Agencies should institute tougher policies on storing sensitive info

Security officials say the policies could reduce the No. 1 cause of data loss: stolen laptops and storage devices.

Most data losses occur when employees forget to delete files on computers and storage devices, an oversight that requires federal agencies to create stricter policies against the download of sensitive information, network security officials said on Wednesday at a conference.

Up to 67 percent of data loss incidents involve information that employees download onto computers or storage devices for temporary use and then don't delete, said Peter McDonald, federal director for data loss prevention solutions at security vendor Symantec, referring to findings reported by the telecommunications provider Verizon.

"Often, if I'm doing a project, I store data [on my computer] and forgot about it," said McDonald, who spoke during a session at the Digital Government Institute's Cyber Security Symposium. "In the environment that we're in today, that data is at risk" of being stolen, either as a result of physical theft of the computer or through a network intrusion that can occur when an employee remotely signs in from a wireless hot spot.

A number of high-profile data breaches have occurred at federal agencies in the past few years. In May 2006, an employee with the Veterans Affairs Department violated agency policy and took home a laptop with the Social Security numbers of 26.5 million veterans. The laptop was stolen, and later recovered. In August 2007, the names and Social Security numbers of 3,000 Hawaiian postal employees were compromised when a laptop computer was stolen.

Every organization has had a leak, said Charles McGann, manager of corporate information security at the U.S. Postal Service. "If you think you haven't, think again," he said.

McGann referenced an incident in which a postmaster downloaded a copy of office employee records from the agency network onto his laptop. "Why is it there? In most instances, it's a matter of convenience," he said. But "we have 20,000 servers. There's no reason for you to store that information locally."

USPS now forbids employees from storing sensitive information on personal computers or devices, but "you're still depending on the employee [to comply] with the policy," McGann said. To make sure employees do this, the agency uses a tool that automatically detects and blocks sensitive data in motion and encrypts files. But, McGann warned, encryption "is not the be-all and end-all, because if the guy you gave access to is the weak link, it won't matter.
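As an added illustration of the data-at-rest side of such a tool (example code written for this page, not the USPS's product or anything described in the article): a scanner that walks a directory for files containing structurally plausible Social Security numbers, so forgotten local copies can be found and removed. The file names and contents are constructed samples, and the plausibility rules are the public SSA structural constraints, not a lookup against issued numbers.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample files: a leftover project export holding SSNs, and a
# benign note whose hyphenated numbers merely look like SSNs.
SAMPLE_FILES = {
    "project_export.csv": "name,ssn\nA. Veteran,123-45-6789\nB. Veteran,234-56-7890\n",
    "notes.txt": "Ticket 000-12-3456 and order 666-01-0001 are not SSNs.\n",
}

# Lookarounds stop a longer digit run (e.g. an account number) from matching.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

def is_plausible_ssn(area, group, serial):
    """Structural rules: area is never 000, 666 or 900-999; group is never 00;
    serial is never 0000. Cuts false positives on ticket and order numbers."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

def find_ssns(text):
    """Return every structurally plausible SSN found in the text, in order."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]

def scan_directory(root):
    """Map each file (relative path) under root to its count of plausible SSNs;
    files with none are omitted so the report lists only what to clean up."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")  # tolerate binary junk
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        n = len(find_ssns(text))
        if n:
            hits[str(path.relative_to(root))] = n
    return hits

def write_samples(root):
    """Write the constructed sample files into root (used for the demo run)."""
    for name, body in SAMPLE_FILES.items():
        (Path(root) / name).write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        write_samples(d)
        for name, n in scan_directory(d).items():
            print(f"{name}: {n} plausible SSN(s); delete it or move it to a server share")
```

A real deployment would also need to open office and archive formats and to scan removable media, which this sweep over plain text deliberately leaves out.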

"Security awareness is your biggest weapon in the arsenal," he added. "If you don't store it, you won't lose it, and if you don't need it, don't store it."
