Accidental Leaks: The Scope of the Problem
Human error is by far the biggest cause of data breaches across the public and private sectors. The World Economic Forum’s 2022 Global Risks Report traced 95 percent of cybersecurity issues to some form of human error. Verizon found that 82 percent of breaches that year resulted from human mistakes.
Accidental leaks have been a thorn in the side of governments worldwide for years. A British spy left secret Iraq and al-Qaida documents on a train, Australian classified documents were discovered in sold filing cabinets, and U.K. government counterterrorism tools were inadvertently leaked on Trello. In the U.S., the personal information of 191 million voters was posted online in 2015, and U.S. soldiers accidentally leaked nuclear secrets on flashcard apps.
The problem could get worse before it gets better. Data portability is growing exponentially, giving governments the ability to host data in a number of places and allowing for multidepartmental access across hybrid working environments. Increased virtual work can reduce the level of supervision organizations have over employee tech practices.
Increasing data in the cloud creates more portals for hackers to enter and take advantage of sloppy data handling. Such trends, combined with personnel’s lack of knowledge of cyber hygiene or operational security, make government data sources an exfiltrator’s dream.
Prevent Leaks by Moving to the Cloud and Zero Trust
The public and private sectors have many options for helping employees avoid letting information slip.
First, organizations can ensure they’re securing data in cloud and container environments. As organizations invest in the cloud, many fail to create networking and security frameworks that meet the rigorous standards they came to expect on-premises. If organizations don’t build cloud security models before implementation, it’s often too late to go back and set proper controls. This puts the organizations’ data at risk. It’s effectively like allowing a rogue actor to sit in the office with you, connected to your network.
Second, organizations can refine their policies concerning who has access to what data. Given the critical value of information, especially if it’s classified, organizations must establish zero-trust security models and role-based access control procedures built on the principle of least privilege.
Zero-trust security models force users to actively demonstrate that they can be trusted to access the information they seek. This means deploying tools that can identify known users based on passwords, login details or biometric data. The principle of least privilege narrows the funnel by allowing users to access only the tools, technologies and documents they’re authorized to use. If and when their roles change, the organization can modify users’ access privileges.
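The per-request decision described above, as an added example that is not part of the original article or any product's code. The role names, resources, and the `decide` and `change_role` helpers are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed role map: each role lists only the (resource, action) pairs it
# needs. Anything not listed is denied (least privilege, deny by default).
ROLE_GRANTS = {
    "analyst": {("threat-reports", "read")},
    "records-clerk": {("personnel-files", "read"), ("personnel-files", "write")},
}


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    password_ok: bool                # credential check result for this request
    second_factor_ok: bool           # e.g. biometric or token check result
    on_office_network: bool = False  # recorded, but never used to grant access


def decide(request, assignments):
    """Return (allowed, reason) for one request; every request is re-checked."""
    # Zero trust: the user must demonstrate identity each time. Network
    # location is deliberately ignored, so being "inside" earns nothing.
    if not (request.password_ok and request.second_factor_ok):
        return False, "identity not demonstrated"
    role = assignments.get(request.user)
    if role is None:  # unknown or offboarded account
        return False, "no role assigned"
    if (request.resource, request.action) not in ROLE_GRANTS.get(role, set()):
        return False, f"role {role!r} lacks {request.action} on {request.resource}"
    return True, f"granted via role {role!r}"


def change_role(assignments, user, new_role):
    """Return new assignments with the user's role replaced, or removed if None.

    Roles are the only source of permissions, so old grants disappear at once.
    """
    if new_role is not None and new_role not in ROLE_GRANTS:
        raise ValueError(f"unknown role: {new_role}")
    updated = {u: r for u, r in assignments.items() if u != user}
    if new_role is not None:
        updated[user] = new_role
    return updated
```

Because permissions attach only to roles, reassigning or removing a role is enough to revoke access; there are no per-user grants left behind to audit.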
Digital Hygiene and Other Best Practices to Boost Security
Third, organizations should take the issue of inadvertent leaks as a sign to improve staff digital hygiene practices. This includes regular rounds of education about cybersecurity practices and the need for appropriate data handling.
Organizations aren’t staffed top to bottom with security experts, so they must provide basic knowledge and delineate the appropriate actions to take when faced with an incident. They also must repeatedly test the effectiveness of their cybersecurity training programs.
Many organizations host security awareness trainings once or twice a year. This isn’t enough. Human firewall training should be continuous, and employees should receive updates and new briefings as threats arise.
Digital hygiene also involves tagging important digital assets. Insight into which assets are critical to an organization and how to effectively protect them is vital in creating a successful cybersecurity response plan.
Other best practices include the following:
- Configuring multifactor authentication to ensure additional account security
- Using a robust password policy and an account lockout policy
- Removing unused devices, applications, departed employee accounts, and nonessential programs and utilities
- Turning off internet access, ports and other connectivity when not needed
- Ensuring all in-use software, hardware and firmware are kept up to date through patch management
Governments and private organizations are under attack. Rogue actors are getting more creative and more knowledgeable every year, forcing organizations to do more to protect vital assets from falling into the wrong hands.
While protective tactics should focus on hostile threats, they should extend to nonhostile threats as well, because inadvertent information sharing also can put organizations at risk.