Thursday, August 01, 2013
SEC data leak highlights insider threats
Secure File Transfer
In recent years, organizations of all kinds have become increasingly aware of the importance of protecting internal data from loss, theft and exposure. Data breaches have caused tremendous damage to firms of every size and sector, from private businesses to nonprofit agencies and beyond. These organizations have suffered financially, both directly and indirectly, and have seen their reputations greatly tarnished by such data protection failures.
Yet for all of the progress made in this area, organizations are still coming up short when it comes to protecting their clients, and their employees, from these threats. In particular, many firms have failed to develop strategies and implement tools that can adequately counter employees' tendencies to engage in risky data-handling practices.
This vulnerability was recently highlighted by a data breach at the Securities and Exchange Commission (SEC), in which an inadvertent insider exposed sensitive employee data, The Hill reported.
According to the news source, a letter from Thomas Bayer, SEC's chief information officer and senior agency official on privacy, revealed that SEC employee data had been found on another federal agency's network.
"We deeply regret this occurrence and apologize for any inconvenience this incident may cause," Bayer wrote, according to the news source. "Please be assured that the SEC is committed to protecting the information with which we are entrusted."
However, despite this assurance, the incident indicates that more effective policies and tools may be needed to ensure employees' sensitive data remains protected. According to the letter, a former SEC employee "inadvertently and unknowingly" downloaded a variety of personal information onto a thumb drive and eventually uploaded this data to the other agency's network. Nearly a year passed before this breach was discovered. It is not known how many employees had their personal information exposed, according to The Hill.
"What if he'd gone to the private sector? What if he'd dropped that thumb drive somewhere, with mine, and I'm assuming quite a few other people's, personal information?" asked Hester Peirce, a former SEC employee who was informed of the breach, The Hill reported. "Human error is something we really have to worry about."
Peirce's concerns do not apply solely to the SEC. Every organization has a responsibility to protect its employees' data from security threats, and this includes threats posed by other workers. As this incident showed, without proper training and adequate alternatives, employees will resort to insecure practices that can put all kinds of information at risk of loss, theft or exposure. The use of a thumb drive and the inadvertent transfer of employee data illustrate this danger.
To avoid incidents of this kind, firms of all kinds should make easy-to-use secure file transfer solutions available to all relevant employees. By giving workers the tools they need to move sensitive information safely, and then training these personnel to leverage these solutions, firms can greatly reduce the risk of experiencing a breach.