Teaching Guide: My Data

Illustration of a girl using her phone under two giant phones with the data category logo on the big screen.

Objective(s):

In this session, you will help participants learn how to ensure that their personal and professional data is always secure and recoverable.

Teaching points:

  • What data life cycle looks like;
  • How to securely store confidential and sensitive data;
  • How to restrict access to confidential and sensitive data

Practical skills taught:

  • Backing up data (local and cloud);
  • Recovering from back up;
  • Securing data using full-disk encryption;
  • Protecting data using client-side encryption;
  • Securely disposing of data.

Session length:

1h 30m

Skill level:

Basic for most of the content

Required knowledge:

Basic computer and email/social media literacy

Resources needed:

Projector, slides, paper, laptop connected to the internet, handouts

Deck:

My Data

Handouts:

Quiz: My Data, Activity Sheet: Installing BleachBit, Activity Sheet: Installing OneDrive, Activity Sheet: Recovering data from backup

Advanced preparation required:

Email participants in advance, requesting that they have one of the following during the training: (a) a functioning USB memory stick; (b) OneDrive account; or (c) Dropbox account.

Participants should also have laptops or tablets available for a practical exercise.

A. Setting the scene (10 minutes)

  1. Start the session by describing what it is about, situating the session among the other points of the CyberSTAR, and outlining what the participants will learn by the end of the session.

  2. Set the scene by discussing why it is important to regularly back up data. Ask participants the following questions to start the discussion:

    • Do you back up your files? Why or why not?

    • Have you ever lost any important files?

    • What will happen if you lose files that are very important to you personally or to your organization?

    Make sure that the following points are addressed:

    • Losing important personal and professional files is easy.

    • Ensuring that important data is secure is critical for day-to-day operations, business continuity and reporting.

    • Losing critical files can damage your reputation and have serious financial, legal and administrative costs.

    • Backing up data on a frequent and regular basis is the best way to ensure that if your files are lost, they can be recovered.

  3. Provide a very basic overview of the notion of data life cycle. To use a simplified model, data life cycle describes how data goes through four stages:

    1. generation (capture)
    2. active use
    3. maintenance (storing)
    4. disposal

    Explain that this session will focus on keeping data secure through the first three stages and purging it securely in the final stage.

B. Backing up data (10 min)

  1. Remind participants how easy it is to lose important personal and professional data:

    • Computers and hard drives can fail, and it might be impossible to restore data;

    • Devices can be lost or stolen;

    • Viruses and Trojans can erase data on your devices;

    • Ransomware attacks can make your data inaccessible unless you pay;

    • Devices can be destroyed as a result of natural calamities like flood or fire.

  2. Tell participants that the only way to protect their files from these risks is to back up data on a frequent and regular basis. Backing up data is an important part of digital hygiene. Participants should think about data backup as a better-safe-than-sorry precaution. It is relatively inexpensive and does not take much time. The cost of not backing up could be a lot greater.

  3. Explain that there are different backup options for personal and professional data. Participants need to understand the advantages and disadvantages of different options before choosing the option that suits their needs.

    • Local backup involves backing up data locally, using a local hard drive or external hard drive. External hard drives are portable storage devices connected to the computer via cables or wirelessly. They can store a lot of data.

      Local backup is easier to use, faster and cheaper than remote backup. However, hardware used for local backup is vulnerable to natural calamities such as floods or fires. It can also be lost or stolen.

    • Remote backup allows users to back up their data to external hardware in remote locations (“cloud”). Users can access and manage their data anytime on any device via the internet. Most cloud storage services provide a large amount of storage space and encrypt the content for data security.

      Having your data backed up in a secure distant location gives you a peace of mind and ensures that your data is safe and recoverable. It is, however, slower and more expensive than local backup. Besides, you can only access data backed up remotely when you have access to the internet.

  4. Encourage participants not to underestimate the value of having physical copies of important personal and professional documents such as registration documents, tax records, bank statements, etc.

  5. Mention that it is a good idea to back up data in more than one place. Encourage participants to follow the 3-2-1 rule: to ensure that your data is safe and recoverable in almost any scenario, always keep at least three (3) copies of your data and store two (2) backup copies on different physical storage media locally and one (1) copy in an offsite location such as a cloud service.

C. Activity: file recovery from backup (10 min)

  1. Explain the activity to the participants. The objective is to help participants learn to do basic backup and get them to understand how handy backups come in case of data loss.

