January 08, 2015

What You Didn’t Know About Government Security Breaches

A recent headline at qz.com, “The Single Biggest Cause of Government Data Breaches is “Oops", doesn't do much to instill confidence in the government’s ability to protect confidential information.

Governments manage a lot of confidential information. From citizens’ social security numbers, passport numbers, and tax information to national intelligence and the actual computer systems that run their infrastructures.

According to Information Week, some of the most significant government breaches in 2014 were the U.S. Postal Service breach with 800,000 workers’ personally identifiable information exposed, the State Employment Department in Oregon with 850,000 job seekers’ information exposed, and the U.S. Investigations Services with 25,000 Homeland Security employees’ information exposed.

Computer operations at the State Department, National Weather Service and the White House were hacked too.

In total, the Privacy Rights Clearinghouse reports that about 1.73 million data records containing bank account information or social security numbers were compromised in 27 government data breaches in 2014.

Globally, Verizon’s 2014 Data Breach Investigations Report showed that governments accounted for nearly 13% of 1,367 confirmed breaches in 2013. The report includes information from 95 countries and 19 industry categories.

Three ‘threats’ accounted for most of the incidents in the public sector:

1. Miscellaneous error (mistakes that compromised security) accounted for 34% of data breaches;
2. Insider misuse accounted for 24%;
3. Crime-ware for 21%.

What can be done to reduce the risk of these threats?

Here are strategies recommended by Verizon and other security industry experts:

• Block: Use data loss prevention to block sensitive information from being sent online. The Verizon report also suggested tighter controls around posting documents, two-factor authentication, anti-virus protection and other security software, and better monitoring of key indicators of breach activity.
• Educate: While formalized information security policies and procedures is critical, there must also be on-going security awareness training for all employees. Committed and knowledgeable employees are an organization’s best defense.
• Document Management: Good document management systems include determining the level of privacy required for each document, and labeling and storing documents accordingly. Documents should be securely destroyed when no longer needed. A Shred-All Policy removes the responsibility – and risk – from employees having to determine whether a document is confidential or not.
• Inspect Out-Going Mail: The research shows government organizations often deliver non-public information to the wrong recipient. Put a system in place to ensure this doesn't happen.
• Control Access: Give all employees access only to the data that are related to their responsibilities. Be sure there’s a system in place that revokes access when people change roles or leave.
• Provide Secure Asset Disposal: Documents and computers cannot be tossed into the garbage because this increases the risk of it getting into the hands of dumpster divers or insider fraudsters. Partner with a company that provides document shredding services with a secure chain of custody including locked consoles for document storage, security trained personnel, and secure on or off site shredding. A certificate of destruction should be issued after every shred. E-media and hard drive destruction is also important. This is the only way to guarantee destruction of confidential information.

Where are paper documents most at risk for a security incident in your workplace? This infographic shows the five most vulnerable points.