One of the most significant risks that we face is data loss. Whether it is a cyber-breach, a stolen mobile device, or a stack of spreadsheets accidentally thrown away in an unsecured receptacle, the result is the same: our information falls into the hands of folks who are not authorized to view it. We can mitigate or reduce the effects of data loss in some cases, but there are less obvious ways that data “leaks” out that are harder to control.
Regardless of the intention, the result is the same: personally identifiable information just leaked out.
None of these ways of sending the information is acceptable, and each one violates UT policy. Moreover, the data is now stored in the sender's mailbox and in every recipient's mailbox. Because email is now synchronized across devices and conveniently pushed to phones, the information also sits on the sender's AND each recipient's phone, laptop, or workstation. If that device isn't protected by a PIN, password, or encryption, neither is the data.
These behaviours are hard to mitigate with technology alone. Data Loss Prevention (DLP) controls let us put technical checks in place that examine an outgoing email BEFORE you press "Send" and remind you that it "looks" like you are sending information that should be protected. The warning can be acknowledged and the email sent anyway. However, the system also logs the event and alerts Information Security staff for a possible investigation. A follow-up notice may then be sent to you, pointing out that other options exist for transmitting sensitive information, for example:
As specified in the UT Acceptable Use Policy (IT0110-AUP), the University reserves the right to access, monitor, review, and release the contents and activity of an individual User's account(s), as well as that of personal Internet account(s) used for University business. The AUP also states that "… users WILL NOT: Include or request personally identifiable or generally protected information such as passwords, social security numbers, or credit card numbers be included in electronic communication (email, instant message, text message, etc.)."
Whether it is an SSN, a credit card number, or a grade roll, there are ways to transmit this data SECURELY.
OIT is testing the DLP capabilities of Microsoft 365 and hopes to implement the controls soon. These controls won’t stop you from sending sensitive information in an insecure fashion but can serve as a reminder that there are other ways of communicating sensitive information.
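To make the DLP behaviour described above concrete, here is an added example (not OIT's code and not Microsoft 365 DLP) of the kind of check such a control runs on an outgoing message: it looks for Social Security Number patterns and for card numbers that pass the Luhn checksum, returns a "warn" decision that the sender can still override, and builds the masked audit record that would go to Information Security. The function names, the sample message, and the sender and recipient addresses are all constructed for this illustration.

```python
"""Toy DLP check for an outgoing email.

Added example, not UT/OIT's code nor Microsoft 365 DLP. It shows the kind of
pattern-plus-validation check a DLP engine runs on a message before it leaves
the organisation, the warning it hands back to the sender, and the audit
record it logs for Information Security. The sample message is constructed.
"""
import json
import re
from datetime import datetime, timezone

# 13-19 digits with optional single spaces or dashes between them (card formats).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN: 3-2-4 digits, rejecting area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the audit log itself does not leak the value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(body: str) -> list[dict]:
    """Return one finding per Luhn-valid card number or SSN in the message body."""
    findings = []

    def take_card(m):
        # Only report digit runs that pass Luhn; blank them out so the SSN
        # pattern cannot re-match a fragment of the same card number.
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append({"type": "credit_card", "value": mask(digits)})
            return "X" * len(m.group())
        return m.group()

    remaining = CARD_RE.sub(take_card, body)
    for m in SSN_RE.finditer(remaining):
        findings.append({"type": "ssn", "value": mask(re.sub(r"[- ]", "", m.group()))})
    return findings


def check_outgoing(sender: str, recipients: list[str], body: str) -> dict:
    """Decide what to do with the message and build the audit record.

    Mirrors the behaviour described in the text: the sender is warned but may
    still send; the event is logged either way so Information Security can
    follow up.
    """
    findings = find_sensitive(body)
    action = "warn" if findings else "allow"
    audit = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "sender": sender,
        "recipients": recipients,
        "action": action,
        "findings": findings,
    }
    return {"action": action, "audit": audit}


# Constructed sample message: a made-up SSN plus the well-known Visa test number.
SAMPLE_BODY = (
    "Hi, the student's SSN is 123-45-6789 and the card on file is "
    "4111 1111 1111 1111. Ticket #2024-1234; call 865-974-9900 with questions."
)

if __name__ == "__main__":
    result = check_outgoing("staff@example.edu", ["vendor@example.com"], SAMPLE_BODY)
    print(json.dumps(result["audit"], indent=2))
```

The ticket number and phone number in the sample are there deliberately: a pattern-only scanner that flagged every run of digits would train people to click through the warning, so the card check validates the checksum and the SSN check rejects ranges that are never issued. Real products add dictionary and keyword context ("SSN", "card") and per-recipient policies, but the warn-log-alert flow is the same.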
The message is still the same: regardless of what controls are in place, YOU are the only control that can reduce the exposure of sensitive information (data loss). All of these methods require effort, and they are not expedient. You may interpret expediency as good customer service; however, knowingly putting the customer’s personal information – your information – at risk is not good customer service and is a violation of policy.
Lastly, if you SEE something, SAY something!
All the technical controls in the world can’t catch everything.
For help or assistance with any of the methods listed, please call the OIT HelpDesk at 865-974-9900.
If you don’t know or aren’t sure: ASK.