By George Khalil.
Cybercrime has become a focal point of national security and a frequent topic in discussions of risk management. News about major corporate and government breaches affirms that no organization or public agency is immune to a persistent, skilled attacker. Critical infrastructure is also increasingly becoming an attractive target for criminals due to its growing reliance on technology.
Why Are Criminals Targeting Sensitive Data?
Adapting and responding to evolving cyber threats and protecting critical infrastructure and proprietary business assets are essential for both government agencies and businesses. “Post-mortem” analyses of breaches offer a treasure trove of lessons learned and reveal attack tactics, techniques and procedures.
Cyber criminals leverage technology vulnerabilities and trickery to exploit the human-technology gap — by targeting sensitive passwords, data and applications regularly used by staff. Data theft is the goal of most recent breaches. Cyber criminals typically break into vulnerable systems and pivot between systems using stolen credentials or posing as a third-party contractor to gain access to valuable data.
Targeted confidential data comprises personnel records, public billing information, credit card numbers, financial or health records and more. The theft of your city’s legally protected data can result in significant regulatory fines, loss of public trust and damage to the city’s reputation.
Fortune.com estimates that in 2016, the cost of data breaches averaged $4 million dollars or $158 per record. Medical history, credit card data and Social Security numbers have the highest cost per stolen record at $355.
Sensitive Data Risk Management
Data is the new currency. Traditional currency and property risk-management techniques also apply to protecting against cybercrime. Regulated or sensitive data has monetary value and makes an attractive target for cybercriminals. Reducing the amount of regulated data stored on hand is equivalent to cash management practices, such as moving excess cash from registers to a hardened safe or transporting it to a bank’s vault. Unrestricted and unmonitored employee access to a large amount of cash is typically prohibited; however, public agencies often fail to apply the same level of scrutiny for employee access to regulated or sensitive data.
Eliminate Unnecessary Sensitive Data
Removing and reducing the amount of unnecessary sensitive data offer the best protection against data loss. An attacker cannot compromise records that simply don’t exist.
Retaining and storing sensitive data increase the agency’s liability in the event of a breach. Unfortunately, many organizations have stale worksheets and other files containing sensitive or regulated data that may have been overlooked or forgotten. Such files may contain sensitive information such as Social Security numbers, birthdates and other personally identifiable information (PII).
“Unnecessary duplicate copies of records and those kept past the time specified by agency retention policies — with or without sensitive information — are avoidable pitfalls,” says Colleen Nicol, city clerk for the City of Riverside. “Although it’s not glamorous work and admittedly time-consuming, designating sufficient resources and giving high priority to cleanup and ongoing file maintenance greatly reduces risk for the agency.”
Having employees manually review large numbers of files for potential PII is daunting and labor intensive. Data classification and loss prevention products help facilitate automated discovery, classification and remediation of sensitive and regulated data.
Such automated discovery tools may run overnight or for a period of a few months, depending on how much data your agency retains. The initial discovery process often highlights aged and unmaintained data as well as extensive duplication of data. For example, employees typically save multiple versions of reports, sensitive documents and billing information on their local systems and in email or shared network drives.
Automated data loss prevention tools also reveal risky business processes. Cities can take this opportunity to:
- Involve employees and ask them to review the reasons for storing such data;
- Help employees better understand records retention policies; and
- Make the appropriate business process changes to store data in a secured system of record such as a financial system, rather than in offshoot spreadsheets and reports. This will help ensure better data cleanup and elimination of duplicate data.
Secure applications can be designated as authorized containers for regulated data to address encryption, authentication and auditing requirements.
Create Safe Zones for Sensitive Data
After data cleanup and hygiene techniques are in place, there are several ways to better secure remaining sensitive data. Such data should be encrypted and only designated individuals allowed to access it. This role-based access should be supplemented with audit logs, similar to the restrictive nature of modern-day electronic safes and bank vaults with auditing capabilities.
Encrypting sensitive data when it’s being transmitted or in transit is another important way to protect it. This is the equivalent of an armored transport vehicle that protects valuables traveling between safe locations. Much like fire, earthquake, auto or professional liability insurance, cyber liability insurance provides protection against the remaining risk that cannot be addressed through other risk mitigation techniques.
Cities should also monitor sensitive data throughout its lifecycle within the organization. Technology solutions can enforce encryption or prevent the data from leaving the agency. Encryption technology protects the data if a device is stolen, effectively reducing the value of the loss to the cost of the stolen hardware.
Prevent the Release of Sensitive Data
To detect and prevent the release of sensitive data, implement business process oversight protocols and automated tools. Sensitive data stored outside the designated systems can be compromised due to employee oversight, missed or inadvertently omitted as a part of a larger dataset — or stolen.
The sheer volume of data in the average public agency environment — combined with the lack of visibility and classification of regulated data — is bound to result in a breach. Numerous examples illustrate this. For example, in response to a public records request, Poway Unified School District in 2016 released to one parent the records of 36,000 students, including district-based test scores, some of which are protected information under the Family Educational Rights and Privacy Act. The University of California, Santa Cruz, suffered a breach in 2017 when thieves stole two laptop computers with unencrypted, regulated data. And in another instance, in 2017, a Boeing employee asked his spouse to help him with a spreadsheet formatting issue. The employee sent the spreadsheet file from work to his spouse and did not realize that the document contained hidden columns with over 35,000 employee records, including Social Security numbers and dates of birth. Although this event did not happen in a public agency setting, it nevertheless underscores the ease with which such lapses can occur.
Technology solution products can intercept such data before it is accidentally emailed to someone outside the organization.
Classify, Discover, Monitor and Protect Sensitive Data
Most data breaches involve exposure of sensitive data outside designated secure zones or authorized systems. It’s not unusual for public agencies to find unencrypted sensitive data on employees’ laptop and desktop computers, shared network drives and removable media, such as thumb drives.
Cities should treat data in the same manner as cash. Regulated data should be identified, classified, appropriately marked and encrypted on all systems throughout the agency. The movement of regulated data must be monitored and prevented from leaving designated systems to prevent accidental release or theft. Data loss prevention scans should be performed on all records before release to identify any regulated data that should have been redacted within a larger data set request. Encrypting stored data within protected systems and on users’ computers and removable media protects agencies against equipment theft.
No amount of funding or technology tools can prevent all data breaches. However, cities can significantly reduce the risk of data breaches by raising employee awareness through cybersecurity awareness and data hygiene training, creating strong policies around PII data, scanning and removing outdated and duplicate data and implementing protocols to
prevent data from leaving the agency.
George Khalil is information security officer for the City of Riverside and can be reached at GKhalil@riversideca.gov.