  2. Start the participants by creating three empty files such as Word, Excel and PowerPoint (or any other types of files). Ask them to name these documents as follows: (1) “Important document”; (2) “Confidential file”; and (3) “Sensitive report”. Now ask the participants to save these files in a folder named “Important”.

  3. Participants were asked to have one of the following for the training: (a) a functioning USB memory stick; (b) OneDrive account; or (c) Dropbox account. Ask them to copy the “Important” folder they have created on the memory stick, in OneDrive or in Dropbox. Once this part of the exercise is completed, explain that they have just backed up the folder. Ask the participants to remove the memory stick from the device or log out of their OneDrive or Dropbox accounts.

  4. Now ask the participants to delete the “Important” folder from their devices and empty the Recycle Bin. Explain that this imitates a situation in which they lost highly important data.

  5. Finally, get the participants to insert their memory sticks back into their devices or log back into their OneDrive or Dropbox accounts. Now ask them to copy the “Important” folder back to their devices. Explain that they have just recovered an important file from backup after the original data was lost. It is that easy!

D. Data encryption (5 min)

  1. Explain that backing up data ensures that it can be recovered if the hard drives or storage media on which it is originally stored is damaged, lost, stolen, destroyed or becomes inaccessible in any other way. It does not, however, prevent others from accessing, stealing or modifying your files by gaining access to the hard drives or storage media on which you store your files and backups.

  2. Tell participants that the best way to protect their files and backups from unauthorized access or manipulation is encryption. Encryption is particularly important when you deal with confidential data that can put you and the people you work with at risk.

    Data encryption converts data into a complex code that only people with access to a secret key (known as a decryption key) or password can read. Even if unauthorized individuals get access to encrypted data, they cannot decipher the code or change it without either the decryption key or the password. Encryption is currently the most effective data security method for organizations.

  3. Mention that participants should not worry about data backed up to clouds as these services nowadays automatically encrypt data. They should, however, ensure that their local backups are encrypted. Options for doing so will be discussed later in the session.

  4. Mention also that you will discuss encryption in another session, My Conversations, where you will look at encryption for data “in transit” (data enroute from one user to another). This session mainly focuses on data “at rest” (data that is stored in one location).

E. Full-disk encryption (15 min)

  1. Discuss with participants why full-disk encryption is a must for individuals and organizations that deal with or store confidential or sensitive data.

    Full-disk encryption protects you, your organization and its beneficiaries from consequences arising from loss or theft of confidential or sensitive data stored on hard drives.

  2. Now provide a high-level overview of how full-disk encryption works.

    Full-disk encryption encrypts your data at the hardware level. It works by automatically converting data on a hard drive into a code that cannot be understood by anyone without the authentication key. Even if your hard drive is stolen and placed in another computer, without this key nobody will be able to understand the data.

    Full-disk encryption is easy to use because it does not require any special attention on the part of the end user after she or he initially unlocks the computer. As data is written, it is automatically encrypted. When it is read, it is automatically decrypted.

    By working at the hardware level, full-disk encryption provides “blanket” protection so that the user does not have to worry about protecting individual files. It also ensures that any remnants of data are secure. Such remnants include temporary files and browser cache files.

  3. Remind the participants about the importance of setting device passwords and enabling idle screen locks. Full-disk encryption protects data at rest, but if the user leaves their workstation or laptop without locking the screen, disc encryption will not protect data stored on the device.

  4. Now explain that all current operating systems provide free full-disk encryption capability. Discuss these built-in options:

    BitLocker is Windows’ built-in encryption tool. It is available to anyone who has a machine running Windows 10 Pro or Windows 10 Enterprise.

    FileVault is Apple’s built-in encryption tool. It is available to anyone who has a Mac computer running Mac OS X 10.3 and later.

    Although these full-disk encryption tools are built into operating systems, they will not work unless users enable and set up these programs.

F. Client-side encryption (15 min)

  1. Now that participants understand why it is important to encrypt data in storage, explain why it is also important to ensure that sensitive and confidential files are encrypted before they are transmitted to remote servers such as cloud storage services. Explain also how client-side encryption works.

    Cloud storage services typically (excluding Tresorit) encrypt your data in-transit and with a technique called server-side encryption. The problem with server-side encryption is that the service provider can still access the data. If they can access it, it also means that state authorities may be able to and that if the provider is compromised, your data is also compromised.

    Client-side encryption, in contrast, is applied to your data before it is transmitted from your device. So, your data cannot be accessed in transit or by a cloud service provider. Data encrypted on the client side arrives at a cloud server already encrypted but also undergoes additional server-side encryption.

