When we think about cybersecurity, most of us picture external hackers trying to break in. But some of the most significant incidents begin with trusted individuals inside our community, often unintentionally.
These incidents don’t always involve malicious behavior. More often they happen because someone tried to help a colleague in a hurry, shared information the wrong way, or simply didn't recognize a risky situation. As we trust and collaborate with colleagues, it is easy to overlook how everyday actions can open the door to serious consequences.
The human side of risk
What makes these incidents so challenging is that they often stem from honest mistakes.
- A worker saving sensitive research data to a personal USB drive.
- A staff member forwarding confidential documents to a personal email to work from home.
- A researcher sharing research data with unapproved external partners without realizing it falls under export control rules.
These ordinary actions can have extraordinary impacts on privacy, compliance, and our university’s reputation. Recognizing these risks is not about suspicion or blame. It’s about building awareness and shared responsibility to keep the university safe.
Lessons from the past
Everyone has a role to play in safeguarding institutional data. Here are some key best practices:
- Pause before sharing. Think about who really needs access and use university-approved storage and collaboration tools (OneDrive, SharePoint, etc.).
- Be alert for suspicious behavior. Red flags include unexpected data requests, pressure to bypass security processes, or colleagues accessing information unrelated to their role.
- Be mindful of regulations and industry standards such as the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and applicable export control requirements, which apply directly to handling student, health, financial, and research data.
- Choose security over convenience by resisting shortcuts like using personal email or portable devices to transfer or store sensitive data.
- When in doubt, ask. Reach out to the Information Security and Policy Office or the Compliance Office before acting.
Working together
Addressing human risk is about supporting each other. By staying alert and intentional in how we handle data, we strengthen the security of the entire university community.
If you notice unusual activity or experience an IT security incident, report it immediately to the Information Security and Policy Office so it can be investigated and mitigated. If your department needs help understanding data-protection policies or security best practices, email it-security@uiowa.edu for support.