Over the last two years, we have spent hundreds of hours working with individuals and departments mapping data processes in line with data protection compliance (EU GDPR Art. 30). These data mapping exercises have highlighted many technical and operational security weaknesses that could impact the rights and freedoms of individuals.
A common theme during the process mapping is the identification of shadow IT, often in the form of personally owned removable media and private cloud storage. The use of these storage devices and locations leaves the school with "dark data": unmanaged, unsecured data that sits entirely outside the school's control and governance.
In this ninth blog in the series, which builds on each stage of the NCSC's 10 Steps to Cyber Security, we outline how the use of removable media can pose a significant risk to your school or organization, as well as how to significantly reduce the risk through the implementation of appropriate security controls and removable media management.
Removable media has always been an easy way for malware to be introduced to your computer and to the network. With increased awareness around data protection, more and more businesses realise that, alongside possible infections, there is a high risk of accidental or deliberate loss of data that could lead to a reportable data breach. Ultimately, the loss of data, whether through the accidental displacement of a USB drive or losing access to data through a ransomware attack, can severely damage an organisation's reputation and, in some cases, lead to fines from local regulatory authorities. Types of removable media vary. In this blog, we are specifically talking about:
Pen drives/thumb drives
External hard drives/storage
Memory cards/CompactFlash cards
Digital cameras/smartphones
DVD/CD-ROM
Historically, removable media was used to move data easily from device A to device B or to store data offline. While these removable storage media are convenient (often because they are small and portable), they all come with inherent security risks. We have seen many cases of data loss through misplaced or stolen portable media.
Another factor often overlooked is the use of personal mobile phones that are allowed to access and download school-owned data, and the association of those phones with private cloud accounts. Most phones either offer the user the option to sync local data to private cloud storage or do so by default. Again, this cloud storage is not owned or managed by the school. We have seen several cases where photos taken on personal staff phones at school trips and events synchronise with private cloud storage. The school has no control over, or knowledge of, who is accessing those storage areas, and when a member of staff leaves the school, that data goes with them. In the photo scenario, this synchronisation is not only a data protection concern but, more importantly, a child protection and safeguarding concern, potentially putting the member of staff and the student at risk. A risk assessment should be performed against any personally owned devices, especially those that inherently sync with private cloud storage solutions.
These unknown, unmanaged, and often unsecured devices are part of a school's shadow IT. Shadow IT is the name given to applications, devices, or cloud storage locations used by individuals or departments that have not gone through a structured or validated school implementation process. This shadow IT holds dark data: uncontrolled copies of spreadsheets, documents, and photos, none of which are centrally managed by the school and all of which now sit outside any documented version control. When documents live in multiple places, this not only weakens the integrity of the school's data (e.g., which document is accurate and up to date?) but also undermines any security controls the school has in place to protect the confidentiality and availability of that data.
Ultimately, if you [the school] do not know where your data is, you will not be able to protect it against the loss of confidentiality, availability, and integrity. Not knowing where your data is or who can access it is not a defensible position to be in after a data breach.
The use of removable media must be assessed within your organisation on a case-by-case basis. Any use of removable media should have a clearly defined business case and have the appropriate technical and operational security controls applied.
At the beginning of this blog, we mentioned that 9ine has assisted many schools with data mapping exercises. The main reasons outlined for the use of removable media by individuals and departments were:
Some of the above reasons for removable media use come down to users circumventing policies and procedures, either because those policies are too complicated or because no training has been provided. This circumvention leads to more shadow IT and dark data.
The above can be rectified by providing appropriate training and implementing alternative solutions to provide access, storage, or movement of data.
If it is determined that there are clear benefits to the use of removable media by individual staff members or in a defined and documented process, the organisation should put the appropriate security controls in place. It’s important to document the use on the school risk log, along with any mitigating actions and the acceptance of the risk.
How can you reduce the risk associated with removable media?
Some of the above and below may seem obvious. However, best practice is often not applied. The safe use of removable media should be part of the school's bi-annual data protection and cyber security training, alongside a clear policy on the use of removable media. The organisation's policy should include (but not be limited to):
Do not plug unknown flash drives into school devices.
As well as the possibility of introducing a virus to the network, hackers use USB devices (pen drives) to introduce other malware onto the network that can allow the attacker to gain a foothold on the network.
Do not use the same USB device for home and work computers.
This limits the possibility of spreading malware from your home PC to the school PC (and vice versa).
Enable security features such as encryption and additional authentication.
In the event of the loss or theft of your removable media, the data on the device has a greater chance of remaining secure.
Keep the software on your computer up to date, as updates include crucial patches for known vulnerabilities.
This reduces the risk from malware that exploits known, already-patched vulnerabilities.
Never leave removable media lying around, even if encrypted.
This is part of a cultural shift, being more aware of the possible implications of losing data held on devices.
Report the loss of removable media to the school's Data Protection Team.
As soon as you are aware of the loss of data, report it immediately to your school's data protection officer or lead. They will determine if the data loss is to be reported to the supervisory authority. In some countries, there are strict time frames around reporting incidents, and the benchmark for reporting to a supervisory authority, if required, is 72 hours.
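The policy points above, together with the earlier advice to record each approved use of removable media on the school risk log, can be turned into a routine audit. The script below is an added example, not code from this blog post or from 9ine: it checks a log of device-connection events against a register of approved devices and flags any device with no documented business case (shadow IT), any approved device that is not encrypted, and any device used by someone other than the person it was assigned to. Both the register and the event log are constructed sample data, and their column layout is an assumption rather than the export format of any real endpoint or USB-control product.

```python
"""Audit removable-media connection events against an approved-device register.

Added example (not code from the original blog post or from 9ine). The register
and the event log are constructed sample data; their column layout is an
assumption, not the export format of any real product.
"""
import csv
import io
from collections import defaultdict

# Constructed register of removable media with a documented business case,
# the kind of entry the school risk log would hold for each approved device.
REGISTER_CSV = """serial,assigned_user,department,business_case,encrypted
KNG0001,j.smith,finance,Offline backup of payroll export,yes
SND0042,a.patel,science,Lab camera memory card,no
"""

# Constructed connection-event log, one row per device insertion.
EVENTS_CSV = """timestamp,host,user,serial,vendor
2024-03-01T08:02:11,LAPTOP-07,j.smith,KNG0001,Kingston
2024-03-01T09:15:40,LAPTOP-12,m.jones,UNK9999,Generic
2024-03-01T11:47:03,STAFF-PC-03,a.patel,SND0042,SanDisk
2024-03-02T13:20:55,LAPTOP-07,t.brown,KNG0001,Kingston
"""


def load_register(text):
    """Parse the register into {serial: row} so each lookup is a dict hit."""
    return {row["serial"]: row for row in csv.DictReader(io.StringIO(text))}


def load_events(text):
    """Parse the event log into a list of row dicts, preserving order."""
    return list(csv.DictReader(io.StringIO(text)))


def _finding(ev, rule):
    return {"serial": ev["serial"], "host": ev["host"],
            "user": ev["user"], "rule": rule}


def audit_events(register, events):
    """Return one finding per policy violation, in event order.

    Rules (mirroring the policy points in the post):
      unregistered - no documented business case for this device: shadow IT.
      unencrypted  - approved, but its data is exposed if the device is lost.
      wrong_user   - used by someone other than the assigned user.
    """
    findings = []
    for ev in events:
        entry = register.get(ev["serial"])
        if entry is None:
            findings.append(_finding(ev, "unregistered"))
            continue  # nothing else to check against an unknown device
        if entry["encrypted"].strip().lower() != "yes":
            findings.append(_finding(ev, "unencrypted"))
        if ev["user"] != entry["assigned_user"]:
            findings.append(_finding(ev, "wrong_user"))
    return findings


def summarise(findings):
    """Count findings per rule; a quick figure to carry onto the risk log."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    register = load_register(REGISTER_CSV)
    found = audit_events(register, load_events(EVENTS_CSV))
    for f in found:
        print(f"{f['rule']:12s} serial={f['serial']} host={f['host']} user={f['user']}")
    print(summarise(found))
```

On the sample data the audit produces three findings: the Generic device with serial UNK9999 has no register entry, the science department's memory card is approved but unencrypted, and the finance drive was plugged in by a user it was not assigned to. In practice the event log would come from whatever device-control or endpoint logging the school already runs, and the register from the risk log the post describes; the value of the check is that it turns "we allow removable media in documented cases" into something that can be verified each term.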
In summary, by eliminating (or minimizing) and managing the use of removable media, you will significantly reduce the organization's risk profile in two critical areas: the unintentional loss of personal data, resulting in a data breach, and the unintentional introduction of malware onto a computer or network, both of which would be reportable to the local data protection regulatory authority in some cases.
ABOUT THE AUTHOR:
Dan Cleworth has worked in education for over 20 years. He is a Senior Technical Consultant and certified GDPR practitioner. Dan heads up 9ine's cyber security team and currently works with schools in the UK, Europe and the Middle East to evaluate and secure systems and services to meet data protection and cyber security compliance.