Over the last several months, the personal banking data of around 160,000 individuals has been removed from the Federal Deposit Insurance Corp. (FDIC) by employees leaving the agency. These breaches occurred in at least seven separate incidents when departing employees copied their own personal information to removable thumb drives, and, according to FDIC, inadvertently copied customer banking data at the same time.
So what can we take away from this story to ensure that history does not repeat itself?
First and foremost, continuous and ongoing employee education is imperative. This education cannot be a once-a-year training course, but rather it must be pervasive throughout your company culture. In the absence of security education or experience, people (employees, users, and customers) naturally make poor security decisions with technology. This means that systems need to be easy to use securely and difficult to use insecurely.
This is a critical point — and probably one of the single largest opportunities for security programs to be revamped. Make it easier for your end users to do the right thing, rather than inadvertently and unknowingly do the wrong thing.
Understand the Data That Your Agency Holds
Every organization has sensitive data, including customer information, employee records, intellectual property, and medical records. In order to appropriately protect it, you must understand the lifecycle of data in your business. Determining what the data is; how it is being created or collected; how it is maintained, stored, and shared while it is being used; and how it should be disposed are key when implementing better practices that will protect these valuable assets.
Once security practitioners have an understanding of the original source of the data, they can best decide where it should live, with whom it can be shared, how it can be accessed and how it should be destroyed.
Delineate Between Work-Related and Personal Data
As illustrated most painfully by the breaches at FDIC, employee personal data, or any other non-work-related data, should not be mingled with official/work-related or customer data. While it may not be realistic to entirely prohibit employees from interacting with some of their own personal information during working hours, it is realistic to delineate that data, store it separately, and prevent employees from co-mingling work and personal data on work machines.
This of course becomes particularly challenging when employees use their own devices to do their jobs, or work in remote offices. However, this was not the case at FDIC. In order to determine the best controls to protect your data, you need to understand the data in context.
Reduce Data Hoarding
While most data should have some sort of end to its lifecycle, some enterprises are guilty of data hoarding. Data maintained on company or agency systems should be kept for reasonable business purposes, then archived or deleted. As long as you have the data, you have to protect it. Data hoarding results in a significant data problem for the enterprise, because the more you have, the greater your risk of someone with malicious intent targeting your enterprise. It also means you will spend more time protecting data that no longer holds its original value to your organization.
Considering “a day in the life of a document” is a good practice that will help you to classify your data and understand where it goes, who has access to it, and how long it should be there.
Create a Culture of Compliance
One classic problem that has led to many breaches is the assumption that someone else is responsible for protecting data at different stages of its existence. Security and data protection is not just the job of your CISO and chief privacy officer. It is everyone’s responsibility every day. If security practitioners get a good sense of what the business is doing today and know how users are interacting with data as part of their jobs, they can better determine security policies. Thinking about what kind of responsibility your users can have and how technology can help will drive better security practices.
At FDIC, three simple things could have helped to prevent these data breaches from happening:
- A policy (that is enforced) stating that when an employee is exiting his or her job, the data being removed should be reviewed and approved before that employee leaves the company.
- A policy (that is enforced) stating that once an employee is exiting a job, his or her access to systems with customer data on them should be limited and supervised.
- A policy (that is enforced) that requires all company data to be scanned, tagged, and classified so that it cannot possibly be intermingled with and/or inadvertently removed from a company system by a departing employee.
By tagging and classifying corporate data, organizations can then effectively layer in other security and data protection controls. These controls, combined with identity management and access controls, would then direct and contain data within the appropriate systems.
Using a combined or layered approach to data classification, identity management and access controls, and context-aware data loss prevention systems can ensure that the policies, training, and tools you are providing are being properly understood and integrated into the day-to-day tasks of your workforce. Security and data protection is a “team sport” in which every employee is a player. This is the lesson that everyone can take away from the FDIC breach to help prevent their organization from becoming tomorrow’s headline story.
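The three policies listed above and the layered classify-then-enforce approach can be sketched in code. The following is an added illustration, not code from the article or from FDIC: a minimal content scanner tags each file as customer data, the employee's own personal data, or unclassified, and a context-aware policy then decides whether a departing employee's copy to removable media is allowed, blocked, or held for a reviewer's approval. The detection patterns, tag names, file contents, and the employee record are all constructed for the example; a real DLP product would use far richer fingerprints and would log rather than return its decisions.

```python
"""Added example (not from the article): classify files by content, then
apply a removable-media policy that is aware of who is copying and whether
that person is leaving the organization. All patterns, tags, sample files
and the employee record below are constructed for illustration."""
import re
from dataclasses import dataclass

# Constructed detection patterns: a US-style SSN and a made-up account
# number format. Real classifiers use validated fingerprints, not two regexes.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ACCT_RE = re.compile(r"\bACCT-\d{8}\b")

TAG_CUSTOMER = "customer-data"      # contains identifiers of other people
TAG_PERSONAL = "personal"           # contains only the employee's own identifiers
TAG_UNCLASSIFIED = "unclassified"   # nothing recognised; a human must look

ALLOW, BLOCK, REVIEW = "allow", "block", "hold-for-review"


@dataclass(frozen=True)
class Employee:
    username: str
    own_ssn: str      # the employee's own identifier, so their own records are recognised
    departing: bool   # set by HR when an exit is in progress (assumed integration)


def classify(content: str, employee: Employee) -> str:
    """Tag a file from its content. Any account number, or any SSN that is not
    the employee's own, means the file holds customer data and is tagged as such
    even if the employee's own data is also present (the FDIC 'mixed copy' case)."""
    ssns = set(SSN_RE.findall(content))
    accts = set(ACCT_RE.findall(content))
    if accts or (ssns - {employee.own_ssn}):
        return TAG_CUSTOMER
    if ssns:
        return TAG_PERSONAL
    return TAG_UNCLASSIFIED


def decide(tag: str, employee: Employee, destination: str) -> str:
    """Policy: customer data never goes to removable media; a departing
    employee's unclassified copies are held for the exit review; everything
    else is allowed (other controls still apply on internal destinations)."""
    if destination != "removable":
        return ALLOW
    if tag == TAG_CUSTOMER:
        return BLOCK
    if employee.departing and tag == TAG_UNCLASSIFIED:
        return REVIEW
    return ALLOW


def evaluate_transfer(employee: Employee, files: dict, destination: str) -> list:
    """Return (path, tag, decision) for every file in a requested copy."""
    results = []
    for path, content in files.items():
        tag = classify(content, employee)
        results.append((path, tag, decide(tag, employee, destination)))
    return results


def summarize(results: list) -> dict:
    """Count decisions so the exit reviewer sees at a glance what was stopped."""
    counts = {ALLOW: 0, BLOCK: 0, REVIEW: 0}
    for _, _, decision in results:
        counts[decision] += 1
    return counts


# Constructed sample: a departing employee copying a folder to a thumb drive.
EMPLOYEE = Employee(username="jdoe", own_ssn="123-45-6789", departing=True)
SAMPLE_FILES = {
    "benefits_form.txt": "Name: J. Doe\nSSN: 123-45-6789\nEnrollment 2016\n",
    "q3_export.csv": "name,ssn,acct\nA. Customer,987-65-4321,ACCT-00012345\n",
    "notes.txt": "Lunch with the team on Friday\n",
    "mixed_download.csv": "SSN: 123-45-6789\nACCT-00098765\n",
}

if __name__ == "__main__":
    for path, tag, decision in evaluate_transfer(EMPLOYEE, SAMPLE_FILES, "removable"):
        print(f"{decision:16} {tag:14} {path}")
    print(summarize(evaluate_transfer(EMPLOYEE, SAMPLE_FILES, "removable")))
```

The point of `classify` taking the employee as context is the one the article makes about delineating personal from work data: a file holding only the employee's own SSN is their personal record and may leave, while a file that also carries a customer's account number is customer data regardless of how it got there, and is blocked rather than relying on the employee to notice.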