Over the last two years, we have spent hundreds of hours working with individuals and departments mapping data processes in line with data protection compliance (EU GDPR Art.30). These data mapping exercises have highlighted many technical and operational security weaknesses that could impact on the rights and freedoms of individuals.
A common theme during the process mapping is the identification of shadow IT, often in the form of personally owned removable media and private cloud storage. The use of these storage devices/locations leave the school with dark data; unmanaged, unsecured data that is entirely outside of the school's control and governance.
In this ninth blog in the series which builds upon every stage of the NCSC's 10 Steps to Cyber Security, we outline how the use of removable media can be a significant risk to your school or organisation and describe how to significantly reduce the risk by the application of appropriate security controls and the management of removable media.
What are the risks associated with staff and students using removable media?
Removable media has always been an easy way for malware to be introduced to your computer and to the network. With raised awareness around data protection, more and more businesses realise that alongside possible infections, there is a high risk of accidental or deliberate loss of data that could lead to a reportable data breach. Ultimately the loss of data, whether through the accidental displacement of a USB drive or losing access to data through a ransomware attack, can severely damage an organisation's reputation, and in some cases lead to fines from local regulatory authorities. Types of removable media vary. In this blog, we are specifically talking about:
- Pen drives/thumb drives
- External hard drives/storage
- Memory cards/compact flashcards
- Digital cameras/smartphones
- DVD/CD ROM
Historically, removable media was used for ease of movement of data from device A to device B or the offline storage of data. While the use of these removable storage mediums is convenient, (often being small and portable), they all come with inherent security risks. We have seen many cases of data loss through misplaced or stolen portable media.
Another factor often overlooked is the use of personal mobile phones that are allowed to access and download school-owned data, and their association with private cloud accounts. Most phones will give the user the option, or by default synchronise local data to a users private cloud storage. Again, this cloud storage is not owned or managed by the school. We have seen several cases where photos taken on personal staff phones from school trips and events synchronise with private cloud storage. The school has no control over, or knowledge of who is accessing those storage areas, and when the member of staff leaves the school that data goes with them. In the photo scenario, this synchronisation is not only a data protection concern but more importantly, a child protection and safeguarding concern, potentially putting the member of staff and the student at risk. A risk assessment should be performed against any personally owned devices, especially those that inherently synchronise with private cloud storage solutions.
9ine are supporting schools around the world in the eventuality that they're required to provide school services remotely as a result of COVID-19. Download the Remote Learning Readiness Worksheet now.
These unknown, unmanaged and often unsecured devices are part of a school's shadow IT. Shadow IT is the name given to applications, devices or cloud storage locations used by individuals/departments that have not gone through a structured or validated school implementation process. This shadow IT holds dark data; uncontrolled copies of spreadsheets, documents, photos, all of which are no longer centrally managed by the school and now sit outside of any documented version control. When documents live in multiple places, this weakens not only the integrity of the school data (e.g. which document is accurate/up-to-date?) but undermines any security controls the school has in place to protect the confidentiality and availability of that data.
Ultimately, if you [the school] do not know where your data is, you will not be able to protect it against the loss of confidentiality, availability and integrity. Not knowing where your data is or who can access it is not a defensible position to be in after a data breach.
The use of removable media must be assessed within your organisation on a case by case basis. Any use of removable media should have a clearly defined business case and have the appropriate technical, and operational security controls applied.
What are the main reasons for the use of removable media?
At the beginning of this blog we mentioned that 9ine has assisted many schools with data mapping exercises. The main reasons outlined for the use of removable media from individuals/departments were:
- Ease of portability and access
- They have always done it this way
- No alternative mechanism provided
- Not knowing how to access the storage solutions remotely
- Not knowing where on the provided solution this data should be stored
- Lack of reliability on a cellular/data signal to access this data through the cloud/remote access solutions
- The data being saved is not personal/sensitive information
Some of the above reasons for removable media use are down to users circumnavigating policies and procedures that are put in place because they are too complicated, or no training has been provided. This circumvention leads to more shadow IT and dark data.
The above can be rectified by providing appropriate training and implementing alternative solutions to provide access, storage or movement of data.
If it is determined that there are clear benefits for the use of removable media by individual staff members or in a defined and documented process, the organisation should put the appropriate security controls in place. It’s important to document the use on the school risk log, along with any mitigating actions and the acceptance of the risk.
How can you reduce the risk associated with removable media?
- Provide the user with school-owned removable media
- Enforce encryption of removable media
- Where no encryption is available, train the users on what data types can be stored on the media and apply compensating security controls
- Disable the Auto run/Autoplay features on all removable media
- Ensure all devices actively scan for malware when any removable media is connected
- Install host-based Data Loss Prevention (DLP) software
- Provide managed iPads/Cameras/Other Medium for photos
- Add the asset to your asset management solution
- Assign the asset to the individual/department
- When users have finished with the removable media ensure it is securely wiped/formatted
- Define and issue a Removable Media and Devices Policy
Some of the above and below may seem obvious. However, the best practice is often not applied. The safe use of removable media should form part of bi-annual data protection and cyber security training alongside a clear policy that outlines the school's policy on the use of removable media. The organisation's policy should include (but not be limited to):
Do not plug unknown flash drives into school devices.
As well as the possibility of introducing a virus to the network hackers use USB devices (pen drives) to introduce other malware onto the network that can allow the attacker to gain a foothold on the network.
Do not use the same USB device for home and work computers.
This limits the possibility of spreading malware from your home PC to the school PC's (and visa-versa).
Enable security features such as encryption and additional authentication.
In the event of the loss or theft of your removable media, the data on the device has a greater chance of remaining secure.
Keep the software on your computer up-to-date as the update includes crucial patches for known vulnerabilities.
This helps to reduce the risk from known, patched malware.
Never leave removable media lying around even if encrypted.
This is part of a cultural shift, being more aware of the possible implications of lost data held on devices.
Report loss of removable media to the school Data Protection Team.
As soon as you are aware of the loss of data report it immediately to your school's data protection officer or lead. They will determine if the data loss is to be reported to the supervisory authority, in some countries there are strict time frames around reporting incidents and the benchmark for reporting to a supervisory authority, if required, is 72 hrs.
In summary, by eradicating (or minimising) and managing the use of removable media, you will be significantly reducing the organisation's risk profile in two crucial areas; the accidental loss of personal data, resulting in a data breach and the unintentional introduction of malware onto a computer or the network, which in some cases would also be reportable to the local data protection regulatory authority.
ABOUT THE AUTHOR:
Dan Cleworth has worked in education for over 20 years. He is a Senior Technical Consultant and certified GDPR practitioner. Dan heads up 9ine's cyber security team and currently works with schools in the UK, Europe and the Middle East to evaluate and secure systems and services to meet data protection and cyber security compliance.