Our Public Sector Data Security Discussion
Joe Maglitta: You're listening to the Verizon Insights podcast. The thoughts and opinions expressed in this podcast are those of the individual speakers and do not necessarily reflect the views of Verizon or any other entity mentioned in the podcast.
Joe Maglitta: Hello everyone, I'm Joe Maglitta, principal at Maglitta Communications, former vice president of the Market Experts Group at Ziff Davis Enterprise, and a contributing editor for CIO Magazine. Joining us today is Bryan Sartin, Executive Director of Verizon Global Security Services. In the next few minutes we'll highlight findings from the Verizon 2016 Data Breach Investigations Report and offer some ways to better protect your organization. The 2016 report covers over 100,000 incidents, and 2,260 analyzed breaches from 82 countries. Bryan, welcome.
Bryan Sartin: Good morning, Joe, thank you.
Joe Maglitta: So let's get down to it. What are some of the headlines from this year's report, Bryan?
Bryan Sartin: It's our ninth report and every year we try to take a little bit of a different slice at the threat landscape. There's no question about the role of spear phishing and how that is playing a big part especially on the initial intrusions of most types of cyber attacks these days. The use of malware in conjunction with phishing is starting to really illustrate to us that humans are now the slowest in the herd, if you will, from a vulnerability perspective. In other words, people are the easiest targets in a cyber attack. So, we talk a lot about that and really lay out the science on what that means today, and, of course, what to do about it. But for real statisticians and data gurus, we have the use of the attack this year. In this case you can start to look at the total dataset, hundreds of thousands of incidents, more than 2,000 confirmed data breaches. And we found a scientific way to boil those down to a series of playbooks, if you will, meaning the sequential sets of moves from pre-attack research to initial point of intrusion to identifying targets of interest within the victim's enterprise to finding ways to exfiltrate that data, subsequent points of entry, and so forth. And we have a brilliant visual method of illustrating those in true color. And it's fantastic. I hope our readers have as much fun reading as we did putting it together.
Joe Maglitta: Now that we've got a good general overview of things, let's bring in Jessica Hill, Verizon's Manager of Professional Services for Public Sector. Jessica welcome.
Jessica Hill: Thank you, good to be here.
Joe Maglitta: So, we're going to use a tag team approach. Bryan Sartin will highlight the top challenges in public sector. And then Jessica will suggest some ways to counter this year's most pressing threats. So Bryan, as we look at the data, the public sector came under pretty heavy attack in terms of the numbers.
Bryan Sartin: Well yeah, first, did it really come under heavy attack? And unquestionably yes. Everyone should understand that we have more incidents for the public sector than we do any other victim sector. We're looking at just a little under 50,000 security incidents reported in this past year from the public sector alone. So we have a lot to say about what is, but also what is not happening in that sector as it compares to other sectors from affected defensive countermeasure strategy. And you see miscellaneous errors up there in excess of 20 percent, almost 25 percent. That's mistakes, errors and omissions on the part of the victims that are setting the stage for these types of attacks. Misuse, abuse of privileges, where employees, business partners, vendors, what have you, are explicitly misusing their privileges and their access for some form of unauthorized access or some type of data theft. Lost or stolen assets of course are up there pretty high in this sector as well as a few others. But also crimeware plays a very significant role in the public sector. Actually bigger than it does in any of the top ten sectors. So a very different threat pattern than you see in other sectors. And important to understand why it's different.
Joe Maglitta: How much of that is due to an actual increase in activity, and how much of that is a result of reporting requirements, particularly by the U.S. government agencies?
Bryan Sartin: Well, it's a byproduct of contribution to our study. So we have, of course, public sector entities as entities in many states and other jurisdictions across the globe, and in certain sectors are required to disclose in some way, shape, or form, indications of security breach or especially data breaches that they experience within their enterprise or government agency. No question that's happening to a great deal within the U.S. agencies. So there's more reporting.
Joe Maglitta: Jessica Hill, we have got an unprecedented number of internal and external attackers. I know there's no easy answer to this given the huge diversity of federal, state and local government capabilities and all the actors out there. What’s the recommendation here?
Jessica Hill: Yeah, thank you. If you look at what types of breaches are happening, you see a lot of internal mistakes. There's some malicious activity happening, as well as some blatant accidents. And while the intent there is different, some of the ways you can mitigate are the same. So if you look at USB usage for example, lots of sensitive data is being removed and misplaced on USB drives. That can be controlled. There could be policies and procedures in place to limit the use of USBs and removing data. Also implementing a data loss prevention or DLP software greatly assists in limiting the amount of sensitive data that's transversed by e-mail. Those kind of policies really limit both malicious and inadvertent breaches. One of the trends you see in government is that the CIO level of management changes out about every two years, which is even shorter than the average CIO term in the private sector. And what you see there is a lot of confusion, there are policies that are adopted and then abandoned or maybe... policies that aren't totally understood or aren't implemented correctly when a new regime comes into power. So, when you look at the broader policies that need to be in place, and need to be effectively implemented, there really needs to be a lot of control over what data is out there, where and how is it stored, is it sensitive, who has access to it, and how do we dispose of it.
Joe Maglitta: Jessica, one of the most dramatic numbers that jumped out from the report was the number of mistakes made by people mailing or e-mailing information to the wrong recipient. That seems so human and so common. We've all done it.
Jessica Hill: The difference is when you're talking about the public sector, we're talking about very sensitive data that covers every U.S. citizen, potentially national security. Those kind of mistakes have big consequences. Just as in other sectors, you really want to limit the use of paper data. You don't want things lying around that are sensitive or potentially unsecured. I think that the usage of data loss prevention software helps lock down the e-mail capabilities to make sure that files are scanned, sensitive information is prevented from just being inadvertently sent out to the wrong recipient. So a few more points to consider is really understanding your data, understanding whether it's classified data, sensitive data, contains user records, financial records, citizen data or national and public security kinds of data. Knowing where that is in your network, who has access to it, how you protect it, and even more importantly how you dispose of that kind of data is really critical for the agencies to know, implement, and keep very strict policies around. I think that it really isn't an issue of if a breach is going to happen, but when it's going to happen, how do you mitigate it, how do you detect it? And then how do you make sure that the impact is minimal? The government is under everybody's scrutiny to make sure that they're protecting the citizens, they're protecting the borders, and any breach is seen as important and worrisome. So the government has probably the biggest mandate to ensure that all the data that they have is secure and any breach that happens is understood quickly and mitigated immediately.
Joe Maglitta: That's about all we have time for. Thanks to our guests, Bryan Sartin, Executive Director of Verizon Global Security Services. And to Jessica Hill, Verizon's Manager of Professional Services for the Public Sector. And of course thanks to you, our listeners for joining us today. To get your copy of the Verizon 2016 Data Breach Investigations Report, visit VerizonEnterprise.com/DBIR2016. That's VerizonEnterprise.com/DBIR2016. As always, find us on Twitter @VZEnterprise, or on LinkedIn. Have a great rest of your day.