When it comes to protecting vital information and data, we expect the U.S. government to be at the top of its game. That’s not an unfair hope, or is it? Through policy and example, government is expected to lead the way in data protection and cyber security. Ideally, it should be someone to look up to, analyzing successful and unsuccessful strategies and keeping a proactive mindset. Sadly, this sounds like a fairy tale world, and it’s not common news. Government entities, like the U.S. Postal Service, remain vulnerable to cyber security and insider threats.

U.S. policies on insider threats & data security

The United States government has policies and orders in place that encourage federal entities that process national security information to remain compliant with set standards. These standards include October 2011’s Executive Order 13587, which clarifies:

“This order directs structural reforms to ensure responsible sharing and safeguarding of classified information on computer networks that shall be consistent with appropriate protections for privacy and civil liberties. Agencies bear the primary responsibility for meeting these twin goals.”

Further, this policy also pushes to establish an “Insider Threat Task Force” aimed at “deterring, detecting, and mitigating insider threats, including the safeguarding of classified information from exploitation, compromise, or other unauthorized disclosure, taking into account risk levels, as well as the distinct needs, missions, and systems of individual agencies.” This task force is comprised of Heads of State, Directors and other important figures who hold high-status positions with great influence.
The executive order is quite thorough, and it’s worth reviewing at the White House Archives website.

Further, the National Insider Threat Policy explores the protection of classified data by:

“Establishing common expectations, institutionalizing executive branch best practices, and enabling flexible implementation across the executive branch.”

Further in this document, the policy mandates that a program for detecting and deterring insider threats be established within 180 days, along with the capacity to monitor and analyze insider threat information, and more. Basically, it’s very thorough and well thought out. Though no policy is perfect, it’s a step in the right direction. These policies were created in 2011; the question remains: are government entities following these procedures? Are they still vulnerable to insider threats?

You might’ve guessed the answer to this question. The answer is “yes,” they’re still vulnerable, and some government entities are not taking serious initiative to put these policies in place effectively. This brings us to the recent case of the U.S. Postal Service, and its recent inspector general’s report.

U.S. Postal Service general ‘insider threat’ report

In a nutshell, the U.S. Postal Service hasn’t done the full job of protecting against insider threats, and it hasn’t “fully implemented a federally mandated program designed to protect its computer systems from insider attacks.” The full audit report can be found at this link.

The purpose of the report is to audit thoroughly whether the agency is meeting the standards for protecting data from potential misuse by employees, third parties and others who have a connection to the network. Under the executive order, the U.S.
Postal Service is mandated to have an insider threat program, while coordinating with a CISO executive on cyber security, information security and insider threat protections.

In the report, the U.S. Postal Service is faulted for not maintaining the standards set in these policies, and the report states that there “were physical and security access breakdowns at facilities with national security information.” Many of the problems included:

- Discrepancies in four areas centered on the main requirements for an insider threat program
- Five contractors that had access to secured spaces at a facility that didn’t have proper security clearances
- Nonfunctioning closed-circuit TV cameras overlooking secured spaces

These were only a few of the logged problems, but the inspector general had important insider threat recommendations for the reformation period. These included:

- Fully implement an insider threat program that falls in line with the minimum standards
- CISO to establish an organization-wide insider threat program and training

Further recommendations

Many of the problems raised in the audit report can be easily addressed and fixed through various insider threat software services and analytics. The U.S. policy pushes for an active system that monitors and analyzes information and data from the system. Many services offer these capabilities, actively monitoring and probing the system for the anomalies that the managing user has asked the software to look for. By creating a pattern of normal employee behavior through analytics, management can identify whether contractors, remote staff or in-office staff are accessing information that’s not supposed to be accessed. One of the most important features of online monitoring is instant and tailored system alerts. Many times, anomalies go undetected for weeks, months and even years.
By establishing a “normal” behavior profile and probing the system actively, management can turn the alert time from years to hours and days.

In addition to monitoring software, an insider threat program means nothing unless the staff understand the necessity, the functionality and the importance of the program. This is where training comes in, and it’s best to train employees thoroughly on policy standards, why it’s important to remain vigilant and the details of the program. The fun doesn’t stop there; employees and management need to be regularly reminded about cyber and data security best practices.

With the amount of technology and information that’s already on the world wide web, it’s hard to comprehend that government entities still struggle to remain compliant with the policies and regulations put in place. We encourage other public entities, small businesses and corporations to treat the U.S. Post Office audit and review described here as a learning lesson, to take insider threats seriously and to use the tools indicated to eliminate the threat.
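
The “normal” behavior profile and tailored alerts described under “Further recommendations” can be sketched in a few lines. This is an added example, not code from the audit report or from any monitoring product; the log format, user names, resource names and the two-hour slack are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample access logs: timestamp, user, staff type, resource.
BASELINE_LOG = """\
2024-03-04T09:12 alice in-office hr/payroll
2024-03-05T10:05 bob contractor facilities/work-orders
2024-03-06T08:55 carol remote mail/routing
"""
LIVE_LOG = """\
2024-03-11T09:30 alice in-office hr/payroll
2024-03-11T10:15 bob contractor facilities/work-orders
2024-03-11T23:47 bob contractor classified/briefings
2024-03-12T02:10 carol remote mail/routing
"""

def parse(log):
    for line in log.splitlines():
        ts, user, staff_type, resource = line.split()
        yield datetime.fromisoformat(ts), user, staff_type, resource

def build_profiles(log):
    """Per-user 'normal' profile: resources touched and hours of activity."""
    profiles = defaultdict(lambda: {"resources": set(), "hours": set()})
    for ts, user, _, resource in parse(log):
        profiles[user]["resources"].add(resource)
        profiles[user]["hours"].add(ts.hour)
    return profiles

def hour_gap(a, b):
    return min(abs(a - b), 24 - abs(a - b))  # distance on a 24-hour clock

def detect(profiles, log, slack=2):
    """Return (time, user, staff type, resource, reasons) per anomalous event."""
    alerts = []
    for ts, user, staff_type, resource in parse(log):
        profile, reasons = profiles.get(user), []
        if profile is None:
            reasons.append("no baseline for user")
        else:
            if resource not in profile["resources"]:
                reasons.append("resource outside baseline")
            if all(hour_gap(ts.hour, h) > slack for h in profile["hours"]):
                reasons.append("unusual hour")
        if reasons:
            alerts.append((ts.isoformat(timespec="minutes"), user, staff_type, resource, reasons))
    return alerts

ALERTS = detect(build_profiles(BASELINE_LOG), LIVE_LOG)
print(*ALERTS, sep="\n")
```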