Semper Fidelis is the U.S. Marines’ motto – “always faithful.” Perhaps an ironic twist of phrase in the context of its recent and preventable data breach. Let’s recap. The Marine Forces Reserve recently announced that personal information of over 21,000 Marines, sailors, and civilians was “compromised.” The PI included social security numbers, bank account and routing numbers, card information, name, address and other contact information. In other words, PI that is a treasure trove for identity thieves. Some of the PI may have been redacted in part. How did this breach occur? The culprit was an e-mail incorrectly sent with an unencrypted attachment. The email was sent out by the Defense Travel System, which manages travel itineraries and expense reimbursement. Obviously, sensitive location information is also in play. Probably not a big thing for a travelling salesperson, but highly problematic for defense sector travel.
This is clearly not the biggest breach and barely made a blip in data security news, but it is all too common and avoidable. So we (again) endeavor to point out some simple things employers and employees can and must do to prevent data breaches.
Recently released surveys continue to point out the high frequency of breaches caused by “employee mistake” – meaning breaches caused completely by internal, non-malicious actions. This is the second most prevalent cause of data breaches. While we have seen some progress in this regard (employee mistake was the #1 cause of breaches until a few years ago), we can do much more to significantly reduce incidents in this area.
This breach lays bare some truths about the limits of technological, managerial, and administrative safeguards. Presumably the sender had appropriate access to and need for the PI, and sending the PI was in furtherance of a legitimate job function. Further, the information was sent to legitimate (if erroneous) email addresses. Controls can only eliminate/restrict sending email to certain domains; controls cannot ensure the recipient is correct. Finally, at this point, there are limited technological controls (at least economically feasible methods) for determining whether PI exists in an attachment and ensuring the sender intended the PI to be sent. The best defense to this breach was making sure the sender had the correct recipient list and the PI-laced attachment was encrypted. Had either been done, the breach would likely not have occurred.
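The two controls the paragraph above says are feasible, restricting recipients to approved domains and refusing to send an unencrypted attachment that carries PI, can be combined into a pre-send check. The following is an added example written for this post, not code from the Marine Forces Reserve, the Defense Travel System, or any mail gateway. The allowed domains, the message, and the attachment text are constructed for illustration; the SSN plausibility rules (area 000, 666 and 900-999 never issued, group 00 and serial 0000 invalid) and the ABA routing-number checksum are the published rules.

```python
import re

# Constructed list of recipient domains the organization permits (assumption for this example).
ALLOWED_DOMAINS = {"example.mil", "example-reserve.mil"}

# Formats the post says were in the leaked attachment: SSNs and bank routing numbers.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
ROUTING_RE = re.compile(r"\b\d{9}\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings the SSA could never have issued."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def is_valid_routing_number(digits: str) -> bool:
    """ABA checksum: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) must be divisible by 10."""
    d = [int(c) for c in digits]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def find_pi(text: str) -> list:
    """Return (kind, value) pairs for PI found in attachment text.

    Only formats with a checkable structure are flagged, so a 9-digit account or
    reference number that fails the ABA checksum is not reported as a routing number.
    """
    findings = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            findings.append(("ssn", m.group(0)))
    for m in ROUTING_RE.finditer(text):
        if is_valid_routing_number(m.group(0)):
            findings.append(("routing_number", m.group(0)))
    return findings


def recipients_outside_allowed_domains(recipients: list, allowed=ALLOWED_DOMAINS) -> list:
    """Return every recipient whose domain is not on the allow list."""
    bad = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
        if domain not in allowed:
            bad.append(addr)
    return bad


def check_outbound_message(recipients: list, attachment_text: str, attachment_encrypted: bool):
    """Decide whether a message may leave: returns ('block' | 'allow', reasons).

    Policy (from the post): PI may only travel encrypted, and mail may only go to
    approved domains. The check cannot tell whether an approved-domain recipient is
    the *right* person; that remains the sender's responsibility.
    """
    reasons = []
    external = recipients_outside_allowed_domains(recipients)
    if external:
        reasons.append("recipients outside allowed domains: " + ", ".join(external))
    pi = find_pi(attachment_text)
    if pi and not attachment_encrypted:
        kinds = sorted({kind for kind, _ in pi})
        reasons.append(
            f"unencrypted attachment contains {len(pi)} PI item(s) ({', '.join(kinds)}); encrypt before sending"
        )
    return ("block" if reasons else "allow"), reasons


# Constructed attachment text in the style of a travel reimbursement record.
SAMPLE_ATTACHMENT = """Traveler: J. Doe  SSN: 123-45-6789
Reimbursement to routing 021000021 acct 000123456
Reference 123456789 (not a routing number)
Invalid SSN-looking value 000-12-3456
"""

if __name__ == "__main__":
    for recips, enc in [
        (["jane@example.mil"], False),
        (["jane@example.mil"], True),
        (["jane@example.mil", "j.doe@example.com"], True),
    ]:
        decision, why = check_outbound_message(recips, SAMPLE_ATTACHMENT, enc)
        print(decision, why)
```

The message with an unencrypted attachment is blocked even though its only recipient is on the allow list, which is the control that would have stopped the breach described here. Pattern checks of this kind catch only well-formed values, so they reduce rather than eliminate the mistakes the post discusses; the training and recipient-verification steps still have to carry the rest.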
So we are back to rigorous employee education and training on known issues and threats (supplemented when new threats emerge), providing easy-to-understand and accessible best practices, and making support readily available for questions, concerns or help. Proper use of email and encryption is a start to alleviating employee mistakes. Here are some others: log off devices when not in use; use complex and unique passwords; avoid using public wi-fi; avoid transferring data among devices (even if all devices are approved); hold portable media close; appropriately secure and dispose of PI in physical form; test employees on what they have been taught and educate them on what they may not have understood (discipline if necessary at some point). Honest mistakes will still be made – we are human. However, we can reduce (substantially) these mistakes with a bit of employer effort combined with employees attuned to the task.
There is a second front in this battle – hackers infiltrating through employees, primarily by email. Phishing, spoofing, malware, and ransomware are collectively the largest, most frequent and most successful threats. While technological safeguards have proven effective, they are not infallible. Non-IT humans are often the last line of defense, and decisions made to click on a link or attachment, or whether to act upon a request to change payment instructions from a vendor, or whether to respond when the CFO requests you provide the bank accounts and routing numbers related to employee pay in PDF form, will determine what happens next. Sometimes it is a breach, other times a computer/system is held hostage, other times you send $1,000,000 to a thief instead of a business partner, and sometimes employees detect the intrusion and appropriately pass along the threat so the organization becomes more organically educated. Alert, informed, and thoughtful employees are the last defense for attacks sophisticated enough to elude other safeguards. Again – educate, train, test, support.
In the spirit of the Marine Corps, may employees be always faithful to reducing mistakes and mindful of threats. Ooh rah.