By now, everyone involved in the world of cybersecurity understands the importance of sending and receiving data in a secure manner. Cybersecurity professionals will tell you that whenever you release files and they travel across systems over which you have no control, you must take certain steps to ensure the data is secure. For example, the file can be encrypted and digitally signed using advanced algorithms before being sent. Additionally, you can transmit the files across a secure channel using communication protocols such as AS2, SFTP, FTPS, etc. This ensures that in the rare event that files are intercepted, they are unreadable and therefore useless to the intercepting party. This process is often referred to as securing data “in transit.”
Data “at rest,” as the term implies, is data stored on a drive that is not currently in use or being transmitted. By its very nature, this is generally a relatively secure state: the storage device is buried in a machine housed internally behind multiple layers of security, network devices, etc. However, the data itself is still legible and accessible from the other machines behind those same layers. Additionally, these machines are still connected to the internet in some way and are thereby potentially reachable by cyber thieves.
Today, the majority of data breaches are initiated from internal machines once thought to be highly secure. For example, a user unknowingly picks up a piece of malware from a website, opens an infected email attachment, or even knowingly accesses the data with malicious intent. These events happen many times a day, across organizations of all sizes, all around the world. Securing your data while at rest can make it useless to such a would-be thief.
Securing data at rest (at least at a high level) seems easy enough. You can encrypt the data using strong algorithms such as AES or RSA in various ways: through software or applications, or even in the hardware itself. However, what happens when you need to access the data? How do you integrate these encryption methods with your third-party applications and communication tools? This is where securing data that has been, or will be, transmitted externally can become a daunting task… or does it?
Luckily, a solution does exist. You could deploy a managed file transfer solution which has a secure and encrypted datastore, such as bTrade’s TDXchange software. In fact, for many years bTrade’s cybersecurity experts have offered the ability to secure the data at-rest with the simple click of a box in the user interface. We can automatically encrypt all files sent and received over all aspects and areas of processing with virtually no impact to the user.
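The following is an added illustration, not bTrade’s code and not a description of how TDXchange works internally, of what “encrypt at rest, decrypt transparently on access” looks like for a file-transfer datastore: each file is sealed with AES-GCM before it reaches storage, the file name is bound as associated data, and the raw stored bytes never reveal the plaintext. It assumes an in-memory store and a caller-supplied key (a real deployment would obtain the key from a KMS or HSM).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Datastore keeps every stored file encrypted at rest under one data-encryption
// key supplied by the caller (assumed to come from a KMS or HSM in practice).
type Datastore struct {
	aead  cipher.AEAD
	files map[string][]byte // name -> nonce || ciphertext || GCM tag
}

// NewDatastore wraps an AES-GCM cipher; key must be 16, 24 or 32 bytes.
func NewDatastore(key []byte) (*Datastore, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Datastore{aead: aead, files: make(map[string][]byte)}, nil
}

// Put encrypts before anything reaches storage; the name is bound as associated data.
func (d *Datastore) Put(name string, plaintext []byte) error {
	nonce := make([]byte, d.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	d.files[name] = d.aead.Seal(nonce, nonce, plaintext, []byte(name))
	return nil
}

// Get decrypts for the caller; tampering or a record copied to another name fails the tag check.
func (d *Datastore) Get(name string) ([]byte, error) {
	ns := d.aead.NonceSize()
	sealed, ok := d.files[name]
	if !ok || len(sealed) < ns {
		return nil, errors.New("no such file or record truncated")
	}
	return d.aead.Open(nil, sealed[:ns], sealed[ns:], []byte(name))
}

// Raw returns the bytes exactly as they sit on the storage medium.
func (d *Datastore) Raw(name string) []byte { return d.files[name] }
```

Because GCM is authenticated, a record that was modified on disk, or moved under a different file name, is rejected at read time instead of being handed to an application as corrupted data.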
bTrade Can Help
It’s no longer enough to secure your data only while in use or in transit. To learn how bTrade can help you secure ALL aspects of your critical data, please contact us at firstname.lastname@example.org.
Also, you can stay current on developments in the world of cybersecurity by following bTrade on Twitter, Facebook, LinkedIn and Google+.
More Government Dysfunction When it Comes to Cybersecurity
In connection with the US federal government’s National Critical Infrastructure Security and Resilience Month (CISR Month), MFT Nation offered a “case study in what-not-to-do” concerning the cybersecurity misadventures of a key department of the White House. While writing this case study, we discovered that an additional US government agency—the Internal Revenue Service (IRS)—had some pretty bad cybersecurity practices as well. We want to share what we learned from a report recently released by the IRS auditor showing how lax the IRS is when it comes to protecting taxpayers’ personally identifiable information (PII).
Unencrypted Email Use Puts Taxpayer Information at Risk
The auditor’s report, entitled “Employees Sometimes Did Not Adhere to E-mail Policies Which Increased the Risk of Improper Disclosure of Taxpayer Information,” is based on a random sample of e-mails sent by 80 IRS employees in one division during a four-week period in 2015. The IRS auditor found the following significant cybersecurity violations:
- Even though IRS policy requires employees to encrypt emails containing PII, about half of the 80 employees sent a total of 326 unencrypted e-mails that contained information about 8,031 different taxpayers internally to other IRS employees or externally to non-IRS email accounts.
- Fourteen of the offending e-mails were sent with taxpayer PII in the e-mail subject line (probably a taxpayer name and social security number); the subject line cannot be encrypted, and placing PII there is expressly prohibited by IRS cybersecurity policies.
- Six employees sent 20 e-mails that “involved official IRS business” to personal e-mail accounts.
IRS Management Promises to Take Corrective Steps. But Will Management Stand By Its Promises?
IRS management promised to take corrective steps recommended by the auditor to establish a “systemic solution.” But soon after making such promises, IRS management also issued statements which attempted to downplay the significance of the cybersecurity violations. For example, one IRS manager claimed that most of the offending emails posed “minimal risk” because they were sent internally and therefore protected by the agency’s firewall. This type of response demonstrates an utter lack of understanding of cybersecurity best practices.
Most, if not all, cybersecurity professionals would tell the IRS that the best data security strategy involves several different security methods deployed in a layered manner. A layered approach reduces the likelihood that an attack will succeed by forcing the attacker to penetrate multiple security measures deployed at different layers of the network. In fact, government regulators have sanctioned private sector companies for failing to deploy and/or properly use a layered approach, reasoning that such tools could have eliminated or reduced the risk of a data compromise.
In addition, the attitude of the IRS manager is downright disturbing. When data is transmitted unencrypted, the risk is never “minimal.” Remember, not all the unencrypted emails were sent behind the firewall. Also remember that six IRS employees sent 20 e-mails that “involved official IRS business” to personal e-mail accounts. Remember as well that widespread violations were discovered based on a spot check of a very small sample: only 80 employees in one division during a four-week period in 2015. One can only imagine how many similar incidents the auditor would have discovered had he reviewed emails sent and received over the last couple of years by all 80,000 IRS employees.
As for the unencrypted emails sent behind the firewall, government regulators have sanctioned private sector companies under similar circumstances reasoning that the “potential” for harm still exists. For example, take a look at all the documents filed in an administrative proceeding brought by the US Federal Trade Commission (FTC) against a company named LabMD. According to this document filed by LabMD, the FTC spent “millions of taxpayer dollars to destroy a small, innovative cancer detection laboratory” even though no evidence existed that any consumer was harmed by the alleged cybersecurity violations. One blog described the LabMD saga as “the story of how one simple breach of a single rule by a single employee sank a $4 million per year company.”
The same should apply to government agencies like the IRS and its employees; there must be consequences for bad cybersecurity practices. While the IRS has penalties—ranging from a warning to removal—for employees who put taxpayer information in unencrypted e-mails, there “was no evidence provided” to the auditor that any penalties were enforced. In other words, no employee will be disciplined for violating crucial cybersecurity policies. Nor was any IRS manager disciplined, although IRS management did promise to send a meaningless e-mail to all managers stressing the “importance of managerial awareness.” Yeah, like that’s really going to trigger any real change in behavior. To effect real change in the IRS cybersecurity culture, there must be consequences for such blatant disregard of vital cybersecurity policies.
The Awkward Truth About US Federal Government Cybersecurity Practices
“Unprotected e-mails put taxpayers at risk of identity theft, or inappropriate disclosure of information about their identity and tax returns,” according to the auditor’s report. This incident reveals an awkward truth for an agency that is required to protect taxpayer information. Yet to our surprise and dismay, very few people or media sources are reporting about this very serious problem. Why is that? I think we all know the answer.
Stay tuned for further developments regarding the IRS cybersecurity audit (we understand other cybersecurity audit reports exist). In between MFT Nation posts, you can stay current on developments in the world of cybersecurity by following bTrade on Twitter, Facebook, LinkedIn and Google+.