Cybersecurity

Beware of the self-inflicted data breach


While government agencies invest in protecting themselves from external cyber threats, a Verizon report to be published April 23 warns that many data breaches are self-inflicted.

Of the over 63,000 cyber incidents across public and private industries that Verizon studied for its 2014 Data Breach Investigations Report, more than a quarter were due to miscellaneous errors such as accidental online publishing or sending an email to the wrong recipient. As the country’s largest employer and a gatekeeper of untold amounts of data on employees and constituents, the federal government is prone to sending non-public information to the wrong person, the report found.

Agencies might be aware of the problem “on a micro-scale, but they don’t know how big the problem really is,” said Chris Porter, managing principal of the Verizon Cyber Intelligence Center and co-author of the report.

Installing data loss prevention software and instituting “a blanket prohibition against storing un-redacted documents on a file server that also has a Web server running” are two ways that organizations can guard against unintentional disclosures of sensitive data, the report said.

The number of organizations contributing data to the annual report has risen sharply in the last few years, from five in 2012 to 18 organizations last year, and now 50 organizations in 2014, Porter said. U.S. government and government-related organizations that contributed data this year included the Department of Homeland Security, the Electricity Sector Information Sharing and Analysis Center, and the Secret Service.

Verizon decided to expand the scope of the report significantly this year by including data from cyber “incidents,” or whenever a system was threatened, and not just when an actual theft occurred. As organizations shared their security data for the report, “we realized that they had a lot more data than just confirmed data breaches, and that there was a lot for us to learn from focusing on other types of incidents as well,” Porter added.

There is still a need for detailed studies of how individual cyber breaches occur, he argued. While public disclosure laws often require organizations to tell their customers about a breach, “the one thing that we don’t learn about any of these events is how they happened,” he said.

The National Transportation Safety Board thoroughly investigates every plane crash and delivers a post-mortem report so airlines can avoid the same mistakes, Porter said. Why can’t the security industry be the same way?

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.

Connect with Lyngaas on Twitter: @snlyngaas.

