There’s no security without “U”
One of the biggest risks that we face is the loss of our data. Whether it is cyber-breach, a stolen mobile device, or a stack of spreadsheets accidentally thrown away in an unsecured receptacle, the result is the same: our information falls into the hands of folks who are not authorized to view it. We can mitigate or reduce the effects of data loss in some of these cases, but there are less obvious ways that data “leaks” out that are harder to control.
Scenario 1: In the normal process of doing their job, a UT employee sends an unprotected spreadsheet full of sensitive information to Human Resources or Payroll for processing student pay. The spreadsheet contains information such as the name and SSN of an employee. They copied 30 others on the email.
Scenario 2: A UT employee is in the process of booking a room for their supervisor and, for whatever reason, sends the supervisor’s credit card, complete with the credit card number, the card holder’s name, expiration date, and CVN, to the conference hotel through email.
Scenario 3: A UT employee just finishes their family’s 2021 Tax Return in TurboTax and sends a PDF of the return through their UT email account, complete with their SSN, their spouse’s SSN, and their children’s SSN’s to their Yahoo! Gmail or Hotmail account.
Regardless of the intention, the results are the same: personally, identifiable information just leaked out. None of these examples of sending the information is “okay,” not to mention that it violates UT policy. Moreover, the information is now stored in the sender and all of the recipient’s email boxes. Given the synchronous nature of email now, where it’s also conveniently pushed to a mobile device, the information is also on the sender AND recipient’s phone, laptop or workstation. IF the mobile device isn’t protected by a PIN or a password or by encryption, neither is the data.
These are tough actions to mitigate. Data Loss Prevention (DLP) controls allow us to put technical controls in place that examine outgoing email BEFORE the user presses “Send” and reminds you that it “looks” like you’re sending information that should be protected. The warning can be acknowledged; the email sent. However, the system also logs the event and alerts Information Security staff. The event can be investigated, and a follow-up notice sent to the sender informing them that there are other options for transmitting sensitive information. OIT is testing the DLP capabilities of Office365 and hopes to implement the controls soon. These controls won’t prohibit the sending of sensitive information in an insecure fashion but can serve as a reminder that there are other ways of communicating sensitive information.
As specified in the UT Acceptable Use Policy (IT0110-AUP), The University reserves the right to access, monitor, review, and release the contents and activity of an individual User’s account(s) as well as that of personal Internet account(s) used for University business. The AUP also states that “… users WILL NOT: Include or request personally identifiable or generally protected information such as passwords, social security numbers, or credit card numbers be included in electronic communication (email, instant message, text message, etc.).” Whether it’s an SSN, a credit card, or a grade-roll, there are ways to transmit this data SECURELY.
1. If it’s a Microsoft Office Document or an Adobe Acrobat PDF file containing sensitive information, it can be PASSWORD-ENCRYPTED before it’s sent. The sender would need to share the password (verbally) with the recipients so they could un-encrypt the document. (GOOD)
2. The document can be sent via the UTK Secure Courier (vault.utk.edu) both to internal and external recipients. (BETTER)
3. Internal to UT, the sensitive information can be shared securely through GoogleDrive or Microsoft’s OneDrive for Business. Documents saved in OneDrive for Business can be added to an email in Outlook as a link, so no data is really attached to the email but would require the recipient to authenticate using their NetID and password to access the information. (BETTER)
4. Internal/External – UTK Users can type the word “Encrypt” into the Subject line of an email sent from their UTK Microsoft 365 account. This works a lot like the Vault in that the recipient will receive an email with information on how to receive the information. They will have to authenticate with their NetID and password or a one-time passcode to retrieve the message. (BETTER)
The message is still the same: regardless of what controls are in place, the only control that can reduce the exposure of sensitive information (data loss) is the USER. All of these methods require effort. They’re not expedient. It’s the nature of the world we live in. Expediency can be interpreted as good customer service. However, knowingly putting the customer’s personal information – your information – at risk is not good customer service and a violation of policy.
Lastly, if you SEE something, SAY something! All the technical controls in the world can’t catch everything.
For help or assistance with any of the methods listed, please call the OIT HelpDesk at 865-974-9900. If you don’t know or aren’t sure: ASK.