The recent Federal Deposit Insurance Corporation (FDIC) data breaches, seven at last count, were more than a little bizarre. Washington Post reporter Joe Davidson, in his column “Congress hits FDIC cyber breach that boggles the mind,” writes, “Since October, a series of violations by seven employees… resulted in the breach of personal information belonging to more than 160,000 individuals.”
Apparently, departing employees who were copying their own personal files to USB keys swept up financial information belonging to FDIC loan applicants along with them. Davidson quotes Representative Don Beyer, ranking Democrat on the House Science, Space and Technology oversight subcommittee, talking to Lawrence Gross, FDIC’s chief information and chief privacy officer: “I have a hard time understanding how you can inadvertently download ten thousand customer records.”
Davidson continues, “Ten thousand was the low end. One case involved forty-nine thousand records. Gross’s contention that the former employees ‘were not computer proficient’ only made matters worse.”
Fortunately, the breaches were discovered early. Imagine if an attacker or a malicious insider had known how easy it was to copy the financial records of FDIC loan applicants to removable media and walk out with them. It is a safe bet that far more than 160,000 individuals would have been affected, and that actual financial harm would have followed.
Also to the FDIC’s good fortune, the organization had technology in place that detected the data movement. “It is unusual and impressive that the FDIC was tracking sensitive data movements and was able to resolve the issue quickly,” Dave Palmer, director of technology for Darktrace, told Aaron Boyd of the Federal Times. “Whether inadvertent or malicious, attacks are inevitable, but internal immune systems that give visibility into anomalies, combined with processes to respond, result in good overall security.”
However, the question remains: why were employees able to write data to USB keys in the first place? Unrestricted writes to removable media are high on every infosec professional’s list of things to disallow, because they are one of the simplest exfiltration paths to close with endpoint policy, and any write that is still permitted should be logged and reviewed.
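The kind of tracking Palmer describes above, and the policy this paragraph argues for, can be illustrated with a small detector run over endpoint write events. The following is an added example, not code from the article, from the FDIC or from Darktrace. The log format, the user names, the “departing employee” list and the 1,000-record bulk threshold are all constructed assumptions for the example; a real deployment would take these from the endpoint agent and the HR system.

```python
"""Flag writes to removable media and bulk copies of sensitive records.

Added example: the log format below is a constructed assumption (one line per
file write, as an endpoint or DLP agent might emit it). Fields, in order:
timestamp, user, destination class (local/network/usb), count of sensitive
records detected in the file, and the file path (which may contain spaces).
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input (not real FDIC data). Note the personal file mixed
# in with work files on the same USB key, as happened at the FDIC.
SAMPLE_LOG = """\
2016-03-02T09:14:07Z jsmith local 1200 loan_pipeline_q1.xlsx
2016-03-02T09:15:33Z jsmith usb 0 personal_photos.zip
2016-03-02T09:16:01Z jsmith usb 1200 loan_pipeline_q1.xlsx
2016-03-02T09:16:45Z jsmith usb 9500 applicants_west.csv
2016-03-02T11:02:10Z rpatel network 0 memo.docx
2016-03-02T11:05:55Z rpatel usb 3 Q1 board deck.pptx
"""

# Hypothetical inputs a real system would pull from HR and from policy.
DEPARTING_USERS = {"jsmith"}
BULK_THRESHOLD = 1000   # sensitive records per user to removable media


@dataclass(frozen=True)
class WriteEvent:
    ts: str
    user: str
    dest: str
    records: int
    path: str


def parse_log(text):
    """Parse the constructed log format; the path is the remainder of the line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dest, records, path = line.split(None, 4)
        events.append(WriteEvent(ts, user, dest, int(records), path))
    return events


def summarize_removable(events):
    """Total sensitive records each user wrote to removable media."""
    totals = defaultdict(int)
    for e in events:
        if e.dest == "usb":
            totals[e.user] += e.records
    return dict(totals)


def detect(events, departing=DEPARTING_USERS, threshold=BULK_THRESHOLD):
    """Return alerts: one 'policy' alert per removable write (policy says none
    should happen) and one 'bulk' alert per user over the record threshold,
    raised to 'critical' when that user is on the departing list."""
    alerts = []
    for e in events:
        if e.dest == "usb":
            alerts.append({"kind": "policy", "severity": "medium",
                           "user": e.user, "path": e.path,
                           "detail": "write to removable media"})
    for user, total in summarize_removable(events).items():
        if total >= threshold:
            alerts.append({"kind": "bulk",
                           "severity": "critical" if user in departing else "high",
                           "user": user, "path": None,
                           "detail": f"{total} sensitive records to removable media"})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert["severity"], alert["kind"], alert["user"], alert["detail"])
```

Two design points: the bulk rule aggregates per user rather than per file, because the FDIC cases were many files adding up to thousands of records, and the departing-employee status only raises severity, it does not gate the alert, since a copy of 10,000 applicant records is worth a look regardless of who made it.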
Create an atmosphere of doing the right thing
Dana Simberkoff, chief compliance and risk officer at AvePoint, after studying the FDIC breaches shared what she learned in her FedTech post When An Employee Leaves Your Agency, Make Sure Your Data Doesn’t.
The top item on Simberkoff’s list is employee education, which she argues is the most effective way to improve a company’s security program. Simberkoff adds, “It makes it easier for your end users to do the right thing, rather than inadvertently and unknowingly do the wrong thing.”
To get everyone in the company on the same page, Simberkoff suggests the following.
Understand the data held by your company: In order to protect an organization’s sensitive data, those in charge of the data must understand what is called the data life cycle, which focuses on:
- What the data consists of
- How the data is being created or collected
- How the data is maintained, stored, and shared while in use
- How the data should be disposed of
Delineate between work-related and personal data: It is evident from what happened at the FDIC that personal and work-related data should be stored separately; employees copying their own files should never be in a position to sweep up customer records with them. It is that simple.
Reduce data hoarding: With cheap storage and data-storage regulations galore, companies are keeping every bit of business data. Simberkoff thinks that is a bad idea. Data should have an end-of-life date, after which it is archived or deleted. “Data hoarding results in a significant data problem for the enterprise, because the more you have, the greater your risk of someone with malicious intent targeting your enterprise,” writes Simberkoff. “It also means you will spend more time protecting data that no longer holds its value to your organization.”
Create a culture of compliance: Simberkoff feels the “blame the other guy” game, or assuming someone else is responsible, leads to breaches. Put simply, information security needs to be everyone’s responsibility. Beyond ending the blame game, Simberkoff contends, “If security practitioners get a good sense of what the business is doing today and know how users are interacting with data as part of their jobs, they can better determine security policies.”
Typically, users feel encumbered by security practices. It helps immensely if those writing the security policies understand the actual workflow and do not add steps to it or complicate it, because users are far less likely to bypass security measures that do not impede their ability to work.
Simberkoff has an interesting final thought, “Security and data protection is a ‘team sport’ in which every employee is a player. This is the lesson everyone can take away from the FDIC breach to help prevent their organization from becoming tomorrow’s headline story.”