Information Security: Employee Errors Put Data at Risk/Weakest Link Information Security: Employee Errors Put Data at Risk

  • "My favorite example of all time: You walk in and the clerk is asking you to fill out a form. You look at it and say, 'Why do you need my Social Security number?' and he says, 'Well, because it's on the form,'" Foley said. "If that's the only understanding your people have of what's on the form and why it's there, how can I walk away from your office thinking I'm safe and that you'll protect my information?"

    The ITRC offers training and consulting on breach mitigation to organizations. Linda Foley, co-founder of the center with her husband Jay, said she asks a set of typical questions to clients whose employees carry data on mobile equipment.

    "If the cause of the breach was the fact that someone had taken information home to work on and their laptop was stolen from the front seat of their car while they were in a gym: No. 1, why is the laptop not hidden? No. 2, why is it going home? No. 3, why is there personal identifying information, such as Social Security numbers, on that laptop?" she said.

    She said governments should get creative in protecting Social Security numbers that are stored in the office or can be accessed on the move. As an example, she cited anonymous studies in which participants are identified by randomly generated numbers.

    At the ITRC, even she doesn't have permission to see all types of information, and she's an executive there. "I don't have permission to see certain files, because I don't have a need to know. Checks and balances -- I don't need anyone's Social Security number for any purpose whatsoever; therefore, I should not ever see them."

    Photo: Kevin Mitnick, founder, Mitnick Security Consulting

    Kevin Mitnick, founder of Mitnick Security Consulting, said it all comes down to employee awareness and diligence. Sophisticated software may be what people think of when they want to secure against external breaches, but human error on the inside is a different kind of threat.

    "Technology, I don't think, can prevent some employee from faxing off something that's inappropriate," Mitnick said. "Technology could be used to encrypt information, but training people is not a technology problem. It's a people problem."


    Nightmare in the Breach

    In 2007, the Lynchburg, Va., government found out firsthand why it's important to assess information-management procedures. The (Lynchburg) News & Advance reported in June 2007 that the personal information of more than 1,000 municipal employees and retirees -- including birth dates and Social Security numbers -- was included in an Excel spreadsheet attached to an RFP posted to the procurement section of the city's Web site.

    The reason? Lynchburg wanted solicitations from third parties to provide pharmacy services, so it placed the RFP on its procurement page. One vendor asked the city for an extract of medical codes, which helped the vendor determine the city's usage of prescriptions. Lynchburg saw no problem providing this information but decided that if one vendor could see it, all of them should have access.

    The information was put in a spreadsheet and attached to the online RFP. The problem was that the spreadsheet also had the names of employees and retirees who filled prescriptions during that year under the city's previous pharmacy coverage, along with other personal information.

    According to Lynchburg Human Resources Director Margaret Schmitt, no city employees thoroughly examined the spreadsheet to omit the extraneous data, so when the affected employees and retirees Googled themselves, their personal information was included in the search results. Bad news for Lynchburg.

    "When Google looked at our site, it also went into attachments. It's something we found out after the fact -- that Google, when

Hilton Collins, Staff Writer Hilton Collins  | 

Hilton Collins is a former staff writer for Government Technology and Emergency Management magazines.