Recommendations on how the U.S. Postal Service and other government entities can improve cyber security.

When it comes to protecting vital information and data, we expect the U.S. government to be at the top of its game. That’s not an unfair hope, or is it? Through policy and example, government is expected to lead the game in data protection and cyber security. They should ideally be someone to look up to, analyzing successful and unsuccessful strategies and keeping a proactive mindset. Sadly, this sounds like a fairy tale world, and it’s not common news. Government entities, like the U.S. Postal Service, continue to remain vulnerable to cyber security and insider threats.

U.S. policies on insider threats & data security

The United States government has policies and orders in place that encourage federal entities that process national security information to remain compliant with set standards. These standards include October 2011’s Executive Order 13587, which clarifies:

“This order directs structural reforms to ensure responsible sharing and safeguarding of classified information on computer networks that shall be consistent with appropriate protections for privacy and civil liberties. Agencies bear the primary responsibility for meeting these twin goals.”

Further, this policy also pushes to establish an “Insider Threat Task Force” whose aim is “deterring, detecting, and mitigating insider threats, including the safeguarding of classified information from exploitation, compromise, or other unauthorized disclosure, taking into account risk levels, as well as the distinct needs, missions, and systems of individual agencies.” This task force is comprised of Heads of State, Directors and other important figures that have high-status positions with great influence.
The executive order is quite thorough, and readers are encouraged to review it at the White House Archives website.

Further, the National Insider Threat Policy explores the protection of classified data by: “Establishing common expectations, institutionalizing executive branch best practices, and enabling flexible implementation across the executive branch.”

Further in this document, the policy mandates that a program for detecting and deterring insider threats be established within 180 days, and that the capacity to monitor and analyze the information of insider threats, and more, be established. Basically, it’s very thorough and well thought out. Though no policy is perfect, it’s a step in the right direction. These policies were created in 2011; the question remains: are we seeing government entities following these procedures? Are they still vulnerable to insider threats?

You might’ve guessed the answer to this question. The answer is “yes,” they’re still vulnerable, and some government entities are not taking the serious initiative to put these policies in place effectively. This brings us to the recent case of the U.S. Postal Service, and its recent inspector general’s report.

U.S. Postal Service general ‘insider threat’ report

In a nutshell, the U.S. Postal Service hasn’t done the full job of protecting against insider threats, and it hasn’t “fully implemented a federally mandated program designed to protect its computer systems from insider attacks.” The full audit report can be found at this link.

The purpose of the report is to do a thorough audit to see if the agency is meeting the standards of data protection from potential misuse by employees, third parties and others that have a connection to the network. Under the executive order, the U.S. Postal Service is mandated to have an insider threat program, while coordinating with a CISO executive on cyber security, information security and insider threat protections.

In the report, the U.S. Postal Service is faulted for not maintaining the standards set in these policies, and that there “were physical and security access breakdowns at facilities with national security information.” Many of the problems included:

- Discrepancies in four areas centered on the main requirements for an insider threat program
- Five contractors that had access to secured spaces at a facility that didn’t have proper security clearances
- Nonfunctioning closed-circuit TV cameras overlooking secured spaces

These were only a few of the logged problems, but the inspector general had important insider threat recommendations for the reformation period. These included:

- Fully implement an insider threat program that falls in line with the minimum standards
- CISO to establish an organization-wide insider threat program and training

Further recommendations

Many of the problems that were posed in the audit report can be easily maintained and fixed through various insider threat software services and analytics. The U.S. policy pushes to have an active system that’s monitoring and analyzing information and data from the system. Many services offer these abilities, actively monitoring and probing the system for anomalies that the management-user asked the software to look for. By creating a pattern of normal employee behavior through analytics, management can identify if contractors, remote staff or in-office staff are accessing information that’s not supposed to be accessed. One of the most important features of online monitoring is instant and tailored system alerts. Many times, anomalies go undetected for weeks, months and even years. By establishing a “normal” behavior profile and probing the system actively, management can turn the alert time from years to hours and days.

In addition to monitoring software, an insider threat program means nothing unless the staff understand the necessity, the functionality and the importance of the program.
This is where training comes in, and it’s best to train employees thoroughly on policy standards, why it’s important to remain vigilant and the details of the program. The fun doesn’t stop there: employees and management need to be regularly reminded about cyber and data security best practices.

With the amount of technology and information that’s already on the world wide web, it’s hard to comprehend that government entities still struggle to remain compliant with policies and regulations put in place. We encourage other public entities, small businesses and corporations to treat the U.S. Post Office audit and review described here as a learning lesson, to take insider threats seriously and to use the tools indicated to eliminate the threat.