Experts say employee errors and a lack of basic security awareness are not uncommon among enterprise end users, who, according to a recent data leakage audit of a Boston-based health care firm, make costly mistakes far too often.
Robert Cheyne, founder and CEO of SafeLight Security Advisors, a Providence, R.I.-based security training company, said end users are rarely engaged enough by enterprises to care about safeguarding company data.
"Often employees think someone at a higher level is taking care of their data security when in fact the employees are really a major part of the security processes," he said.
That problem was highlighted at a Boston-based health care firm, which underwent a two-week evaluation of its systems to find any potential violations of the Health Insurance Portability and Accountability Act (HIPAA) or other infringements of the Massachusetts privacy regulations (201 CMR 17). The firm that conducted the audit, Hudson, Mass.-based data security consultancy Networks Unlimited Inc., allowed a SearchSecurity.com reporter to attend the unveiling of the audit results last month on the promise that the health care firm and its executives would be kept anonymous.
Jason Spinosa, a senior security engineer at Networks Unlimited, said that some of the HIPAA violations they discovered showed that employees lacked sufficient training on security and privacy. In one instance, an employee emailed their own personal data, including bank account information and Social Security numbers, to a mortgage broker. In another event, the software detected an employee who emailed their credit card details to a family member's AOL address. When the family member questioned the security of the message, the employee responded, "it's a good thing we're in health care; it's secure due to HIPAA."
"While on the surface this doesn't affect the company, the lapse in judgment shows that employees don't even know how to secure their own information, let alone the company's data," Spinosa said. "It also illustrates a problem where employees may be assuming that protections are in place when they aren't."
Since the unveiling of the audit, which detected unencrypted email messages containing patient information -- including Social Security numbers, insurance information, sensitive medical conditions and other personally identifiable information -- executives at the health care firm say they have taken steps to correct the problems.
The health care firm is rolling out Cisco Systems' IronPort email security appliances to identify sensitive information and automatically encrypt email messages. The firm's IT director said the company will start a security training program. In addition to the IT director, the health care firm has a compliance officer in place, but lacks a CISO or other dedicated security professional, a crucial component of a successful security education program, Cheyne said. A person with such authority would help ensure an education program is taken seriously and doesn't end up falling by the wayside, he said.
"It's got to be driven and sustained at a very high level or it's just not going to work," Cheyne said. "The person best suited to lead a sustained effort is typically a person in the organization with strong leadership skills."
Security industry luminary Winn Schwartau, who founded and headed the Trusted Learning Corp. in 2003, said no security program is 100% effective. The aim of any program is to instill the idea that security is extremely important to the organization and that employees play an important role in protecting data.
"User training helps those who want to be helped," Schwartau said. "Good security awareness programs that have been used in enterprises have been ineffective against good, well orchestrated social engineering attacks against specific organizations; nonetheless, I'm still a believer in it."
Schwartau said that ultimately the industry needs to provide security solutions that have implicit security models built into them, removing the responsibility from individuals, so they can do what they want to do while the necessary security happens behind the scenes.
In the case of the health care firm that was audited by Networks Unlimited, Spinosa said, they have a lot of training to do. Over the two-week monitoring period, the Websense Inc. data leakage prevention (DLP) software detected about 275 violations. Nearly all the errors came from email or Web-based traffic -- employees intentionally emailing sensitive patient data, believing the information was protected. There were more than 230 HIPAA violations, including more than 70 instances of Social Security number violations and nearly a dozen violations of the Payment Card Industry Data Security Standard (PCI DSS).
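To make concrete what a content-inspection policy like the one behind these numbers actually checks, here is an added example (not Websense or IronPort code, and not part of the original article) that classifies constructed outbound messages into the same three buckets the audit reported: SSN, PCI DSS and HIPAA. The PHI heuristic (a health-related term next to a personal identifier) and the sample messages are assumptions for illustration.

```python
import re
from typing import Dict, List, Set

# SSN: 3-2-4 digits, rejecting area 000/666/9xx and all-zero groups.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits with optional space/hyphen separators; confirmed with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
DOB_RE = re.compile(r"\b\d{2}/\d{2}/\d{4}\b")
HEALTH_WORDS = ("patient", "diagnosis", "insurance", "prescription", "treatment")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(body: str) -> Set[str]:
    """Return the policy categories a single message body triggers."""
    hits: Set[str] = set()
    has_ssn = bool(SSN_RE.search(body))
    if has_ssn:
        hits.add("SSN")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(body)):
        hits.add("PCI_DSS")
    # PHI heuristic (assumption): a health term together with a personal identifier.
    lowered = body.lower()
    if any(w in lowered for w in HEALTH_WORDS) and (has_ssn or DOB_RE.search(body)):
        hits.add("HIPAA")
    return hits


def audit(messages: List[Dict[str, object]]) -> Dict[str, int]:
    """Count violations per category; messages sent through the encrypted path are compliant."""
    counts: Dict[str, int] = {}
    for msg in messages:
        if msg["encrypted"]:
            continue
        for cat in classify(str(msg["body"])):
            counts[cat] = counts.get(cat, 0) + 1
    return counts


# Constructed samples: 078-05-1120 is a long-published specimen SSN, 4111... the Visa test number.
SAMPLE = [
    {"encrypted": False, "body": "Patient diagnosis attached. SSN 078-05-1120."},
    {"encrypted": False, "body": "My card is 4111 1111 1111 1111, exp 12/27"},
    {"encrypted": True, "body": "Patient SSN 078-05-1120, DOB 01/02/1960"},
    {"encrypted": False, "body": "Lunch at noon? Call 555-123-4567."},
]
```

Running `audit(SAMPLE)` yields one SSN, one HIPAA and one PCI_DSS violation; the encrypted message and the phone number produce none, which is the distinction the appliance rollout described below is meant to enforce automatically.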
The traffic analysis also indicated that some employees were using non-company email systems for company communications. In addition, the assessment found serious problems with the health care organization's public website, which currently allows patients to submit their personal information via an unencrypted Web form.
"If the company thinks it can allow patients to submit their data without having encryption in place, what kind of message does this send to their employees?" Spinosa asked.
The unveiling of the data leakage assessment was met with some surprise by the health care firm's upper management. The company's compliance officer said that employees have been told that their email isn't secure and have been given implicit instructions to not send health care information over the Internet without using encryption. Employees are supposed to use the firm's system to encrypt sensitive messages to medical transcriptionists and doctors, but in some cases, employees balked at using it. Up until now, the health care firm has been distributing security awareness information via a monthly email newsletter.
But using a company newsletter to distribute security do's and don'ts is not very effective, Cheyne said. Employees don't want a Ten Commandments list. An important part of the education is explaining why security matters, he said.
"I've seen companies start from scratch and it takes 1 to 3 years of ongoing training before the security conscience is raised to an effective level," Cheyne said.
Marcus Ranum, chief security officer of Columbia, Md.-based Tenable Network Security, who wrote that educating users is one of the "six dumbest ideas in computer security," admits that organizations like this health care firm have to do some basic security awareness training. Enterprises need to come down hard on security policy violators, making them an example for the rest of the workforce, he said.
"We're always bringing new people into the high-tech workforce and people are creating high-tech security problems as fast as they can, so ultimately, [awareness training] is not going to be very effective," Ranum said.
Like Schwartau, Ranum said data leakage is more a failure of technology than of employees' lack of awareness. New systems need to be built with security in mind so employees don't have to think about being secure. Employees who leak their own personal information are careless and could be a detriment to a company's entire business, Ranum said.
"The one thing I have observed is that stupid tends to cluster together," Ranum said. "If someone is doing something dumb with their own data, they're probably doing something dumb with your data."