A recent data leak at the FDIC provides a cautionary tale about the risks removable media creates for data security.
Friday, February 26 was an FDIC employee’s last day at the agency. As she packed up her office, she downloaded what she thought were her own personal files such as family photos onto a USB drive. Unfortunately, she also accidentally downloaded the personally identifiable information (PII) of 44,000 bank customers.
By Monday, March 1, the FDIC's IT team had detected the copy, contacted the employee, and promptly retrieved the drive. As far as anyone can tell, the data never reached the black market, and the incident appears to have been nothing more than a close call and a cautionary tale.
The FDIC did several things right in this case. It had already deployed data loss prevention (DLP) software that detected the copy to removable media automatically, and when that software alerted the security team, the team acted quickly.
There is a question, though, whether the employee should have been able to copy the data to a USB drive in the first place. Removable media such as USB drives and memory sticks are a recurring source of data breaches, in both directions. The American Dental Association, for example, inadvertently distributed malware-infected USB drives to its members late last year, potentially compromising millions of records of protected health information (PHI): inbound malware rather than outbound data, but the same uncontrolled channel.
At some financial institutions, workstations have their USB ports disabled specifically to prevent this type of leak. That is a prudent precaution, but it does not address the risk of employees moving confidential data off the network in other ways and jeopardizing the organization's data security.
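Disabling USB ports is usually done in software rather than by filling the ports with epoxy. The following is an added example, not code from the original post or from Accellion, showing how a Windows endpoint can be locked down with the same registry values that the "Removable Storage Access" Group Policy writes: it denies write access to removable disks (read access can stay on if staff need to read vendor media), can deny every removable storage class, and, as a second layer, stops the USB mass-storage driver from loading. The Removable Disks class GUID is the one Windows documents for that policy; the function names are this example's own. Run it from an elevated prompt.

```powershell
# Added example, not from the original post or from Accellion: lock down
# removable storage on a Windows endpoint by writing the same registry values
# that the "Removable Storage Access" Group Policy writes. Run from an
# elevated PowerShell prompt. Function names are this example's own.

# Class GUID Windows uses for "Removable Disks" in the Removable Storage Access policies.
$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$PolicyKey  = Join-Path $PolicyRoot $RemovableDisksClass
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-RemovableStoragePolicy {
    param(
        [switch]$DenyWrite,      # block copying data onto removable disks (the FDIC scenario)
        [switch]$DenyRead,       # also block reading them
        [switch]$DenyAllClasses, # deny every removable storage class, not only disks
        [switch]$DisableUsbStor  # second layer: stop the USB mass-storage driver from loading
    )
    foreach ($k in $PolicyRoot, $PolicyKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    New-ItemProperty -Path $PolicyKey -Name 'Deny_Write' -PropertyType DWord `
        -Value ([int]$DenyWrite.IsPresent) -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'Deny_Read' -PropertyType DWord `
        -Value ([int]$DenyRead.IsPresent) -Force | Out-Null
    New-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -PropertyType DWord `
        -Value ([int]$DenyAllClasses.IsPresent) -Force | Out-Null
    if ($DisableUsbStor) {
        # Start = 4 is SERVICE_DISABLED; 3 (start on demand) restores the default.
        Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4
    }
}

function Get-RemovableStoragePolicy {
    # Read back what is actually set, so the control can be audited rather than assumed.
    $disk = Get-ItemProperty -Path $PolicyKey  -ErrorAction SilentlyContinue
    $root = Get-ItemProperty -Path $PolicyRoot -ErrorAction SilentlyContinue
    $svc  = Get-ItemProperty -Path $UsbStorKey
    [pscustomobject]@{
        DenyWrite       = ($disk.Deny_Write -eq 1)
        DenyRead        = ($disk.Deny_Read  -eq 1)
        DenyAllClasses  = ($root.Deny_All   -eq 1)
        UsbStorDisabled = ($svc.Start       -eq 4)
    }
}

# Deny writes to removable disks and disable the mass-storage driver, then verify.
Set-RemovableStoragePolicy -DenyWrite -DisableUsbStor
Get-RemovableStoragePolicy
```

The policy values take effect at the next policy refresh (gpupdate /force) or when a device is next attached, and in a domain the GPO wins over locally written values, so in production set this through Group Policy and use the Get function to verify that the setting actually landed on each workstation. Disabling USBSTOR stops mass-storage devices only; phones and cameras that attach as MTP/PTP devices use other drivers, which is why Deny_All on the policy key is the broader control. None of it touches uploads to cloud services, which is the gap the next section covers.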
Public Clouds: The New Data Transfer Technology of Choice
Instead of transferring data with a device such as a USB drive, employees can simply copy files to a public cloud file storage service like Dropbox, Google Drive or Evernote. Once the files are uploaded, the service automatically copies them to every device linked to the user's account. Within seconds the files are duplicated, possibly across dozens or hundreds of devices if folders have been shared with other users, with no removable media involved at all.
Public-cloud file sharing creates a critical challenge for any organization concerned about preventing or discouraging the unauthorized distribution of confidential files. Not only is it easy for employees to copy files carelessly or maliciously to public cloud services, but most organizations also have no idea how many or which cloud services their employees are accessing. A study by Cisco found that while CIOs typically estimate that their organizations are running on average about 50 cloud services, the real number of active cloud services is closer to 730. Most of these cloud services operate as "shadow IT," meaning outside the scrutiny of the IT department. IT administrators cannot monitor services they do not know are in use.
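Finding out which services are actually in use usually starts with the web proxy or firewall logs, which already record every upload whether or not IT knows about the service. The following added example, not code from the original post or from Accellion, scans a few constructed proxy log lines for known file sync-and-share domains and reports, per service, who used it and how much was sent in requests that carry a body. The log format and field order (time, user, method, host, bytes sent), the domain table and the function names are all this example's assumptions; a real proxy logs differently, so adapt the split to its format.

```powershell
# Added example, not from the original post or from Accellion: find the cloud
# sync-and-share services that show up in web-proxy logs, who is using them and
# how much is being uploaded. The log lines are constructed for the example and
# the field order (time, user, method, host, bytes sent) is an assumption;
# adapt the split to your proxy's actual format.

$SyncServices = @{
    'dropbox.com'      = 'Dropbox'
    'drive.google.com' = 'Google Drive'
    'evernote.com'     = 'Evernote'
    'box.com'          = 'Box'
}

# Constructed sample log, not real traffic.
$ProxyLog = @'
2016-02-26T16:02:11Z jdoe   POST content.dropbox.com 5242880
2016-02-26T16:03:40Z jdoe   GET  www.dropbox.com     1204
2016-02-26T16:10:05Z asmith PUT  drive.google.com    7340032
2016-02-26T16:11:00Z asmith GET  news.example.com    54321
2016-02-26T16:15:22Z bjones POST evernote.com        102400
2016-02-26T16:20:01Z jdoe   POST content.dropbox.com 3145728
'@

function Resolve-SyncService {
    # Walk up the host name (content.dropbox.com -> dropbox.com) and return the
    # first suffix listed in the service table, or $null if none matches.
    param([string]$HostName, [hashtable]$Services)
    $labels = $HostName -split '\.'
    for ($i = 0; $i -lt $labels.Count - 1; $i++) {
        $suffix = $labels[$i..($labels.Count - 1)] -join '.'
        if ($Services.ContainsKey($suffix)) { return $Services[$suffix] }
    }
    return $null
}

function Get-CloudSyncActivity {
    param([string]$LogText, [hashtable]$Services)
    $hits = foreach ($line in ($LogText -split "`n")) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5) { continue }
        $service = Resolve-SyncService -HostName $f[3] -Services $Services
        if (-not $service) { continue }
        [pscustomobject]@{
            Service = $service
            User    = $f[1]
            Upload  = ($f[2] -in @('POST', 'PUT'))   # request carried a body toward the service
            Bytes   = [int64]$f[4]
        }
    }
    $hits | Group-Object Service | ForEach-Object {
        $uploads = @($_.Group | Where-Object { $_.Upload })
        $bytes = [int64]0
        foreach ($u in $uploads) { $bytes += $u.Bytes }
        [pscustomobject]@{
            Service       = $_.Name
            Users         = (@($_.Group | ForEach-Object { $_.User }) | Sort-Object -Unique) -join ', '
            Requests      = $_.Count
            Uploads       = $uploads.Count
            BytesUploaded = $bytes
        }
    }
}

Get-CloudSyncActivity -LogText $ProxyLog -Services $SyncServices | Format-Table -AutoSize
```

With HTTPS, a proxy that does not intercept TLS records only the CONNECT to the host and the byte counts, not the method, so bytes sent per session becomes the upload signal and the Upload column should be derived from that instead. The part worth maintaining is the service table: uploads go to the services' content hosts rather than their marketing domains, so matching on the registrable domain (as the suffix walk above does) catches them. Run the query over a week of logs before trusting any estimate of how many cloud services are in use.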
IT organizations could try blocking all cloud-based file sharing, but most would acknowledge that at least some of the time employees are copying files for legitimate, work-related reasons. For example, the typical mobile worker today carries three mobile devices: a laptop, a tablet, and a smartphone. For the employee to be productive, all three devices need access to the files the employee is working with. Syncing files through a cloud service makes file access automatic and helps ensure that employees always have the latest copies of the files they need, regardless of where they happen to be working.
But the productivity benefits of file sync and share services do not eliminate the security risks inherent in those services, especially for organizations like the FDIC that handle lots of PII. Unauthorized sharing of PII can take many forms: employees might misconfigure permissions, making content available to unauthorized users, or employees might forget that they have shared a folder to which confidential information has recently been added. For many public cloud file-sharing services, there is no administrative control for tracking, monitoring, or curtailing the distribution of files. Confidential content might be leaked routinely for weeks or months before the IT department discovers that a problem exists.
Making Cloud-based File Sharing Secure with kiteworks
To give employees a convenient file sync and share service that boosts productivity but also protects confidential data such as PII, organizations should deploy a solution like kiteworks by Accellion. kiteworks is a secure content management platform that allows users to access, edit, share and collaborate on files stored across an enterprise, from any location, using any device.
With kiteworks, employee productivity is significantly enhanced and organizations can meet the highest standards for data security, data governance and regulatory compliance. For example, secure containers within kiteworks protect content from unauthorized access by other applications or malware. Employees get access to the data they need, while confidential data remains safe and continuously under the control of the IT department.
To ensure that employees have secure, convenient access to all the files they need, kiteworks provides Enterprise Content Connectors that create secure, fully integrated connections to leading Enterprise Content Management (ECM) platforms such as EMC Documentum and Microsoft SharePoint. The platform also provides connectors for public cloud services such as Box, Dropbox, and Google Drive. Files from all these sources are presented in a single, consistent, and mobile-friendly user interface. Whether employees are using SharePoint, Google Drive, or Dropbox, kiteworks monitors file activity and enforces the security controls required by organizations in financial services, healthcare, and other highly regulated industries.
The kiteworks platform also integrates with data loss prevention (DLP) solutions, enabling enterprises to enforce existing DLP policies automatically for all employee devices.
Recommendations for Protecting PII and Other Confidential Data
To protect against data leaks involving removable devices like USB drives or the careless copying of files to cloud services, enterprises should do the following:
To learn more about kiteworks, please contact us.