The recent inadvertent release of a secret TSA manual on a government website shows a breakdown in security procedures by the US Department of Homeland Security. According to the agency, this was an outdated, unclassified version of a Standard Operating Procedures manual. They said it was never implemented and there is no cause for concern. According to information from a Senate hearing, every page of the document said unauthorized release of this information could result in civil penalties. Senator Susan Collins of Maine commented that the manual shows exactly the documents needed to get relaxed screening at a TSA checkpoint in an airport. Seems like a security breach to me, and this is one organization that you would assume should know security. So what went wrong?
The 2008/09 annual report of the Independent Safeguarding Authority (ISA) revealed a lapse in email security. People in the organization sent confidential information to the wrong email recipient. The ISA was set up in the UK to prevent unsuitable people from working with children and vulnerable adults. An investigation concluded that human error was at fault. The ISA has plans to address IT disasters, but is still working on business continuity plans to cover issues like this.
Has this happened to you? I copied a document from my laptop to a flash drive so I could give it to a colleague. She copied the document and handed it back to me. I put it in my laptop bag where I always keep my hoard of flash drives. My son grabbed one so he could take his presentation to school. You can see where this is going. He took the flash drive to school and copied its contents onto a class laptop for his presentation. Lo and behold, he copied my document, and yes, there was confidential information in it.
Insider threats continue to represent a major concern for all size organizations.
I recently met with a company that was responding to a major RFP. The company uses a Content Management System and has developed strict procedures to ensure the confidentiality of their files. Unfortunately, one of the staff members who worked on the RFP had an acquaintance who worked for the competition. The employee saved the file to a thumb drive and emailed it to his friend at the competition. That person used the information to underbid the other company and ultimately won the business. Eventually, the theft was uncovered, the individuals involved were fired and the RFP was cancelled. There is no way to determine the cost of litigation, but it is safe to assume that legal costs and fines will exceed $1 million.
Most of us use wireless networks at home and when we travel. The other day I was sitting in an airport waiting on my late flight (that of course never happens), and I fired up my laptop to get at a few emails over the local Wi-Fi hotspot. I was responding to a few items and sent a couple of spreadsheets and documents.
I sent a proposal to a colleague for input before sending it to a customer. The document had pricing and other confidential information in it. Since I was on an open wireless network, a hacker with a Pringles can as an antenna could steal my file. Talk about scary. If I log into my company through a VPN that encrypts my traffic, I should be safe. I was using GMail, so I may be compromised.
Have you ever sent a confidential e-mail to one or more people only to find out that the e-mail was sent to someone that should not be on the distribution list? One small mistake like this can have a devastating impact on your business! Just ask Rocky Mountain Bank what it will cost them, because there was no way for them to disable an Excel spreadsheet and other documents that were sent out in error.
The familiar line from World War II is as relevant today as it was 65 years ago. The release of confidential information can have a devastating impact on an organization. In the normal course of doing business, critical information will leak out into the wild. This may occur intentionally or unintentionally, but either way it is critical to know that a breach occurred at the earliest possible moment. Data Loss Detection enables companies to routinely perform customized profile searches that detect specific information on internet sites. The search crawler detects confidential data, files, posts and discussions that should not be in the public domain.
Sounds like a bad title for a movie, but unfortunately it seems to be business as usual for companies and the US government. A recent Inspector General audit came out showing that some Department of Defense (DoD) groups didn’t scrub data from computers before disposing of them. Sensitive information might get into the wild and either compromise DoD security or result in identity theft.
While I was visiting a client last week, they were discussing an upcoming company cruise that will be taking place this October. The event includes over 500 employees and their spouses. The company sent an Excel spreadsheet to each employee that asks for information such as passport number, Social Security Number and credit card information.
After completing the form, one of the employees mistakenly hit Reply All and his information was instantly sent to over 500 people, most of whom he does not know. Without a way to revoke the rights to the file, his personal information was exposed.
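The "customized profile searches that detect specific information" described in the Data Loss Detection paragraph, and the passport/SSN/credit-card spreadsheet in the cruise story, both come down to the same pre-send check: scan the content for patterns that identify a person or a payment card before it leaves the organization. The following is an added example, not code from the original page or from any product it mentions. It scans constructed sample rows (all values are made up; the card number is the standard 4111… test value) for SSN-shaped strings and for digit runs that pass the Luhn check, and returns masked findings so a mail gateway or share hook could block or quarantine the message.

```python
import re

# Constructed sample rows standing in for cells of the cruise spreadsheet.
# Every value below is invented; the card number is the well-known test number.
SAMPLE_ROWS = [
    "Smith, John, ext 4412",
    "SSN: 123-45-6789",
    "Card: 4111 1111 1111 1111 exp 10/11",
    "Reference 4111 1111 1111 1112 (fails Luhn, not a card)",
    "Passport: X12345678",
]

# US SSN: AAA-GG-SSSS, excluding the area/group/serial values never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Candidate card number: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so a finding can be logged safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_rows(rows):
    """Return (row_index, kind, masked_value) for every SSN or Luhn-valid card found."""
    findings = []
    for idx, row in enumerate(rows):
        for m in SSN_RE.finditer(row):
            findings.append((idx, "ssn", mask(m.group())))
        for m in CARD_RE.finditer(row):
            digits = re.sub(r"[ -]", "", m.group())
            # Length filter plus Luhn cuts most order numbers and timestamps.
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append((idx, "card", mask(digits)))
    return findings


def should_block(rows) -> bool:
    """Gate decision for an outbound message or share: block if anything matched."""
    return bool(scan_rows(rows))


if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
    print("block:", should_block(SAMPLE_ROWS))
```

The Luhn filter matters in practice: a bare 16-digit regex flags order numbers and tracking IDs constantly, and a scanner that cries wolf gets switched off. The same `scan_rows` logic works unchanged over text pulled from web pages or forum posts, which is what the crawler in the Data Loss Detection paragraph is doing with a customer-specific profile instead of these two generic patterns.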
Another client’s Human Resources department had a new administrator access an Excel spreadsheet from the department’s network directory. The visible cells showed the employees’ names and phone extensions. Thinking this would be helpful information for company employees, the administrator emailed the file to all employees. Little did he know that the hidden cells contained salary, stock option and other confidential information. Not sure what happened to the administrator, but needless to say the company had significant issues to deal with.
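The HR story above is a common failure mode: hiding rows, columns or whole sheets in Excel only changes how the workbook is displayed, and everything is still present in the file that gets emailed. An .xlsx is a zip archive of XML parts, so the hidden state is easy to check before a file is sent. The following is an added example, not code from the original page; it builds a constructed, minimal stand-in for an .xlsx (only the parts the check reads, so it is not a file Excel itself would open) with a hidden sheet, hidden columns and a hidden row, and then reports every hidden element it finds. The workbook-to-sheet-file mapping is simplified to scanning every worksheet part by filename rather than following the relationships part.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML main namespace used by workbook.xml and the worksheet parts.
NS = {"s": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def build_fixture() -> bytes:
    """Constructed minimal .xlsx-like zip: a directory sheet with hidden salary
    columns and a hidden row, plus a hidden 'Salaries' sheet (sample data only)."""
    workbook = """<?xml version="1.0" encoding="UTF-8"?>
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <sheets>
    <sheet name="Directory" sheetId="1"/>
    <sheet name="Salaries" sheetId="2" state="hidden"/>
  </sheets>
</workbook>"""
    sheet1 = """<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <cols>
    <col min="1" max="2" width="20"/>
    <col min="3" max="4" width="0" hidden="1"/>
  </cols>
  <sheetData>
    <row r="1"><c r="A1" t="inlineStr"><is><t>Name</t></is></c><c r="C1" t="inlineStr"><is><t>Salary</t></is></c></row>
    <row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>Options grant</t></is></c></row>
  </sheetData>
</worksheet>"""
    sheet2 = """<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <sheetData>
    <row r="1"><c r="A1" t="inlineStr"><is><t>Band</t></is></c></row>
  </sheetData>
</worksheet>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", sheet1)
        zf.writestr("xl/worksheets/sheet2.xml", sheet2)
    return buf.getvalue()


def find_hidden(xlsx_bytes: bytes):
    """Return a list of hidden sheets, column ranges and rows found in the workbook."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        wb = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in wb.findall("s:sheets/s:sheet", NS):
            # "veryHidden" sheets cannot even be unhidden from the Excel UI.
            if sheet.get("state") in ("hidden", "veryHidden"):
                findings.append(("hidden_sheet", sheet.get("name")))
        for name in sorted(zf.namelist()):
            if not (name.startswith("xl/worksheets/sheet") and name.endswith(".xml")):
                continue
            ws = ET.fromstring(zf.read(name))
            for col in ws.findall("s:cols/s:col", NS):
                if col.get("hidden") in ("1", "true"):
                    findings.append(("hidden_cols", name, f"{col.get('min')}-{col.get('max')}"))
            for row in ws.findall("s:sheetData/s:row", NS):
                if row.get("hidden") in ("1", "true"):
                    findings.append(("hidden_row", name, int(row.get("r"))))
    return findings


def safe_to_send(xlsx_bytes: bytes) -> bool:
    """Pre-send gate: refuse any workbook that still carries hidden content."""
    return not find_hidden(xlsx_bytes)


if __name__ == "__main__":
    fixture = build_fixture()
    for finding in find_hidden(fixture):
        print(finding)
    print("safe to send:", safe_to_send(fixture))
```

A check like this belongs at the point of sharing (a mail add-in or a file-share hook), and the remediation is not to unhide and delete but to export only the visible cells to a fresh workbook or CSV, since hidden names, comments and cached formula values can carry the same data.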
Insider threats continue to represent a major concern for all organizations. We were recently made aware of a situation where a major company was responding to a large Request for Pricing (RFP). The company uses FileNet as their Content Management application and has developed strict procedures to ensure the confidentiality of their files. Unfortunately, one of the staff members who worked on the RFP had a friend who worked for the competition. The employee saved the file to a flash drive and sent it to the friend at the competition. That person used the information to underbid the other company and ultimately won the business. Eventually, the theft was uncovered, the individuals involved were fired and the RFP was cancelled. There is no way to determine the cost of litigation, but it is safe to assume that legal costs and fines will exceed a million dollars.