6 Ways Government Agencies Can Prevent Internal Data Breaches
Hackers love government data. Beyond the fact that different nations and political entities are willing to pay for it, the right records can be a goldmine for identity thieves. While some thieves break into mailboxes or email accounts, compromising government databases can deliver a huge list of prospects in one fell swoop.
What’s the difference between internal and external security breaches?
Although there are a multitude of security breach methods out there, they’re often categorized into “external” (i.e. initiated by an outside actor like a hacker or fraudster) and “internal” (perpetuated or assisted by staff – either on purpose or by mistake) groups.
If an employee falls for a phishing email (like an instance of executive fraud), that’s considered an external breach. If an employee deliberately steals data, sells their access, or accidentally exposes or discloses confidential data outside the organization, that would be considered an internal breach – the employee either perpetrated the crime or accidentally provided the inciting opportunity.
How big of a problem are internal breaches?
While they don’t necessarily make the news as often as high-profile external breaches carried out by hacking collectives or foreign governments, internal breaches are a very big problem within a wide variety of industries handling electronic records.
It has been reported that 58% of all healthcare breaches are initiated by insiders, and internal government breaches have led to massive amounts of records being compromised.
In 2015, the Georgia Secretary of State’s office accidentally mailed twelve CDs containing the birthdays, driver’s license numbers, and social security numbers of the entire electorate of the state of Georgia (about 6.1 million people). Dubbed “PeachBreach,” this was a major scandal for the Secretary of State. While only 12 copies of the CD were mailed and all recipients signed affidavits saying they had destroyed and/or returned the disks without copying their content…once that horse is out of the barn it can be very hard to put it back in.
No malicious actors were involved, it was a simple failure to communicate (and some poor internal access controls) that lead to a staffer getting what they thought was the usual list with a bunch of extra private data included.
The cost to the state? Possibly over $1.5 million in audits and credit monitoring.
While it’s (thankfully) becoming less and less likely for sensitive information to be physically mailed about, this file could just have easily been emailed to the wrong people. Human beings make mistakes. Some human beings do bad things. When individuals have this much access to sensitive information in a digital format that can easily be copied, deleted, or distributed, that represents a huge risk.
How agencies can protect against internal breaches
1. Establish controlled strata of access
Whether they do it intentionally or accidentally, it’s a simple truth that employees can only release information they have.
Establishing levels of secured access to files, with staff members only being able to get to what they actually need to do their jobs, can dramatically reduce your organization’s exposure in the event that they make a mistake or their credentials are compromised.
In the case of PeachBreach, the staffer making the CDs had no need to access that sensitive information. They accidentally grabbed an unusual copy of the file (with it included) that’d been created for someone else’s project. If they’d been locked out of the file, there wouldn’t have been a question of them noticing that something was different. It would have been impossible for them to make the mistake.
2. Increase security training and culture
While security training is commonly associated with protecting against outside threats (viruses, social engineering, phishing), there are some ways it can help against internal breaches. The most obvious one is encouraging a protective stance towards agency property whenever it leaves the facility.
It’s also helpful to foster a “See something? Say something!” culture encouraging staff to report their concerns. Whether someone is deliberately breaking rules or simply making a mistake, the problem is infinitely easier to solve if caught before private information actually leaves the agency’s sphere of control. It’s essential to replace the perception of this as “tattling” with an understanding that warning about problems protects innocent citizens, taxpayer dollars, and the agency’s reputation.
3. Introduce effective recordkeeping
Knowing who accessed what, when, is not just good policy to make further audits easier and track down issues in hindsight, it can also serve as an additional deterrent against internal breaches. When employees know that their interactions with sensitive materials are monitored, they’re less likely to take a peek when they’re not supposed to (out of curiosity) or download files they shouldn’t.
The best secure document exchange solutions automatically record everything they do. If your employees use them for all transfers of sensitive information, it’ll make regulatory compliance far easier (and easier to prove).
4. Enable 2-factor authentication
2-Factor Authentication (2FA) refers to requiring two independent sources of identification to access something, most often a server, file, webstore, or service. In addition to a password, the user has to prove that they are in control of another linked & authorized account or device providing a supplemental temporary passcode, pin, etc.
2FA isn’t just powerful additional security against outside threats; when used in document exchange solutions it can help reduce the risk of accidental breaches through miss-addressed messages. If the file goes to the wrong person, but the verification goes to the right person (or visa-versa), the wrong person can’t access the information. We all make mistakes when addressing emails, those mistakes shouldn’t lead to breaches.
5. Prevent physical storage leaving the premises
Rather than letting staff hand-carry sensitive files outside of the office, require them to log in to a central storage hub that the IT department has complete, physical control over.
If files are being accessed remotely rather than stored remotely, that access can be cut. If someone steals a hard drive, you have to find the drive, plus ensure that they didn’t make copies before you caught them. If someone steals a laptop that’s only being used as a workstation to access files on internal servers, that laptop’s access can be cut at any time (ideally as soon as the theft is discovered), preventing exposure.
6. Streamline security protocols to encourage compliance
The best security protocols in the universe won’t do you any good if staff refuse to use them. It’s important that security solutions be intuitively designed and easy, because employees will go around them if they aren’t.
A 2019 study by YouGov and DTEX Systems indicates that when it comes to security guidelines, perception of importance does not translate to adoption. While 75% of workers surveyed agreed that encrypted file exchange was important, only 16% had used such a system in the last 60 days. 2-Factor Authentication had a similar issue (69% agree it is important, only 30% used it).
Cutting Edge Secure Document Exchange Solutions
Your organization has access to citizens’ most private and powerful information, but protecting against outside threats only solves part of the problem. Implementing a cutting-edge secure file exchange solution can go a long way towards reducing your risk. XM SendSecure delivers strong encryption, tight 2FA-backed access controls, and allows the sender to cut off access to files at any time. The solution is designed to be intuitive, fast, and easy to use. It has also been built from the ground up with regulatory compliance requirements in mind (HIPAA, FERPA, SOX, GDPR, etc.).
Because XM SendSecure utilizes ephemeral storage for transfers, files can be set to delete themselves after download or a set period of time. This means that there aren’t copies created that bad actors can stumble across later (when they’re no longer being actively accounted for by staff).
Learn how this solution can streamline workflows while making them more secure against both internal breaches (intentional or accidental) and outside threats.