What We Can Learn from the FDIC
The Federal Deposit Insurance Corporation (FDIC) has been under intense scrutiny this year, resulting from the lack of an effective security program. There have been multiple audits conducted by the Office of the Inspector General (OIG), as well as a Congressional Investigation performed by the House Science, Space, and Technology Committee. These investigations were deemed necessary after multiple major incidents involving the unauthorized release of sensitive information. According to the OIG report from July 2016, there were seven major incidents that occurred between the months of February and May of this year. While all of the identified threats are extremely important and need to be addressed, this post solely focuses on major security incidents caused by FDIC employees.
Let’s walk through one of the major security breaches that occurred in Florida, October 2015. In this incident, an FDIC employee copied Personally Identifiable Information (PII) onto a portable storage device. In total, this was a breach that affected over 40,000 individuals and 30,000 banks/other entities. Over 100,000 files were downloaded and stored onto the device, and the employee labeled the data with bank names, data types, etc. The FDIC found out about the breach about a week later, and referred the matter to the OIG. However, it is important to note that the FDIC did not recover the device from the individual until 2 months later, and did not report the incident to Congress (as mandated by FISMA) until instructed to do so by FDIC OIG.
The other breaches were similar in nature. They typically involved an FDIC employee downloading sensitive information onto a portable storage device, and taking that information prior to ending their employment with the FDIC.
So why are so many employees able to take sensitive information, download it onto a personal device (i.e. a USB drive), and walk out of the building? Ultimately, it comes down to the lack of an Insider Threat program. While the FDIC made initial plans to develop such a program, these stalled in 2015, and have yet to be put in place.
Factors Leading to Security Breaches
– Some of the former employees had an extensive history of incidents which escalated to the level of a security risk, yet nothing was done
– FDIC’s data breach policies did not address major incidents
– Lack of resources (e.g. human capital to analyze potential breaches identified by the data loss prevention tool)
– Lack of management buy-in (and in some cases, direct instructions from management not to report major incidents)
– Lack of transparency throughout the organization
Both the OIG and the House Committee concluded in their findings that an Insider Threat program would have prevented, or at the very least, mitigated the major security incidents at the FDIC. The following are key components of DGS’ Insider Threat program. By implementing a program that encompasses these four elements, you will be well on your way to ensuring that your organization is secure from internal threats.
Everything Starts at the Top: As is true with all new policies and programs, if senior management is not 100% on board, nothing will change. C-level positions, not just the IT or security guys, should constantly be aware of the organization’s vulnerabilities and potential risks.
Hold Everyone Accountable: Once the Insider Threat program is implemented, a designee or committee should be appointed to ensure that the program is implemented into the culture of the organization. All information and computing resources must be assigned to an owner who is responsible for classifying and ensuring proper handling throughout the lifecycle. Everyone must be held accountable – appropriate and inappropriate behaviors need to be spelled out and standards must be uniformly enforced for everyone, no exceptions.
Update Access Controls: Many of the breaches at the FDIC were the result of employees having access to information they weren’t supposed to have. It is a good practice to review all accounts every quarter (at the minimum) and remove any that are obsolete. Whenever an employee changes roles, re-assess their access privileges. Finally, and perhaps most importantly, disable accounts immediately upon termination.
Communication is Key: All insiders should be required to formally acknowledge their responsibilities by signing the organization’s Acceptable Use policy. Policies and processes should be clearly communicated to all staff, and at a minimum, annual security awareness training should be mandated. Processes for identifying and monitoring high risk situations should be established, and notification to senior leadership of these situations must be quickly and clearly communicated.
The FDIC is only one of the many organizations suffering because of a lack of an Insider Threat program. While the above mentioned components are by no means all inclusive, they are instrumental in assuring that the policies and procedures put into place are effective and prevent the loss of sensitive data.
Dependable Global Solutions (DGS) has extensive past and current performance with Insider Threat (InT) Program development and execution. DGS staff possess well over 100 years combined senior and senior executive experience with InT, Counterintelligence (CI), Anti-Terrorism/Force Protection (AT/FP), Law Enforcement (LE), and Multi-Disciplinary Threat Analysis and Warning Center experience. DGS offers career professionals, who during their careers played a role in conceptualization and establishment of the discipline now called “Insider Threat”, since the beginning. We provide the expertise and experience to help organizations create their own Insider Threat program including gathering requirements, developing vulnerability reports, creating and implementing a concept of operations, and providing training, awareness, and support.
If you have any questions or comments regarding this post, or would like more information on developing an Insider Threat program, feel free to contact us at firstname.lastname@example.org.