The recently reported data breach that affected 240,000 Department of Homeland Security employees is a harsh reminder that the people inside an organization are the greatest threat to data security. While hackers, ransomware and other attacks make headlines, it is worth remembering that a trusted insider is involved in every breach: someone either did something, or neglected to do something, that allowed the breach to occur. The DHS breach is no different.
Unlike the widely publicized hacker and ransomware attacks, the DHS breach was not committed by outsiders. A former employee is under investigation for having an unauthorized copy of the DHS Case Management System database in their possession.
The DHS breach also reminds us about the broad reach that compromised data can have: it affected current and former employees, as well as subjects, witnesses, and complainants associated with DHS Office of Inspector General investigations from 2002 through 2014.
Investigators say the personal information of affected individuals was apparently not the primary objective of the data exfiltration, but such assurances ring hollow. The impacts are the same, and bring consequences that even organizations as large as the DHS can ill afford: investigations, negative publicity, and hard costs to notify affected individuals and provide remediation. And few affected individuals can easily afford the burden of costs, inconveniences, and uncertainties that result from a data breach.
The DHS breach is yet another reminder of how essential it is that everybody within an organization be fairly and adequately vetted, and that they take mandatory, extensive training regarding data protection, privacy, and related issues. All too often, though, organizations that promise to “respect your privacy” gamble with data.
Executives, who often have an inadequate understanding of the technology, the law and the risks, are sometimes quick to deny funding for data protection training and to justify the refusal as a cost-saving measure. Other organizations develop or purchase training courses that provide ‘high level’ information but little substantive guidance. Such courses do have one attraction for decision-makers: they take very little time to deliver, which suits those who insist that online training will be ignored unless it comes in segments of less than twenty minutes.
The continued increase in ransomware attacks — which are predicted to be “the most dangerous threat to businesses and organizations worldwide” — makes training and awareness even more critical than in the past.
Knowing what to look for is important to avoid being taken in by authentic-looking emails, and is a reminder that the old adage ‘better safe than sorry’ really does apply.
- Watch for emails that demand urgent attention, contain misspellings, or use key words such as kindly, verify, validate, important and urgent; for messages that carry warnings or require account verification; and for those that implore readers to open an attachment or sign in to read a document.
- Ensure all employees know how to hover a cursor over an embedded link to reveal its true destination, and that they invest the few seconds it takes to compare that destination with the domain they expect. On a phone there is no hover; a long press on the link shows the same information.
- Be certain that everybody in the organization knows to be cautious about any email that asks for large sums of money to be paid out, even if it purports to be from a regular supplier or vendor, and to call the supposed sender first, using a number already on file rather than one supplied in the message. Remind them that nobody will face retribution for questioning authority.
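The three checks above can also be applied mechanically before a message reaches a reader. The following is an added example, not code from the original article: it scores a raw message for the urgency key words the article lists, automates the ‘hover over the link’ check by comparing each link's visible text with the host its href actually points to, flags a known vendor's display name on an address from a different domain, and notes risky attachment types. The vendor table (`KNOWN_VENDORS`), the attachment extension list, the threshold of two key words and both sample messages are assumptions constructed for illustration.

```python
# Added example, not code from the original article: the three manual checks
# above (urgency key words, the 'hover over the link' destination check, and a
# vendor's name on an address that does not belong to that vendor) as a
# heuristic triage of a raw message. Vendor table and samples are constructed.
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_WORDS = {"kindly", "verify", "validate", "important", "urgent"}
RISKY_ATTACHMENTS = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".htm", ".html", ".iso", ".zip")
KNOWN_VENDORS = {"acme supplies": {"acme-supplies.example"}}  # assumed: display name -> real domains


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; bare 'host.tld' anchor text is accepted too."""
    return (urlparse(url if "://" in url else "https://" + url).hostname or "").lower()


def same_site(shown, real):
    """True when one host equals or is a subdomain of the other (www.x vs x)."""
    return shown == real or real.endswith("." + shown) or shown.endswith("." + real)


def link_mismatches(html):
    """Anchors whose visible text looks like a host but whose href goes elsewhere."""
    parser = LinkExtractor()
    parser.feed(html)
    pairs = [(host_of(t), host_of(h)) for t, h in parser.links if "." in t and " " not in t.strip()]
    return [(s, r) for s, r in pairs if not same_site(s, r)]


def sender_spoof(from_header):
    """Display name of a known vendor on an address from a different domain, else None."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    expected = KNOWN_VENDORS.get(name.strip().lower())
    return (name, domain) if expected and domain not in expected else None


def triage(raw):
    """Human-readable findings for a raw RFC 5322 message; an empty list means no cue fired."""
    msg = message_from_string(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    plain_text, html_text = (plain.get_content() if plain else ""), (html.get_content() if html else "")
    corpus = " ".join([msg.get("Subject", ""), plain_text, re.sub(r"<[^>]+>", " ", html_text)])
    findings = []
    hits = sorted(set(re.findall(r"[a-z]+", corpus.lower())) & URGENCY_WORDS)
    if len(hits) >= 2:  # a single key word is common in legitimate mail
        findings.append("urgency cues: " + ", ".join(hits))
    for shown, real in link_mismatches(html_text):
        findings.append(f"link text shows {shown} but points to {real}")
    spoof = sender_spoof(msg.get("From", ""))
    if spoof:
        findings.append(f"display name '{spoof[0]}' but address domain {spoof[1]}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENTS):
            findings.append(f"risky attachment {name}")
    return findings


def build_message(sender, subject, text, html, filename):
    """Constructed sample: plain and HTML alternatives plus one attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "ap@victim.example", subject
    m.set_content(text)
    m.add_alternative(html, subtype="html")
    m.add_attachment(b"stub bytes", maintype="application", subtype="octet-stream", filename=filename)
    return m.as_string()


# Constructed lure: vendor's name on a foreign domain, urgency words, disguised link, macro document.
PHISH = build_message(
    "Acme Supplies <billing@acme-supplies-invoice.example.net>", "URGENT: kindly verify payment details",
    "Kindly verify the attached invoice. Important: validate your account.",
    '<p>Kindly verify the attached invoice. Important: validate your account at '
    '<a href="http://acme-supplies.example.evil-host.net/login">portal.acme-supplies.example</a></p>',
    "Invoice_4471.docm")

# Constructed legitimate message from the same vendor, for comparison.
BENIGN = build_message(
    "Acme Supplies <billing@acme-supplies.example>", "Invoice 4471", "Please find invoice 4471 attached.",
    '<p>Please find invoice 4471 attached; details are at '
    '<a href="https://portal.acme-supplies.example/invoices/4471">portal.acme-supplies.example</a></p>',
    "Invoice_4471.pdf")
```

Running `triage(PHISH)` yields four findings (the key words, the link whose text names the vendor's portal but whose href lands on a different host, the vendor name on a foreign domain, and the macro-enabled document), while `triage(BENIGN)` yields none. The host comparison deliberately treats `www.acme-supplies.example` and `acme-supplies.example` as the same site so that legitimate mail is not flagged, but `acme-supplies.example.evil-host.net` fails the test because the vendor's name is only a prefix, which is the trick the hover check is meant to expose.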
A few moments to increase awareness and take simple precautionary measures are an important investment in data protection that every organization ought to afford.