The US government has spent billions of dollars over the last few decades trying to protect core networks, systems and infrastructure that are critical to government and civil operations. Despite this, experts say that cybersecurity has leaped over terrorism as the top threat to US security, because federal cybersecurity officials are still struggling to keep sensitive data from hackers and cyber criminals.
Systems at numerous federal agencies, including the Pentagon, have suffered data breaches through phishing scams, malware and the theft or loss of data storage devices. Unfortunately a lot of the blame falls on workers themselves, because they were either inadequately trained or didn’t follow defined security procedures.
According to the US Computer Emergency Readiness Team (US-CERT), federal employees are responsible for at least 50 percent of federal cyber breaches since 2009. One example from 2011 was the theft of unencrypted computer backup tapes containing about five million Social Security numbers and medical information of Pentagon employees. The tapes were in the car of a contractor who job was securing the records. I guess he didn’t do a good job.
According to an annual White House cybersecurity review, in 2013:
– 21 percent of all federal breaches originated from government workers who violated policies
– 16 percent of breaches were linked to employees who lost devices or had them stolen
– 12 percent to workers who improperly handled sensitive information printed from computers
– 8 percent to workers who ran or installed malicious software
– 6 percent to employees who were enticed to share classified information
Malicious or accidental disclosure of information is a major threat to governments and private enterprise. The statistics from the US government most likely mirror those in the private sector. There are calls for the US Congress to pass legislation making it easier for the private and public sector to share information on breaches so that a more coordinated effort can prevent them before they occur.
One of the problems with relying on a user of information to follow security policies is that the rules are always changing and we are only human. We get busy and we forget. Most of us remember to lock the door before we leave our house, but for most of us, that only involves closing the door. When I leave my house, I drive out of the garage and hit my garage door opener to close the door. It’s locked when it closes. The same is true of my front door. I don’t have to think about it.
Relying on employees and users of information to secure it is not the best strategy, since it assumes we know how to do it and that we always remember. A better approach is to automatically lock the information as it’s created through a dynamic, centralized security policy. This eliminates human error and allows security professionals to change information access rights on the fly, regardless of the location of the information. If an employee tries to print a document they shouldn’t, the security policy can block it. If someone has access to a file, but should no longer have that access, that person’s rights can be revoked. This is the best way to protect sensitive information.
No one in the public or private sector should be surprised by the possibility of a cyberattack or data breach through carelessness. It’s time to start protecting the data itself and not continuing to spend money on beefing up the perimeter.