Security

Government’s Worst Nightmare Isn’t Another Edward Snowden — It’s Accidental Leaks

The problem might get worse before it gets better, but agencies aren’t without recourse to avert disaster.

Rick Vanover is senior director of product strategy at Veeam Software.

Dave Russell is vice president of enterprise strategy at Veeam Software.

After the recent disclosure that a young airman leaked classified documents online, the federal government is once again dealing with the reality that bad actors inside and outside agencies are intent on sharing national secrets.

That fact alone is enough to keep security leaders up at night. Couple it with a less hostile but equally destructive ongoing threat, and you have a full-blown nightmare scenario.

This less-hostile threat is accidental leaks by internal personnel who have no malicious intent. They’re just going about their jobs, living their lives, accessing and potentially sharing information they shouldn’t, and carelessly placing their agencies and U.S. interests at risk.

Click the banner below to learn about the benefits of hybrid cloud environments.

Accidental Leaks: The Scope of the Problem

Human error is by far the biggest cause of data breaches across the public and private sectors. The World Economic Forum’s 2022 Global Risks Report traced 95 percent of cybersecurity issues to some form of human error. Verizon’s found that 82 percent of breaches that year resulted from human mistakes.

Accidental leaks have been a thorn in the side of governments worldwide for years. A British spy left secret Iraq and al-Qaida documents on a train, Australian classified documents were discovered in sold filing cabinets, and U.K. government counterterrorism tools were inadvertently leaked on Trello. In the U.S., the personal information of 191 million voters was posted online in 2015, and U.S. soldiers accidentally leaked nuclear secrets on flashcard apps.

The problem could get worse before it gets better. Data portability is growing exponentially, giving governments the ability to host data in a number of places and allowing for multidepartmental access across hybrid working environments. Increased virtual work can reduce the level of supervision organizations have over employee tech practices.

Increasing data in the cloud creates more portals for hackers to enter and take advantage of sloppy data handling. Such trends, combined with personnel’s lack of knowledge of cyber hygiene or operational security, make government data sources an exfiltrator’s dream.

Prevent Leaks by Moving to the Cloud and Zero Trust

The public and private sectors have many options for helping employees avoid letting information slip.

First, organizations can ensure they’re securing data in cloud and container environments. As organizations invest in the cloud, many fail to create networking and security frameworks that meet the rigorous standards they came to expect on-premises. If organizations don’t build cloud security models before implementation, it’s often too late to go back and set proper controls. This puts the organizations’ data at risk. It’s effectively like allowing a rogue actor to sit in the office with you, connected to your network.

Second, organizations can refine their policies concerning who has access to what data. Given the critical value of information, especially if it’s classified, organizations must establish zero-trust security models and role-based access control procedures built on the principle of least privilege.

Zero-trust security models force users to actively demonstrate that they can be trusted to access the information they seek. This means deploying tools that can identify known users based on passwords, login details or biometric data. The principle of least privilege narrows the funnel by allowing users to access only the tools, technologies and documents they’re authorized to use. If and when their roles change, the organization can modify users’ access privileges.

EXPLORE: Combat insider threats with advanced analytics.

Digital Hygiene and Other Best Practices to Boost Security

Third, organizations should take the issue of inadvertent leaks as a sign to improve staff digital hygiene practices. This includes regular rounds of education about cybersecurity practices and the need for appropriate data handling.

Organizations aren’t staffed top to bottom with security experts, so they must provide basic knowledge and delineate the appropriate actions to take when faced with an incident. They also must repeatedly test the effectiveness of their cybersecurity training programs.

Many organizations host security awareness trainings once or twice a year. This isn’t enough. Human firewall training should be continuous, and employees should receive updates and new briefings as threats arise.

Digital hygiene also involves tagging important digital assets. Insight into which assets are critical to an organization and how to effectively protect them is vital in creating a successful cybersecurity response plan.

Other best practices include the following:

Configuring multifactor authentication to ensure additional account security
Using a robust password policy and an account lockout policy
Removing unused devices, applications, departed employee accounts, and nonessential programs and utilities
Turning off internet access, ports and other connectivity when not needed
Ensuring all in-use software, hardware and firmware are running up-to-date software through patch management

Governments and private organizations are under attack. Rogue actors are getting more creative and more knowledgeable every year, forcing organizations to do more to protect vital assets from falling into the wrong hands.

While protective tactics should focus on hostile threats, they should extend to nonhostile threats as well, because inadvertent information sharing also can put organizations at risk.

DISCOVER: Strengthen your security with cost-effective training.

Frazao Studio Latino/Getty Images