I think this is a lesson that our three letter agencies need to wrap their heads around over a cup of coffee. It isn’t an easy answer really because if you prevent a breach there is no event, it is business as usual, but if you catch the employee that caused the breach you will likely get rewarded for a job well done. However, from an organizational perspective, the entire point of security over information is to keep it securely contained.
With the massive number of leaks coming out of Washington and particularly intelligence agencies and the State Department you’d think there would be a massive effort to use something like Varonis (information access and tracking company) to prevent the breach. But, this week, we had yet another young person destroy their career and lose their freedom as a result of a bad decision to leak a confidential document to the media. An act that could have been easily prevented and was easily caught after the fact, making me wonder if somewhere our priorities got flipped.
I think that in many companies priorities are flipped, and that is why I’m asking this week whether it is more important to stop a breach than catch the soon-to-be-unemployable imprisoned young employee that made this career ending mistake.
At the heart of this latest breach was a document a contractor who had security clearance and was able to print and distribute intact. What got her caught is that the document was obviously printed and scanned, which means any electronic tracking was removed from it. Had either she or the news organization simply scanned, done character recognition, and then digitized the result so it was no longer an image file the ability to connect it back to a printer would have been lost.
But the real question is: why are people allowed to print classified documents without separate individual authorization anyway?
However, often the approving manager or employee does the approval as a chore they want to get out of and so they may do stupid things like blanket approvals, or just rubber stamp any request that comes through, which actually makes the problem worse. This is because, if there is a breach, this approver is more likely to hinder the related investigation than help it because their career is suddenly on the line.
Better is to both prevent printing of certain classes of documents and alert the document owner when any confidential document is printed on top of requiring an approval from an independent third party before the printing process is started. There really is nothing you can do to a printed document you can’t do to one that is rendered electronically except easily breach security.
In addition, a failed attempt to print a classified document should immediately be flagged. Often, we only flag if security is breached, not if someone is simply making the attempt. It is a common practice for anyone attempting to make IP theft to first try the easy path largely because, just as often, the document isn’t properly secured and then try escalation later. But if you flag on the attempt and investigate you’ll have a better chance of preventing the breach in the first place.
Wrapping Up: Prevention Over Blame
As I look at this event I’m left with one big question: Is the focus of the policies at government agencies, or companies in general, prevention or blame? Tracking without real time alerting clearly has a focus on catching people after a breach and much of our legal system is based on this approach. That’s why we have things like stings, we need to catch the crime in progress or confirm it after the fact to get a conviction. But the purpose of security isn’t the same as that of law enforcement (and I kind of wonder if we shouldn’t fix law enforcement) with security it should be about prevention not incrimination. In fact, I believe, even if you catch the person who drove the breach, security has failed.
Employees do stupid things, part of our jobs should be to both understand and mitigate that risk. In the end, this latest breach was not only preventable, but it destroyed a life when it didn’t have to and that may have been the bigger problem.
You know, it strikes me that it may be time to have a chat with our kids as well about this kind of mistake. The next young person who destroys their life could be your kid…