There’s been a lot written about WikiLeaks over the past few weeks–some of it fair and some a bit off base. No question that there was a security breach related to classified documents ending up on WikiLeaks but it is important to dig a bit further to define what may have gone wrong.

Here are the elements of security involved and where a breakdown may have occurred:

1. Data classification. Every organization creates a lot of data but not all data has the same value. To distinguish between pedestrian and top secret data, many organizations employ some type of taxonomy for data classification. This should create a hierarchy of data, from public to top secret, where each type of data has different access policies and security controls. This is what should happen but it often doesn’t. In a 2009 ESG Research survey, 33% of the security professionals surveyed rated their enterprise organization as either “fair” or “poor” at classifying and tracking confidential data. The point here is that most organizations have sensitive data around that is not treated as such.
2. Access control. Access to sensitive data should adhere to the principle of least privilege which means that the data should only be accessible by users who need to see it to do their jobs. Easier said than done. If data is too restricted, workers complain, and there is a general feeling that data visibility leads to creativity and productivity. It is likely that people who shouldn’t have had access to the WikiLeaks documents did.
3. Acceptable use policy. These policies define what employees can and can’t do with sensitive data. Everyone has them but few organizations make sure that users read them, understand them, and know the ramifications of a policy violation.
4. User behavior monitoring. I know this one sounds Orwellian and to some extent it is but there has to be an audit trail indicating who accessed which sensitive documents. Some organizations go further and either restrict what users can do with these documents (i.e., digital rights management or enterprise rights management), or at least monitor what they actually do when they access sensitive documents (i.e., email them, print them, save them to a USB drive, etc.). Again, this isn’t easy to do and in my opinion many organizations either don’t monitor user behavior at all or don’t do it very well.
5. Insider attacks. Most large organizations have their fair share of alienated employees willing to expose or steal sensitive data. This is especially problematic if these malcontents work in IT or have especially high security privileges. Obviously, the problem gets worse if alienated employees work at organizations with poor security controls, weak policies, AND lots of sensitive data.

It’s easy to point fingers at the State Department or Federal Government but any security professional can tell you that these problems are fairly pervasive. In fact, see the recent ESG Research Report, “Assessing Cyber Supply Chain Security Vulnerabilities Within the US Critical Infrastructure,” for more alarming data about how vulnerable we are (the report can be downloaded at www.enterprisestrategygroup.com).

The sooner we realize and address these cyber security vulnerabilities, the better. This won’t eliminate breaches like the embarrassing WikiLeaks events, but it will lower the risk.

Related posts:

1. WikiLeaks, Critical Infrastructure, and Cyber Security
2. Corporate Executives Remain Lukewarm on Cyber Security
3. Cyber Stowaways
4. Critical Infrastructure Organizations Want Cyber Security Help From the Government
5. New ESG Research Report Points To Security Vulnerabilities In the US Critical Infrastructure

Tags: acceptable use policy, access control, cyber security, data classification, insider attack, principle of least privilege, Security, State Department, US Federal Government, user behavior monitoring, WikiLeaks