Why are we making this change?
Our institutional responsibilities for managing information and data security are stringent. For good reason: the scale and sophistication of criminal cyber-activity is increasing. We need to meet these security challenges as an organisation and as individuals. As most members of staff routinely handle private and sensitive student and staff information from a wide range of devices and locations, the University has agreed upon a programme of changes to help keep our sensitive data secure.
What's the issue here?
USB data storage devices pose a security threat. By ‘USB data storage device’ we mean any portable devices that can store data or transfer files via a USB port. These devices are commonly called ‘USB sticks’, ‘memory sticks’, ‘flash drives’, ‘pen drives’ or even ‘thumb drives’ - although other types of devices might also be affected (e.g. camera cards). Uncontrolled USB port usage is a vulnerability that was identified in the ICO audit.
The risks include:
- loss or theft of the USB device itself and therefore any data on it
- infection of other computers and users from use of a contaminated USB device and consequent wider infection of the University network and our infrastructure
- an example of these risks is explained in this article
What are we doing about it?
The University Information Management Executive Committee (UIMEC) has agreed that the use of USB ports for data transfer is no longer an acceptable risk for the University. This decision means that a computer used for University business will have USB ports capable of reading or writing data, blocked. Initially, this will be applied to Managed Windows 10 Desktop computers at the end of this year. Following that change, the University aims to block USB ports on all other Warwick devices that are used to work on sensitive University data.
What if I use a USB stick to store or backup data?
If you make use of a USB device to save data, you should start to move your data to alternative storage locations – for example, an H: or M: drive, or Microsoft OneDrive (included as part of the University Office365 suite). For staff who need additional storage capacity, requests can be made to the Helpdesk or via self-service requests. Find out about storage here.
Teaching at Warwick
Alternative ways to get to your presentation online (ensuring you are logged-in with an appropriate University log-in):
- Keep your presentation on an online teaching platform like Moodle or Teams and use a web browser to navigate to it from a Teaching Room Lectern.
- If your presentation is on a storage platform like the H: or M: drive you can also navigate to it online via a web browser using https://myfiles.warwick.ac.uk.
- Alternatively, you can connect your own laptop to the lectern via an HDMI or other video port. Please ensure your laptop meets the minimum-security specification before doing so.
Presenting at a conference or other external event
Instead of taking a USB stick with you, please use a file transfer system like Files.Warwick or OneDrive to securely share your presentation to the conference host ahead of the conference. If you must take a laptop with you to the conference, ensure it is encrypted and password locked and meets the University minimum-security specification
Organising a conference at Warwick
As the event host, make arrangements with your presenters to receive their presentations ahead of the conference and make them aware that they won’t be able to use USB ports on our campus devices.
What if I have a device that I think should work, but doesn't?
When a USB data storage device that is blocked is plugged into a Managed Windows 10 Desktop computer, a pop-up message will advise you that the device is blocked. If you believe this to be an error, you can click the link in the message to request access for that device. The Helpdesk will provide support.
What about other USB devices?
Other USB devices, such as headsets or printers, for example, should continue to function normally.
For further advice or support, please contact the Helpdesk.
Help and support
If you think you detect any unusual online activity, please report it immediately.
Who needs to know this?
This information concerns us all. If you use a Warwick staff card, a Warwick email address, access one of our staff or student record systems or share your Warwick work with colleagues within or beyond the University, you are involved in activities that must be kept secure.
Data Protection Officerdpo@warwick.ac.uk
The University of Warwick
Coventry CV4 8UW