What the FDIC Data Breach Can Teach Us about Data Governance
In October of 2015, an employee of the Federal Deposit Insurance Corporation (FDIC) walked out with sensitive information stored on a portable drive on their last day of work. This included Payment Card Industry (PCI) data with loan and banking information for 44,000 accounts, and Personally Identifiable Information (PII) with as many as 10,000 social security numbers.
The FDIC took its time to investigate and claimed it was not a malicious attack, indicating that the data was not publicly released. While the FDIC stands by its former employee’s promise under oath that no data was shared before returning it to the organization, a recent Congressional committee questioned whether agency officials misrepresented the employee’s intent by claiming it was an “inadvertent breach.” Intentional or unintentional, the incident raises some important questions around the threat of insider breaches.
Is This a Trend?
Studies have consistently shown that organizations expect an employee data breach like the one that happened at the FDIC:
- In January 2011, The Society of Corporate Compliance and Ethics in conjunction with the Health Care Compliance Association conducted a survey of 518 compliance officers to identify organizations’ assessment of cyber risk. The study confirmed that organizations worry more about accidental breaches than they do about intentional breaches. In fact, when it comes to breaches by employees, 61 percent of compliance officers thought an accidental breach was likely, compared to just 30 percent who thought an intentional breach by employees was likely. Similarly, 41 percent thought an accidental breach by a third-party vendor was likely, compared to 13 percent who thought the same of an intentional breach.
- Most modern collaboration applications make it far too easy for customers to over-share information and create potential governance violations. For example, in the latest version of Microsoft Office, using the “share” and “edit” features to collaborate on a document now adds the user you select to the “members” group on your site by default. That user can then choose to share the file with any of their contacts, and so on.
- In the 2016 Verizon Data Breach report, which considered over 100,000 security incidents, human error accounted for the majority of all threatening actions. Some of the top mistakes include using weak, default or stolen passwords (63 percent), opening phishing messages (30 percent) and mistakenly sending sensitive information to the wrong person (26 percent). And a new report by PwC indicates that as many as 90 percent of enterprise accounts have been hit with security breaches. Many of the breaches that we’ve heard about fall directly into the insider category.
Organizations must implement a strategic, well-maintained governance policy to avoid these issues. Without one, such mistakes can result in an ITAR violation, which applies to any U.S. government department that exports defense-related technology in an effort to ensure it doesn’t get into the wrong hands, and a fine of upwards of $75 million.
What Remedies Exist?
What could the FDIC have done to prevent this type of insider breach? What can other companies do to safeguard against these intentional or accidental breaches? A few key technologies exist to assist organizations in mitigating this type of risk. One strategy is to implement USB and device blocking at possible data endpoints. This will prevent employees from copying sensitive data onto a portable drive. IT can also set up warnings of suspicious activity, such as large-scale requests for data access or downloads.
Along those lines, organizations should – if they haven’t already – put access policies in place to make sure only the right information workers have access to sensitive data. The danger often lies in the fact that employees, like the one from the FDIC, have full access to the data they’re downloading. Platforms like cloud-access-security brokers or Microsoft’s advanced security management in Office 365 alert against suspicious behavior by authorized users, but there is still a substantial amount of data that can be obtained before these accounts are locked out. The focus needs to be on effective governance, permissions management and policy enforcement from the start across your most sensitive systems.
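The two controls described above, alerting on large-scale downloads and enforcing access policies so that only the right workers can reach sensitive data, can both be checked against an audit log. The following is an added illustration, not code from the article or from AvePoint: it runs over a few constructed audit-log lines (timestamp, user, action, data classification, record count), flags users whose downloads within a sliding 15-minute window exceed a record threshold, and separately reports every access to a classification that the user’s assigned role is not permitted to touch. The role-to-classification policy, the user-to-role mapping, the threshold and the log format are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real FDIC data): timestamp user action classification record_count
SAMPLE_LOG = """\
2015-10-01T09:02:11 jdoe DOWNLOAD PCI 120
2015-10-01T09:05:40 jdoe DOWNLOAD PCI 900
2015-10-01T09:07:02 jdoe DOWNLOAD PII 3000
2015-10-01T09:09:15 jdoe DOWNLOAD PCI 40000
2015-10-01T10:15:00 asmith VIEW PII 1
2015-10-01T10:20:00 asmith DOWNLOAD PUBLIC 50
2015-10-01T11:00:00 bjones DOWNLOAD PCI 10
"""

# Hypothetical access policy: which data classifications each role may access.
ROLE_POLICY = {
    "loan_officer": {"PCI", "PUBLIC"},
    "hr_analyst": {"PII", "PUBLIC"},
    "contractor": {"PUBLIC"},
}
# Hypothetical directory mapping of users to roles.
USER_ROLES = {"jdoe": "contractor", "asmith": "hr_analyst", "bjones": "loan_officer"}

WINDOW = timedelta(minutes=15)   # sliding window for bulk-download detection (assumed)
RECORD_THRESHOLD = 5000          # records per window that should trigger an alert (assumed)


def parse_log(text):
    """Parse the space-separated audit log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, classification, count = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "classification": classification,
            "count": int(count),
        })
    return events


def policy_violations(events):
    """Return every event where the user's role does not permit the data classification.

    Any hit here means the permission model, not just the exfiltration channel, needs attention:
    the user should not have been able to reach that data at all.
    """
    violations = []
    for e in events:
        role = USER_ROLES.get(e["user"])
        allowed = ROLE_POLICY.get(role, set())   # unknown role or user -> nothing allowed
        if e["classification"] not in allowed:
            violations.append(e)
    return violations


def bulk_download_alerts(events, window=WINDOW, threshold=RECORD_THRESHOLD):
    """Per user, sum DOWNLOAD record counts over a sliding time window and alert once when
    the total exceeds the threshold. Returns a list of alert dicts."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "DOWNLOAD":
            by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        start, total, alerted = 0, 0, False
        for i, e in enumerate(evs):
            total += e["count"]
            # Drop events that have fallen out of the window.
            while evs[i]["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["count"]
                start += 1
            if total > threshold and not alerted:
                alerts.append({
                    "user": user,
                    "records": total,
                    "first": evs[start]["ts"],
                    "last": e["ts"],
                })
                alerted = True   # one alert per user is enough for a responder to act on
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for a in bulk_download_alerts(events):
        print(f"ALERT bulk download: {a['user']} pulled {a['records']} records "
              f"between {a['first']} and {a['last']}")
    for v in policy_violations(events):
        print(f"POLICY VIOLATION: {v['user']} ({USER_ROLES.get(v['user'])}) "
              f"accessed {v['classification']} at {v['ts']}")
```

Run stand-alone, the constructed log produces one bulk-download alert for the user who pulled over 44,000 records in a few minutes, and four policy violations for that same user, whose contractor role should never have reached PCI or PII data. The second finding is the point the article makes: the download alert fires only after the data has already left, whereas the policy check points at the permission that made the download possible in the first place.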
What Does the Future Hold?
To solve some of the major issues associated with inadvertent data breaches, the federal government has funded new programs and created better standards, including:
- Promoting awareness and adoption of National Institute of Standards and Technology (NIST) standards
- Privacy Impact Assessments (PIAs) to help organizations understand which systems hold the most sensitive data, which can be automated with free tools available through organizations like the International Association of Privacy Professionals (IAPP)
- Encouraging “Cybersecurity Sprints” to fix critical issues, patch vulnerabilities, and limit access
Beyond abiding by government regulations and standards, organizations should also self-govern. Most Chief Information Security Officers (CISOs) are tempted to do so by using technology to address the symptom of data exfiltration rather than the root of the issue. But the data breaches that require reporting under federal laws, and the ones that generally make the headlines, all have to do with the volume of data that is exposed to end users. Focusing on how data leaves is focusing on just the tip of the iceberg.
So while they may be tempted only to think about how data leaves, including the monitoring and tracking of logs, organizations need to remember to examine their governance policies. This is the core behind Data Centric Audit and Protection (DCAP) technology: having a single platform that enables you to map classifications to governance controls and report on how effectively you’re securing your more sensitive data.
By implementing a few key IT security tools as well as a comprehensive governance program, organizations can greatly reduce the risk of data breaches – both intentional and unintentional.
About the Author
John Hodges is Vice President of Product Strategy at AvePoint, focusing on developing compliance solutions that address modern data privacy, classification and data protection needs for organizations worldwide. Throughout his eight years at AvePoint, John has worked directly with the company’s product management and research & development teams to cultivate creative ideas and bridge the gap between sales and technology – providing a practical target for innovation and a focused message for sales and marketing. John has been actively engaged in the SharePoint community for several years, working with many Fortune 500 companies to drive sustainable adoption of Microsoft technology and optimize SharePoint’s larger purpose-built implementations. John’s insights and opinions on modern Information Technology can be found in various industry publications, as well as throughout his numerous speaking sessions in webinars and at events worldwide.
Edited by Alicia Young