefox, Edge update automatically — don't ignore restart prompts
Simple Rule: When your computer asks you to restart for updates, do it. Don't click "Remind me later" repeatedly.
The software you install can be a security risk. Malicious software can steal your data or give attackers access to your system. Always use software from trusted sources.
TSC-Approved Software Resources
- Software Available — SPSS, MATLAB, ArcGIS Pro, NVivo, and more
- TSC Recommended Software — Vetted free tools for common tasks
Avoid Untrusted Software: Software from unknown websites, torrent sites, or unofficial sources may contain malware — even if it appears to work normally. Avoid pirated software.
Phishing is the #1 way attackers gain access to university systems. These messages use fear or urgency to trigger an impulsive reaction, often luring you to fraudulent websites that mimic legitimate ones. For detailed guidance, see Lakehead's Phishing Guide and Safe Computing Guidelines.
Email Spoofing: Attackers can alter email headers to make messages appear to come from @lakeheadu.ca addresses. Always check the actual sender address (not just the display name) and report suspicious emails to the TSC Helpdesk.
Red Flags: Phishing vs Legitimate Email
- Greetings — Legitimate emails are personalized; phishing may use generic or strange greetings
- Spelling & grammar — Phishing emails often contain errors
- Urgency or threats — "Your account will be suspended" or "Immediate action required"
- Hidden links — Hover over links to see the actual URL before clicking
- Personal info requests — Legitimate organizations don't ask for passwords via email
- Sender address — Check if the email address matches the sender's claimed identity
- Fake conference invitations — Impersonating legitimate conferences
- Journal submission scams — Fake peer review requests or publication fees
- Collaboration requests — Emails appearing to be from other institutions
- IT impersonation — "Your mailbox is full" or "Verify your account"
- Grant scams — Fake funding opportunities requesting information
If you receive a phishing attempt, TSC wants to know about it. Follow these steps:
- 1. Don't click any links or download attachments
- 2. Download the email as .eml file: Click the "More" icon (⋮) beside Reply → Select Download message
- 3. Send to TSC: Email the .eml file to spam@lakeheadu.ca
- 4. Report in Gmail: Click the "More" icon (⋮) → Select Report phishing
- 5. Delete the email after reporting
If you clicked a link or entered credentials, see Section 12: Incident Reporting immediately.
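The sender checks described above can be applied to a downloaded .eml file with a short script. This is an added example, not Lakehead or TSC tooling; the sample message, its addresses and the finding names are constructed for illustration, and only lakeheadu.ca comes from this page.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_DOMAIN = "lakeheadu.ca"  # the university domain named on this page

# Constructed sample (not a real message): the From line claims the
# university, but replies are diverted and authentication failed.
SAMPLE_EML = '''\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org;
 spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none;
 dmarc=fail header.from=lakeheadu.ca
From: "TSC Helpdesk" <helpdesk@lakeheadu.ca>
Reply-To: "TSC Helpdesk" <tsc.helpdesk@freemail.example.com>
To: researcher@lakeheadu.ca
Subject: Your mailbox is full - verify your account
Content-Type: text/plain; charset="utf-8"

Immediate action required.
'''


def domain_of(address):
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rpartition("@")[2].strip().lower() if "@" in address else ""


def in_trusted_domain(domain):
    """True for the trusted domain itself or any of its subdomains."""
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)


def sender_findings(raw_eml):
    """Return a list of sender-related warning labels for one message."""
    msg = message_from_string(raw_eml, policy=policy.default)
    findings = []

    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)

    # 1. The display name shows an address that is not the real sender.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if shown and shown.group(1).lower() != from_dom:
        findings.append("display-name-shows-different-address")

    # 2. Replies would go to a different domain than the visible sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("reply-to-domain-differs")

    # 3. Envelope sender differs. Bulk mailers do this legitimately, so
    #    treat it as a reason to look closer, not as proof.
    _, bounce_addr = parseaddr(str(msg.get("Return-Path", "")))
    if bounce_addr and domain_of(bounce_addr) != from_dom:
        findings.append("return-path-domain-differs")

    # 4. SPF/DKIM/DMARC verdicts recorded by the receiving server. Only the
    #    header added by your own mail provider is trustworthy.
    auth = " ".join(str(v) for v in msg.get_all("Authentication-Results", []))
    results = {}
    for mech in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{mech}=(\w+)", auth, re.IGNORECASE)
        if match:
            results[mech] = match.group(1).lower()
            if results[mech] != "pass":
                findings.append(f"{mech}-{results[mech]}")

    # 5. A From address in the trusted domain that DMARC did not confirm.
    if in_trusted_domain(from_dom) and results.get("dmarc") != "pass":
        findings.append("from-domain-unauthenticated")

    return findings


if __name__ == "__main__":
    for finding in sender_findings(SAMPLE_EML):
        print(finding)
```
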
Phishing sites mimic legitimate websites. Look for these warning signs:
- No HTTPS — Missing padlock icon or "https://" in address bar
- Misspelled domain — "lakeheadu.ca" vs "lakehead-u.ca" or "lakeheadu.com"
- Broken functionality — Links that don't work or go to different sites
- Unusual requests — Asking for information the real site already has
- Browser errors — Certificate warnings or loading errors
Tip: When in doubt, don't click links in emails. Instead, go directly to the website by typing the address in your browser.
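The domain and HTTPS warning signs above can be checked mechanically before a link is opened. This is an added example, not Lakehead or TSC tooling; the warning labels and the example.net hosts are constructed, and it goes slightly beyond the page's two misspellings by also catching the real name used as a subdomain or placed before an "@". It assumes the registrable domain is the last two labels of the hostname, which is true for lakeheadu.ca but not for every suffix.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "lakeheadu.ca"  # the real domain named on this page


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def link_warnings(url):
    """Return warning labels for a link; an empty list means none fired."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    warnings = []

    if parts.scheme.lower() != "https":
        warnings.append("not-https")

    # Text before '@' is a username, not the site: in
    # https://lakeheadu.ca@portal.example.net/ the host is portal.example.net.
    if "@" in parts.netloc:
        warnings.append("userinfo-before-host")

    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return warnings

    warnings.append("not-university-domain")
    labels = host.split(".")

    # Internationalised hostnames can render as look-alike characters.
    if any(label.startswith("xn--") for label in labels):
        warnings.append("punycode-hostname")

    # The real name appears, but only as a subdomain of another domain.
    if host.startswith(TRUSTED_DOMAIN + ".") or "." + TRUSTED_DOMAIN + "." in host:
        warnings.append("trusted-name-as-subdomain")

    # Assumption: registrable domain = last two labels (no public suffix list).
    candidate = ".".join(labels[-2:])
    name, _, tld = TRUSTED_DOMAIN.partition(".")
    if candidate.replace("-", "") == TRUSTED_DOMAIN:
        warnings.append("extra-hyphen")          # e.g. lakehead-u.ca
    elif labels[-2:-1] == [name] and labels[-1] != tld:
        warnings.append("wrong-tld")             # e.g. lakeheadu.com
    elif edit_distance(candidate, TRUSTED_DOMAIN) <= 2:
        warnings.append("near-miss-spelling")

    return warnings


if __name__ == "__main__":
    # Constructed sample links, including the two misspellings from this page.
    for link in ("https://www.lakeheadu.ca/research",
                 "https://lakehead-u.ca/login",
                 "https://lakeheadu.com/",
                 "http://lakeheadu.ca.login.example.net/",
                 "https://lakeheadu.ca@portal.example.net/"):
        print(link, link_warnings(link))
```
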
Why 2FA Matters: With Two-Factor Authentication enabled, even if you enter your password on a phishing site, attackers can't access your account without your second factor.
For more information, visit the RCMP Canadian Anti-Fraud Centre.
USB drives can carry malware that infects your computer the moment they're plugged in. Attackers deliberately leave infected drives in public places.
The Risk: A USB drive can execute malicious commands instantly or run malware automatically when connected. This attack is so effective that it's used by nation-state actors targeting researchers.
USB Safety Rules
- Never plug in USB drives you find — In parking lots, conference venues, or anywhere
- Be cautious with conference swag — Free USB drives may not be safe
- Use your own trusted devices — Don't let them out of your control
- Prefer cloud sharing — Use Google Drive or email instead of physical drives
If something goes wrong — or you think something might have — report it. Quick reporting allows TSC to contain damage, protect others, and help you recover.
The Rule: When in doubt, report. There's no penalty for reporting something that turns out to be nothing. There can be serious consequences for not reporting something real.
- Clicked a suspicious link or opened a suspicious attachment
- Entered credentials on a website you now suspect was fake
- Lost or stolen device (laptop, phone, USB drive)
- Unusual account activity — logins you don't recognize, emails you didn't send
- Unexpected software or pop-ups
- Accidentally shared sensitive data to wrong recipient
- Anything that seems "off" — trust your instincts
How to Report
IT security incidents:
- TSC Helpdesk: Contact TSC or submit a ticket
- Phishing: Forward to spam@lakeheadu.ca
Research security concerns:
AI tools like ChatGPT, Microsoft Copilot, Google Gemini, and Claude are increasingly used in research. However, these tools pose significant data security risks that researchers must understand.
Critical Warning: When you input data into most AI tools, that data may be stored on foreign servers, used to train future AI models, and potentially accessible to the service provider. Assume anything you put into an AI tool could become public.
What NOT to Put in AI Tools
- Unpublished research data or findings — Your competitive advantage disappears if in a training dataset
- Grant applications — Contains your research plans and institutional information
- Human subjects data — Even "anonymized" data may be re-identifiable
- Proprietary information from industry partners — May violate NDAs
- Sensitive technology research — Anything in STRAC-designated areas
- Student records or personal information — Violates FIPPA
- Code containing credentials or API keys
Most major AI tools process data on US servers. This creates issues with:
- US legal jurisdiction — Data subject to US government access requests (CLOUD Act)
- Grant compliance — Many federal grants require data to remain in Canada
- Indigenous data governance — May prohibit foreign data processing
- STRAC requirements — Sensitive technology research has strict protocols
- 1. Would I post this on a public website? If not, don't put it in an AI tool.
- 2. Does my grant have data residency requirements?
- 3. Is this covered by an NDA or confidentiality agreement?
- 4. Does this involve human subjects?
- 5. Is this in a STRAC-designated sensitive technology area?
- 6. Could this harm someone if it became public?
Safe Uses for AI Tools: General concepts, brainstorming without specifics, checking grammar on non-sensitive text, learning programming syntax. Treat them like a public conversation.
Questions about AI tool use? Contact the Research Security and Data Management Specialist for guidance.
Need Help?
For assistance with any of these cybersecurity practices:
- TSC Helpdesk: Contact TSC Support
- Research Security: Research Security and Data Management Specialist
