Spring break. Conference season. Working from the patio. Mobility is part of university life, but every time you log in from a hotel, airport, coffee shop, or home network, you extend the university’s digital footprint beyond campus borders. That flexibility is powerful, but it is also a target.

Over the past year, universities nationwide have reported credential phishing, virtual private network (VPN) abuse, and the compromise of personal devices used to access institutional systems. Many of those incidents started the same way:

• A reused password.
• A rushed click on a fake HawkID login page.
• An unsecured home router.
• A device used for both personal browsing and sensitive research.

One compromised laptop can become a doorway into shared drives, research data, human resources systems, and medical or student records. Cybersecurity incidents affect more than one person. They can affect grants, compliance, reputation, and other students or staff.

Before travelling or working remotely

Pause to ask:

• What systems do I actually need access to?
• What type of data will I handle? Regulated research? Medical data? Student data? Human resources' records?
• Has my supervisor and unit human resources approved work arrangements?
• Does my role require review through the Research Integrity Office (RIO) or Compliance Office?

Remote access is not just a technical step. It is a business decision tied to regulatory requirements and data classification.

If you need remote connectivity:

• Use the university’s VPN or Citrix solutions.
• Utilize multi-factor authentication (MFA) where possible.
• Keep your device fully patched and updated before departure.
• Be mindful of where data is saved, do not store sensitive data locally.

For researchers handling export-controlled or regulated data, overseas travel may introduce additional legal considerations. Early coordination protects you and your work.

Why does it matter?

Small decisions off campus carry institutional consequences. A compromised remote device can pivot into the campus network. Attackers do not break down the front door; they wait for someone to bring them inside. Recent phishing campaigns targeting university accounts have impersonated staff to spam and phish, create fictitious voicemail notifications, adjust payroll direct deposit, and more. Their goal is simple: steal credentials and move quietly through trusted systems.

The impact goes beyond inconvenience:

• Exposure of research intellectual property.
• Regulatory violations (FERPA, HIPAA, GLBA, etc.)
• International Traffic in Arms Regulations (ITAR)/Export Administration Regulations (EAR) compliance risks.
• Loss of funding or reputational harm.

Take action

Work with your IT support staff to ensure the devices you are working from are managed centrally, and the system and software applications are regularly updated. Plan ahead for remote or international work.

If something feels off, an unexpected MFA push, an unfamiliar login alert, or a suspicious message, report it immediately. Contact the Information Security and Policy Office (ISPO) to report incidents or to discuss secure options that meet your academic, research, or business needs. Security is not about limiting flexibility; it’s about protecting the work that defines the university.

Wherever this spring takes you, take security with you.