Forty-five percent of Federal agencies reported that, during the past year, they were the target of a digital insider — an employee with authorized network access who knowingly steals or unwittingly exposes sensitive data. And at least a third of those agencies reported suffering an actual loss of data, according to a new survey by MeriTalk.
The report, Inside Job: Federal Insider Threat Report, surveyed 150 Federal IT managers from across civilian, defense and intelligence agencies. And while the statistics on the number of agencies reporting insider incidents are not new, the lack of data monitoring and employee training uncovered by the survey raises significant questions about the pace of Federal efforts to deal effectively with both malicious and unintentional insider threats to sensitive data.
As many as 40 percent of agencies said they could not tell when or how documents were being shared, or even when a loss occurred. In other words, agencies still don’t know where their data resides and who has access to it. Likewise, another 43 percent said their agencies had not yet properly identified and classified their data repositories. Combine these statistics with the large percentage of IT managers (51 percent) who report it is common for Federal employees and contractors not to follow appropriate security protocols when handling electronic data and you have a perfect storm of insider threats.
I know a few things about the evolution of the insider threat. In addition to having served as an intelligence officer in the military, I researched and wrote a book in 2005 that detailed how organizations of all sizes fall victim to insider spies and inadvertently leak volumes of sensitive information. That research leveraged unprecedented access to real-time data loss analytics from some of the largest government agencies and companies in the nation. What makes what I learned a decade ago so important and relevant to the latest findings of the MeriTalk survey is the apparent lack of significant progress made during that time to tackle the basic, foundational aspects of insider threat detection and prevention: knowing what data you have, what data you need to protect, where that data is and who has access to it.
Based on the results of the latest MeriTalk survey, what I watched happening in real time a decade ago is still happening today throughout a large portion of the Federal government. This was the real-time threat picture in 2005 based on the 48-hour risk assessments to which I had access:
In the banking and finance sector, a Fortune 400 financial services firm watched as the private data of 200 of its customers was communicated to a private Hotmail e-mail account. That same firm also witnessed thousands of pieces of proprietary customer data leave its network unencrypted and a potential leak of a decision to downgrade a publicly traded stock.
In the high-tech sector, executives at a Fortune 100 technology developer were shocked to learn that proprietary engineering documents were sent to a competitor. Subsequent forensic investigation revealed it was the work of an insider who was seeking a new job.
A government healthcare organization discovered an employee had leaked military casualty reports to the press. Another such healthcare institution, where the private data of senior government officials is known to be stored, confirmed more than 2,000 violations of the Health Insurance Portability and Accountability Act (HIPAA) in just 48 hours.
Why are these examples important? They’re important because they represent basic security policy violations that have not been addressed adequately in more than a decade. In the latest MeriTalk survey, 65 percent of Federal IT managers said it is “common” for employees and contractors to email work documents to personal web mail accounts. Fewer than half said their agencies have deployed data loss prevention technologies and a paltry 10 percent said they have plans to do so in the next two years.
If you still don’t believe these latest findings are cause for concern, just ask former NSA system administrator Edward Snowden how easy it was to download and exfiltrate tens of thousands of documents from what was supposed to be the most secure agency in the world. Or ask former FBI agent and convicted spy Robert Philip Hanssen how easy it was to search through FBI investigations for his own name and remain undetected.
The bottom line is that while government-wide goals and awareness are important, the basics of policy enforcement still matter.