Public-sector data breaches occur for all sorts of reasons, but in the federal space, a major culprit seems to be employees' unsafe file transfer and security methods -- and the fact that employees oftentimes don't even know what the policies are.
In April, MeriTalk, a government IT provider and network, and software company Axway teamed up to survey 200 federal IT workers to gauge file transfer practices and concerns. Results were released May 10 in the report "Why Encrypt? Federal File Transfer Report."
Eighty percent of respondents felt their agencies had adequate policies in place to guide secure file transfer, but only 58 percent said employees were aware of them, and 43 percent -- less than half -- said that employees consistently followed them.
They also often use file transfer methods considered unsafe. According to the data:
o 54 percent don't monitor file transfer protocol (FTP) usage;
o 66 percent use tapes, CDs, USB drives, DVDs and other media to transfer files;
o 60 percent use FTP; and
o 52 percent e-mail work through personal accounts like Gmail and Yahoo.
Taher Elgamal, Axway's chief security officer, said that in a lot of cases employees use risky means to convey data because they have to get things done quickly. When the corporate network or e-mail is down or experiencing problems, people have to use other means.
"You've got to get it done. And if your mail system blocks it because it's too big or you can't find where the FTP server is, you've just got to find a way to do it," he said. "You're going to put it on a DVD and ship it by courier or you're going to run your own FTP server and your own queue and let people point to it. You're going to find a Yahoo e-mail account or a Gmail account and you're going to send it through."
Seventy-one percent said they were concerned with the federal government's current file transfer security, while 42 percent said they'd taken all the necessary steps to ensure secure transfer.
Elgamal said the government most likely has enough money to spend whatever needs to be spent on security, and that the real reasons behind lax procedures and lack of knowledge are too little education about policies and not using the right security tools.
"There's enough budget for security in government," he said. "Every agency in the government has enough people that understand the value of the data, and it's a matter of empowerment."
Sixty-four percent of agencies surveyed said they weren't currently discussing file transfer practices.