Anticipating an employee-caused data breach can be incredibly difficult. However, there are several areas in which agencies can improve:
Assess the risk. Discovering and prioritizing possible vulnerabilities in the storage and transferring of sensitive data is a critical first step. To start, ask four questions about your agency:
-- How do your employees typically send and receive confidential files?
-- What's your agency's common practice for accessing mobile information?
-- If the agency has experienced previous incidents, what were the causes?
-- Do you have well-documented policies in place that teach staff which file transfer methods are okay, and which are risky?
Regularly review regulatory compliance requirements. The Federal Information Security Management Act (FISMA) requires agency officials to audit data security initiatives and report results annually. However, at the rate that technology evolves, IT should regularly determine the status of agency compliance, particularly if employees' routine actions meet regulatory requirements.
Secure and manage data in motion. Data that is being transferred from one source to another has a particularly high risk of being lost, stolen, or otherwise compromised -- especially in the case of internal breaches and the potential for human error. IT must implement systems that can effectively secure and manage data in motion. Transparency is also important. You need visibility into what was sent, how it was sent, to whom it was sent, and who accessed it.
Educate agency employees. Inside jobs with malicious intent do occur, but in reality many incidents are the result of accidents. Mitigate the risk at the source by educating agency employees on compliance issues and poor data-handling practices, such as third-party storage, insecure email and unapproved devices.
Tightening the security perimeter will always be a top priority for federal IT professionals. But as agencies invest to keep the bad guys out, it's equally important to consider the people who are already in.