By Rob Sabo
The Washoe County School District in Reno, Nev., issued a statement earlier this year notifying the public that it had inadvertently over-shared sensitive data stored on its cloud system.
Some employees had assigned sharing settings on documents that were too broad, officials said, which may have negligently allowed other district employees — and even students — to access data outside of the intended audience.
The school district said it quickly implemented changes, specifically limiting access of shared files to their owners and certain employees.
“Our online cloud-storage system is not typically used for private student-staff data and information,” Washoe County school officials said in the February statement.
“Instead, this cloud storage is meant as a repository, where work products are created, stored and shared for class group projects for students — as well as for ongoing department work projects for employees.”
“The issue is managing risk. You are dealing with people and changing circumstances — and you can’t completely control the outcome.”James Pooley, Silicon Valley trade-secrets expert.
The district’s IT department also audited its cloud system to determine which permissions might have been incorrectly applied — and officials said they planned to conduct follow-up training with staff to avoid similar mistakes in the future.
The Washoe County School District did not respond to multiple interview requests from Digital Privacy News.
The incident underscores the security and privacy risks associated with teams and with remote-based employees working with cloud document storage and the pitfalls of improperly applied sharing privileges, privacy experts said.
“The issue is managing risk,” said James Pooley, a Silicon Valley trade-secrets expert. “You are dealing with people and changing circumstances — and you can’t completely control the outcome.
“Frequently,” he continued, “you have to give up a certain amount of security in order to get convenience, effectiveness or productivity out of your teams.
“You take certain risks, but you try to manage them.”
Risk is multiplied exponentially when dealing with truly sensitive data such as medical records — particularly during the COVID-19 pandemic — student grades or classwork, or the digital information that forms the backbone of modern organizations, such as game developers or software and media companies, Pooley added.
“This cloud storage is meant as a repository where work products are created, stored and shared for class group projects for students — as well as for ongoing department work projects for employees.”Washoe County School District, Reno, Nev.
“Data is a primary asset of countless modern corporations and organizations,” he told Digital Privacy News.
Sharing information between employees and staff brings increased productivity and innovation, which are of particular importance for remote teams no longer able to swap stories around the office water cooler, Pooley said.
Achieving these synergies often involves robust sharing of data to foster better collaboration, he observed.
“But none of these things are defined by sharp edges and bright lines,” Pooley said.
“It’s a lot of judgment calls about where needs and risks are greater and what the tradeoffs are.”
Putting sensitive information in the hands of thousands of people imperils its security, regardless of how well informed employees are about an organizations’ data security and sharing protocols, Pooley said.
The National Institute of Standards and Technology, part of the U.S. Commerce Department, and similar agencies have developed specifications for companies to implement and follow — but the protocols for sharing and protection of data is unique to every business, he noted.
“There’s no silver bullet in security training.”Nick Santora, Curricula cybersecurity platform.
“There are standards and rules companies should put in place, but every organization’s information, value and risk are different,” Pooley told Digital Privacy News.
“Whether you are a school district or a multinational manufacturer, you need to look at the information you have, what makes it valuable or sensitive — and the risk-environment in which it exists,” he said. “What can go wrong?”
Once organizations understand those factors, they can find technical and educational solutions to better manage and control their data, he said.
Security and privacy experts told Digital Privacy News that educating employees about risk and responsibility is a front-line defense against unintentional data leaks.
Data security and protection starts with managers being aware of potential sharing risks — and then they must communicate those issues with employees and teams so they better know how to properly use, share and safeguard the information to which they are entrusted.
“Each employee needs to know their role in protecting data,” said Nick Santora, CEO and founder of Curricula, an Atlanta cybersecurity awareness training platform.
“There’s no silver bullet in security training,” he told Digital Privacy News. “You have to set appropriate access permissions for people and teams.
“That’s what makes the difference with data being protected versus the likelihood of it being leaked.
“Your employees become the first line of defense.”
Stronger File Controls
While cloud-based access to data has brought about unprecedented convenience, it’s also brought about increased risk, noted Gil Friedrich, CEO of the New York cybersecurity firm Avanan.
Battling risk requires implementing data-control policies that identify how files are controlled and shared among users — and that is unique to each organization and industry, he said.
“Identifying and marking files that contain confidential, financial or personally identifiable information is essential.”Gil Friedrich, Avanan cybersecurity firm.
“Ensuring proper file-share settings starts with an all-encompassing policy that allows complete control over how files are shared, preventing mistakes and taking swift action when needed,” Friedrich told Digital Privacy News.
“Identifying and marking files that contain confidential, financial or personally identifiable information is essential.
“Further, having a security solution that follows the file once it’s been shared is important,” he added, “meaning it can be encrypted on the fly — preventing unauthorized access to sensitive information.”
Rob Sabo is a Nevada writer.
How to Limit File-Sharing Accidents
Businesses can take several paths to establishing and controlling organization file-sharing, said Nick Santora, CEO of the Curricula cybersecurity firm in Atlanta.
Organizational file-sharing often is done with role-based permissions or ad hoc permissions, he said.
“Based on the ‘need-to-know principle,’ employees are typically given access to only what they need,” Santora told Digital Privacy News.
“A finance department has access to financial folders, documents and other files that sales reps or the engineering department wouldn’t be able to access.
“However, access-control lists can become messy if employees change jobs or roles — since files required for one job aren’t required for another,” he said.
“Some organizations strictly control access-control lists,” Santora added. “They lock down file access by requiring employees to open a ticket or ask an administrator for access.
“This is the safest method, but it‘s also the most time-consuming — since employees are waiting on an administrator to give or revoke access.”
But one alternative is letting employees administer their own permissions, he said, a common method for cloud-based file sharing.
But it also is one of the riskiest.
“This puts full control on the employees to manage access to sensitive information,” Santora said. “Mistakes can happen.”
Tightly monitoring file-sharing protocols hopefully leads to the ultimate goal of providing access to the right data to the right people, he said.
“Even when data leaves an organization, it still requires some type of protection,” Santora said.
“A simple data-classification program can help employees and organizations understand which data is ‘confidential,’ ‘internal’ and ‘public.’
“At a minimum,” he told Digital Privacy News, “these three classification tiers help organize data that should be put in a bucket and the controls that are needed to help protect it.”
— Rob Sabo
- KTVN 2: WCSD Notifies Families Of Online Cloud Document Storage Issue
- National Institute of Standards and Technology: NIST Cybersecurity Framework