Security breaches of enterprises such as Target and Experian are big news. But every day, there are security incidents and breaches of smaller companies and organizations all over the planet. The U.S. government itself is certainly not immune. In 2016 alone, “government agencies reported 30,899 information-security incidents, 16 of which met the threshold of being a major incident.
In March and April, WikiLeaks released what it claimed to be a list of CIA hacking tools. According to investigation reports, it was able to get what it called “Vault 7” while this information passed from government employees to outside contractors in a way that was “unauthorized.”
The hacking tool known as “EternalBlue” was stolen from the NSA and used by a group known as Shadow Brokers to attack over 150 countries. When it did not receive its ransom demand for 1 million Bitcoins, it released the tool.
The IRS data retrieval tool for student loan applications was breached as early as fall, 2016 and continued into 2017, until it was discovered and the tool turned off. As many as 100,000 possibly had their taxpayer information compromised. The hackers also filled out 8,000 loan applications and stole $30 million from the government.
And in 2017, 21 states were notified by the Department of Homeland Security that their electoral systems were the target of Russian hacking during the 2016 election.
The most common cause
A study conducted by PricewaterhouseCoopers showed that most breaches, corporate or government, occur not by overt attempts of hackers and nation states, but, rather, because of current or former employees not following very basic rules of cybersecurity. They are either not aware of the key threats or they choose to ignore them.
This is a matter of education and training and keeping a much closer eye on what employees are doing on their work computers and devices that create risk.
For both IT and regular employees, here are six basic rules of cybersecurity that should be followed:
IT administrators are often lax about software and apps updates and deleting the ones no longer in use. While software providers work hard to patch vulnerabilities, using outdated versions leave an organization vulnerable. And keeping no-longer-in -use software and apps provides an entry point for hackers, because that software is still communicating in the background with any number of servers
Emails from unknown sources. This is one of the big issues when employees use their work computers to access their personal email accounts. A lot of phishing occurs here, especially with hackers posing as well-known individuals or institutions. Once those emails are opened, and users begin to follow instructions for downloads, etc., the hackers are in. The most critical defense is to never use a work computer to access personal email. Employees should only use their personal devices (phones, tablets, etc.) to access their email accounts. While this is standard policy among all government agencies, the sheer number of employees means that a percentage will not adhere to such a policy.
The solution lies in a couple of steps. First, IT administrators must set up monitoring systems, so that they are alerted when the policy is broken by any employee. Consequences must be swift and tough, including termination. Examples must be set. Second, each agency has a specific browser and email server. All others should be blocked, so that employees cannot access their personal email accounts. This preventive measure takes any temptation away, and then no one has to deal with the aftermath of breaches.
Personal information revealed on social media. This is a huge problem. When federal employees work for agencies that handle highly sensitive material and data, they should never reveal their employment details on their social media profiles. A Facebook profile that provides name, birthdate and specific federal employment information provides hackers with a vulnerability that they can use to take advantage of that person.
Solutions are really no-brainers. All social media platforms should be blocked on work computers and devices. And employees must be instructed regarding how they list their employment on their personal social media accounts. Again, breaches of this policy must come with severe consequences.
Work mobile devices are not for personal use — ever. Federal employees who work “in the field” are often provided with mobile devices. These devices have built-in security. When employees decide to use them for their personal activities, those security measures can break down. Once a hacker is “in” that device becomes a doorway to access information and data.
Scientific and research paper writing should never be housed on a personal device or account. Employees who are involved in critical and often highly sensitive research must ensure that their work product is fully secure. Using personal devices to save such research and writing is never a good practice.
Reporting any suspicious activity. This is a matter for education and training. All federal employees should be trained to pick up on any suspicious-looking activity and the means for reporting such activity immediately. If this had happened with the IRS data retrieval issue, taxpayer information breaches would have been far less in number, and the government could have saved $30 million. A closer look at those loan applications might have revealed this breach much sooner.
Using common sense and reacting to gut feelings
We have all, in our personal use of the internet, social media and email, come across activity that just seems suspicious. We are asked to click links, to provide personal information and are even presented with websites and logos that appear to be the “real thing.” While consumers are continually warned about this type of activity, some still fail to be vigilant. Federal employees are no different than most consumers.
When employees receive communications via their work or personal computers — communications that appear legitimate but that have requests for sensitive information — they must be trained to question everything. If it doesn’t “feel” right, then it probably is not. It is time to check with a supervisor who can determine the legitimacy of such a communication. Far better to be slow in responding than to respond and cause a security breach.
Most cybersecurity threats rely on human error or ignorance. When employees do not take cyber threats seriously, they are lax about their online activity, particularly using work computers for personal activities or for communicating sensitive information with contractors and other agencies via unsecured means.
The challenge for IT administrators is to monitor the online activities of employees while they are on work computers and devices. While this may seem to be an “invasion of privacy,” it really is not. Work computers are for job-related tasks only, and federal agencies have been far too lax about the use of PCs for personal activity. This is something that must be driven home with employees, and there can be no tolerance for personal use.
As for mobile devices that are government issued for government business, there should be a no-tolerance policy as well, and all non-work sites/browsers must be blocked. Any employee using such a device for personal purposes must be disciplined quickly and severely. This is not an era in which potential security hacks can be tolerated.
Employees must be trained to question any activity that seems out of the ordinary. If this means inconveniencing any number of people, so be it. Security has to trump everything else.
No research activity, data gathering, or scientific reports should ever be saved or shared via unsecure means. These all belong to the agency for which these activities are commissioned and conducted, not to the individuals conducting such activities. Work product from work time is not personally owned.
A tightening of rules is imperative, given the sophisticated measures that hackers now use to infiltrate government agency computer systems. And employees need to understand their liability when breaches occur. Following the “rules” will go a long way in the prevention of attacks.
Amanda Sparks is a writer, researcher and blogger from Atlanta, Georgia.