CIO

Despite new mandates, most government data security incidents are due to human error

The leak of world leaders' passport details by Australia's Department of Immigration and Border Protection made news around the world, but new figures suggest that such breaches are far from isolated incidents, with human error – and not outside hacking, as many might believe – the biggest source of compromise in government agencies.

It wasn't the first time DIBP was called out for leaking information: in February 2014, another human error led to the publication of the personal details of almost 10,000 asylum seekers on the agency's Web site.

Indeed, fully 80 percent of all security incidents within government agencies last year were due to human error, Verizon found after further analysis of nearly 80,000 security incidents previously presented in its 2015 Data Breach Investigations Report.

Those results will have many government security managers particularly concerned, as protection of privacy information has been a requirement for a long time and the newly revised Privacy Act controls impose significant sanctions on organisations that fail to protect their data appropriately.

Government IT-security professionals also face new mandates, such as the April order from the new Digital Transformation Office (DTO) that all government agencies must comply with all 36 Protective Security Policy Framework (PSPF) controls as well as the requirements of the Australian Signals Directorate's Information Security Manual (ISM).

With agencies expected to have laid down compliance plans by September, public-sector CSOs may be chagrined to hear Verizon's finding that agencies were far more vulnerable to attack than those in other sectors. In 78 percent of attacks against government agencies, hackers were able to compromise target systems within seconds; across all sectors, that figure was just 38 percent.

In half of the attacks against government targets, it took hours to exfiltrate data from the system. And while most victims (35 percent of the total) became aware of the breaches within minutes, in 68 percent of cases it took days to contain the incident.

Some 19 percent of public sector security incidents (compared to 15 percent across all industries) related to physical theft and loss of information – a factor that the report suggests is “actually more of an issue in the public sector than elsewhere”.

An additional 25 percent (compared to 20 percent) of government security incidents were due to insider and privilege misuse, with 23 percent of those related to use of unapproved hardware like flash drives to take data out of the organisation.

Another 36 percent of incidents were attributed to 'miscellaneous errors' – a category that includes misdelivery of email and letters, which accounts for most errors in this category. This category, which includes both known DIBP breaches, was well up from the 28 percent rate across all industries and highlights the importance of cross-checking and quality control to avoid further incidents.

The security risks from human error have long been a significant anecdotal thorn in the side of security practitioners, but the new research suggests that government employees – who collectively deal in sensitive and usually personally identifiable information about ratepayers – are more susceptible than most.

“Any loss of sensitive citizen data, such as tax information or social security details, can cause a loss of public trust,” the report warns, recommending that agencies use quality checkpoints to ensure information is only sent to the intended recipient; analyse past mistakes and implement policies to avoid repeating them; and undergo regular staff training to minimise the recurrence of human-related security issues.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
