Data Loss Prevention (DLP)
One of the biggest risks that we face is the loss of our data. Whether it is a cyber-breach, a stolen mobile device, or a stack of spreadsheets accidentally thrown away in an unsecured receptacle, the result is the same: our information falls into the hands of folks who are not authorized to view it. We can mitigate or reduce the effects of data loss in some of these cases, but there are less obvious ways that data “leaks” out that are harder to control.
Scenario 1: In the normal process of doing their job, a UT employee sends an unprotected spreadsheet full of sensitive information to Human Resources or Payroll to process student pay. The spreadsheet contains information such as the name and SSN of an employee. They copied 30 others on the email.
Scenario 2: A UT employee is in the process of booking a room for their supervisor and, for whatever reason, sends the supervisor’s credit card information, complete with the credit card number, the cardholder’s name, expiration date, and CVN, to the conference hotel through email.
Scenario 3: A UT employee just finishes their family’s 2021 Tax Return in TurboTax and sends a PDF of the return through their UT email account, complete with their SSN, their spouse’s SSN, and their children’s SSNs, to their Yahoo!, Gmail, or Hotmail account.
Regardless of the intention, the results are the same: personally identifiable information just leaked out. None of these examples of sending the information is “okay,” not to mention that sending UT data in an unsecured manner violates UT policy. Moreover, the information is now stored in the sender’s and all of the recipients’ mailboxes. Given the synchronized nature of email now, where it’s also conveniently pushed to a mobile device, the information is also on the sender’s AND the recipients’ phones, laptops, or workstations. If the mobile devices are not protected by a PIN, password, or encryption, neither is the data.
These are tough actions to mitigate. Data Loss Prevention (DLP) controls allow us to put technical controls in place that examine outgoing email BEFORE the user presses “Send” and remind the user that it “looks” like they are sending information that should be protected. The warning can be acknowledged and the email sent. However, the system also logs the event and alerts the Information Security staff. The event can be investigated, and a follow-up notice sent to the sender informing them that there are other options for transmitting sensitive information. OIT is testing the DLP capabilities of Microsoft 365 and hopes to implement the controls soon. These controls won’t prohibit the sending of sensitive information in an unsecured fashion but can serve as a reminder that there are other ways of communicating sensitive information.
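The following sketch shows the kind of content check such a control performs on an outgoing message: it looks for SSN-shaped and card-shaped strings, validates card candidates with the Luhn checksum to cut false positives, and returns a warn-and-log decision that still allows the send. It is an added example, not code from this page or from Microsoft 365; the patterns, function names, and sample messages are assumptions made for illustration.

```python
import re

# Patterns are assumptions for illustration, not Microsoft 365's rule definitions.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_message(subject: str, body: str) -> list[dict]:
    """Return masked findings; the full value is never kept for the log."""
    text = f"{subject}\n{body}"
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append({"type": "SSN", "masked": "***-**-" + m.group()[-4:]})
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append({"type": "CARD", "masked": "*" * 12 + digits[-4:]})
    return findings


def policy_decision(subject: str, body: str) -> dict:
    """Warn-and-log, as the page describes: the sender may still send."""
    findings = scan_message(subject, body)
    return {
        "warn_sender": bool(findings),
        "alert_security": bool(findings),
        "allow_send": True,  # the control reminds, it does not block
        "findings": findings,
    }


# Constructed sample messages (fake SSN, industry test card number).
SAMPLE_LEAK = "Student pay: Jane Doe, SSN 123-45-6789, card 4111 1111 1111 1111"
SAMPLE_CLEAN = "Order ref 1234 5678 9012 3456, call 865-555-0100 with questions"

if __name__ == "__main__":
    print(policy_decision("Payroll", SAMPLE_LEAK))
    print(policy_decision("Room booking", SAMPLE_CLEAN))
```

Masking the matched values before they reach the event log keeps the DLP log itself from becoming another copy of the sensitive data.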
As specified in the UT Acceptable Use Policy (IT0110-AUP), The University reserves the right to access, monitor, review, and release the contents and activity of an individual User’s account(s) as well as that of personal Internet account(s) used for University business. The AUP also states that “… users WILL NOT: Include or request personally identifiable or generally protected information such as passwords, social security numbers, or credit card numbers be included in electronic communication (email, instant message, text message, etc.).” Whether it’s an SSN, a credit card, or a grade-roll, there are ways to transmit this data SECURELY.
- If it’s a Microsoft Office Document or an Adobe Acrobat PDF file containing sensitive information, it can be PASSWORD-ENCRYPTED before it’s sent. The sender would need to share the password (verbally) with the recipients so they could decrypt the document. (GOOD)
- Microsoft 365 allows for encryption of email by putting the word “ENCRYPT” (without the quotes) in the Subject Line. This works for emails sent internally or externally. However, there’s a limit to the size of the attachment. (BETTER)
- The document can be sent via the UTK Secure Courier (vault.utk.edu) to both internal and external recipients. (BETTER)
- Internal to UT, the sensitive information can be shared securely through Google Drive or Microsoft’s OneDrive for Business. Documents saved in OneDrive for Business can be added to an email in Outlook as a link, so no data is really attached to the email but would require the recipient to authenticate using their NetID and password to access the information. (BETTER)
The message is still the same: regardless of what controls are in place, the only control that can reduce the exposure of sensitive information (data loss) is the USER. All of these methods require effort. They’re not expedient. It’s the nature of the world we live in. Expediency can be interpreted as good customer service. However, knowingly putting the customer’s personal information – your information – at risk is not good customer service and is a violation of policy.