  2. Provide participants with a high-level overview of the options they have when it comes to client-side encryption:

    Encrypted archives: you can organize files in folders, put those folders in 7Z, ZIP or PEA archives and encrypt those before sending them to a cloud storage service. When doing so, remember to choose the option that encrypts file names in addition to the content of the files. This is particularly important when the names of files can reveal sensitive or confidential information.

    Encrypted file containers: you can organize your data into folders and subfolders and place them in an encrypted file container.

    • Users running Windows 10 Pro can use the built-in Encrypted File System (EFS) to encrypt folders. EFS is different from BitLocker in that encrypts the entire hard drive.

    • Users of Mac computers can create an encrypted disk image (basically, an encrypted file container), using the built-in Disk Utility. Doing so requires a number of steps, but there are plenty of online guides with step-by-step instructions.

    • There are also third-party applications that can help you create encrypted file containers. VeraCrypt is an application many security experts recommend. In general, however, third-party applications require users to have more advanced technical skills.

    Built-in application encryption: some applications have built-in tools that allow users to encrypt specific files. You can, for instance, encrypt PDF, Word and Excel files in this way. This solution is time consuming because it requires users to encrypt files individually. There are also serious concerns about how secure the built-in app encryption is.

    Cloud services with client-side encryption: some cloud storage services such as Tresorit, provide client-side encryption for those who can afford it.

G. Secure data disposal (10 min)

  1. So far in this session we have discussed habits and tools that can help participants protect their sensitive and confidential data. But what happens when you decide you no longer need to keep certain files?

  2. Explain that the answer is more complicated than the participants might think.

    “Deleting” a file on your computer does not really delete it in a sense of making it disappear. When you hit “Delete,” the operating system removes the file’s name from an index of everything on your device and understands that it can use the space for something else. When the operating system decides that it needs that space for something else, it simply replaces the contents of the deleted file with new data. But until your operating system actually uses that particular space for something else, the deleted information will stay on the hard drive, without you seeing it. This means that even after you empty the Recycle Bin, your deleted files remain on your hard drive and can be recovered by anyone with the right tools.

    Every time you use your computer, multiple files are created and insecurely deleted. For example, when you work on a report in a Word document, every time you save the document, your operating system creates and stores a new copy of the document. All the earlier copies are “deleted,” without really disappearing anywhere.

  3. Tell the participants that when they deal with sensitive or confidential information and want to ensure that the files they delete do not end up in the wrong hands, they have to rely on secure deletion tools that remove data from hard drives and storage media permanently. Secure deletion tools do so by replacing or “overwriting” your sensitive information with random data.

  4. The secure deletion tool we recommend is CCleaner. This free and easy-to-use software is available to users of Mac and Windows machines, as well as Apple and Android mobile devices.

  5. Explain that there are different options for removing sensitive data depending on whether the data is stored on a hard drive or portable storage device.

    When it comes to hard drives, you can remove a single file or everything in the unallocated space on the drive with tools such as CCleaner. These tools aren’t perfect on SSD drives however.

    When it comes to solid state drives (SSDs) or flash memory sticks, the only way to securely and permanently remove sensitive data is to clean the entire free storage space on these devices. Doing so wears out these devices. So be judicious about how often you wipe them.

  6. Tell participants that it is a good idea to use CCleaner regularly to remove common temporary files from their devices. These files generated by software such as Microsoft Office, Internet Explorer, Mozilla and so on are known to expose potentially sensitive information. Keep in mind that removing all cookies / cache files from web browsers will log you out of all web services. Remind participants to make sure that they know the logins for all of the services that they use.

H. Activity: installing CCleaner (10 min)

  1. Explain the activity to the participants. The objective is to get participants to install CCleaner on their devices and start them on using it. Note that CCleaner cannot be used on iPhones and iPads.

  2. Ask participants to download CCleaner directly from the developer’s webpage and install it on their devices.

    In order to prevent CCleaner from adding unwanted software to the installation, tell participants to uncheck the “Yes, install Avast Free Antivirus” box at the bottom of the installation window.

  3. Ask participants to run CCleaner and delete temporary internet files.

I. Wrap-up (5 minutes)

  1. Provide a brief summary of practical skills that the participants should have learnt during the session.

  2. Ask participants if they have any questions, answering the questions when possible or pointing them to online resources when the questions are not relevant to the rest of the group.

  3. Distribute handouts with step-by-step practical guides on the most common technical issues the participants are known to encounter.