What the FDIC Breach Teaches Us About Basic Security Practices
Last week’s breaking news from the Federal Times that the Federal Deposit Insurance Corporation (FDIC) had failed to report a data breach to Congress reads like a bad comedy. Based on the report, an employee who left the agency for a private-sector role had copied banking records, as well as some 10,000 Social Security numbers, to a personal hard drive.
The FDIC's Chief Information Officer dubbed the data download breach “inadvertent.” The agency didn’t believe this was a “major” breach because the employee wasn’t disgruntled, was in the process of getting divorced, didn’t understand the technology, and the FDIC was able to obtain the USB drive from the former employee. But if my Social Security number or other personally identifiable information (PII) were exposed, I'd surely call this major.
Employees walking off with documents “accidentally” because they don’t know how to use IT systems properly is simply no longer a good excuse. Companies put all sorts of sensitive material into SharePoint, and for obvious reasons: it gives those with a legitimate need for that content a way to find it quickly and easily. This isn’t the first time we’ve heard of the classic insider threat. While the FDIC may have considered this breach 'inadvertent,' knowledge workers are leaving their organization's most sensitive business data exposed, largely as a result of not knowing, or forgetting, basic security practices.
While the user was the one who caused the alarm, PII isn’t simply a user responsibility. IT teams need to do a better job of controlling which users have access, to what information, for what purposes and for how long. Put simply: organizations need a governance strategy to guide the use of any enterprise collaboration system. Good governance is the backbone of good security.
It’s clear that the FDIC lacked a real-time monitoring tool on its file shares or SharePoint. While auditing is a valuable tool for assessing vulnerabilities in any organization’s management of PII, the volume, speed and harm of major breaches mean that auditing is quickly becoming a waypoint activity: useful for an initial determination of fault and for periodically assessing whether infrastructure and procedures are meeting their goals, rather than a control that catches a breach as it happens.
Of course, it doesn’t have to be this way. If FDIC had used ControlPoint within its SharePoint environment, an admin would be immediately alerted if a user had downloaded 10,000 social security numbers or certain bank records. And such a clear breach would have shut the user out of Active Directory.
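To make the alerting described above concrete, here is an added example (not ControlPoint's code and not drawn from the FDIC report): a sliding-window detector over constructed SharePoint-style audit events, where the per-file SSN counts are assumed to come from a DLP or classification scan and the user names, file names and counts are made up for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit events in the shape a SharePoint audit export might take:
# (timestamp, user, operation, item, SSNs the classifier found in the item).
# All values are sample data for this example, not real records.
SAMPLE_EVENTS = [
    ("2016-05-02T09:00:00", "jdoe",   "FileDownloaded", "BankRecords_A.xlsx", 4000),
    ("2016-05-02T09:10:00", "asmith", "FileDownloaded", "Claims_Q1.xlsx",     6000),
    ("2016-05-02T09:15:00", "jdoe",   "FileAccessed",   "Claims_Q1.xlsx",     6000),  # viewed in place
    ("2016-05-02T09:20:00", "jdoe",   "FileDownloaded", "BankRecords_B.xlsx", 3500),
    ("2016-05-02T09:25:00", "jdoe",   "FileDownloaded", "Customers.csv",      3000),
    ("2016-05-02T11:30:00", "asmith", "FileDownloaded", "Claims_Q2.xlsx",     6000),
]


def detect_bulk_pii_downloads(events, threshold=10_000, window=timedelta(hours=1)):
    """Return one alert (user, timestamp, ssn_total) per user whose downloaded
    SSN count within any sliding `window` reaches `threshold`."""
    recent = defaultdict(deque)  # user -> deque of (ts, ssn_count) still inside the window
    alerted = set()
    alerts = []
    for ts_str, user, op, item, ssn_count in sorted(events):  # ISO timestamps sort correctly
        if op != "FileDownloaded":  # only copies leaving the system count toward the threshold
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent[user]
        q.append((ts, ssn_count))
        while q and ts - q[0][0] > window:  # drop downloads that fell out of the window
            q.popleft()
        total = sum(count for _, count in q)
        if total >= threshold and user not in alerted:  # alert once per user
            alerted.add(user)
            alerts.append((user, ts_str, total))
    return alerts


if __name__ == "__main__":
    for user, ts, total in detect_bulk_pii_downloads(SAMPLE_EVENTS):
        print(f"ALERT {ts}: {user} downloaded {total} SSNs within 1h; disable account and review")
```

With the sample data, jdoe crosses 10,000 SSNs on the third download and is flagged, while asmith's two 6,000-record downloads fall outside a single one-hour window and are not.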
Breaches that result from an over-exposure of sensitive data are almost always preventable. IT teams need to recognize they have a problem before Congress knocks on their door in one of two ways: a request to face a Congressional panel or more rigid laws on how the federal government secures PII.