Welcome to TCEA Responds #9. Submit your own question(s) online. Today’s topic is securing sensitive data. This includes data stored in cloud storage solutions like Microsoft OneDrive and/or Forms and Excel Online or Google Drive or Forms and Sheets.
Dear TCEA Responds:
My district uses Google Forms to collect parent and student data. This includes names, birth dates, phone numbers, and emails. Should I be worried? I know Google says it’s the school’s responsibility. Do you see any issues with security regarding sensitive data?
A district-level administrator has a Google Sheet with 500 Social Security numbers for students on it. He accidentally drags it into a publicly-shared Google Drive folder. Is this a data breach or not? It depends on several factors.
While this isn’t technically a data breach since the data has yet to be stolen, a data breach could occur. If the person in question (or anyone else who has access) falls for a phishing scam and bad people get access, then the district will have a problem. If the data is not encrypted, then a data breach has occurred and the district could be liable for identity theft protection. Let’s review possible options for avoiding this situation.
Option 1 – Encrypting Data
The easiest solution (which isn’t that easy) is to avoid placing sensitive, personally-identifiable information online in a public folder where it is unknown who has access to it. If you must place sensitive data in the cloud, encrypt the file first. Once the person has obtained the file, remove the file. At no time should a decrypted file be placed online in cloud storage or emailed as an attachment. Two commercial solutions districts can use for encrypting data stored in the cloud include Cryptomator and Boxcryptor. A free solution is Secure Space Encryptor (SSE) from Paranoia Works. It’s free, open source, and works on Mac/Win/Linux/Android. It also features text encryption for iPad. You could use this because it allows you to encrypt files/folders. If the files/folders you are encrypting save to a “sync to cloud” folder (e.g. Dropbox, Drive, OneDrive), then that data is encrypted.
Option 2 – Invest in a Solution that Scans Your G Suite Domain
Several solutions exist that will scan your district’s Google Suites for Education domain seeking any possible sensitive data that may have been shared with intent or not. Two solutions that I am aware of include the following (in alpha order):
Both solutions offer a variety of features, essentially scanning your cloud storage provider (e.g. Google Suites for Education or Office 365) for sensitive data. What’s more, additional rules can be set up to restrict placement of sensitive data online to prevent or quickly catch rule violations. You will want to explore these solutions through an official request for proposals (RFP) process aligned to your particular district’s processes and procedures.
Did you knowb4? A big part of protecting data involves avoiding situations, like phishing expeditions, that attempt to capture your username and password. Some school districts are turning to solutions like KnowB4, which provides security probing and awareness training. For example, a false spear phishing attack is launched against employees with the organization’s permission. This simulated attack is done without notifying the employees first. One district, for example, “sent out a baseline test to 4,390 staff and 924 clicked on it.” The district later reported that they suffered an actual attack, not simulated by KnowB4. Only one person was compromised. From 924 to one is quite an improvement.
Safeguarding Sensitive Data is Everyone’s Responsibility
Digital citizenship is often cited as an important set of habits to develop. Safeguarding sensitive data is everyone’s responsibility. Make sure district staff understand the consequences of convenient uses of cloud storage.