In this series of posts, we review recommendations for workplace cyber security published by the Communications Security Establishment Canada. Today, we offer commentary on CSEC’s Top 10 recommendations for strengthening cyber security.
The Communications Security Establishment Canada’s (CSEC) Top 10 IT Security Actions bulletin offers ten recommendations that promise to eliminate the vast majority of cyber threats that currently affect Government of Canada networks. Most of these recommendations are highly relevant to other public and private sector organizations as well. The Top 10, described in more detail on CSEC’s website, are:
- Use Shared Services Canada (SSC) Internet gateways
- Patch operating systems and applications
- Enforce the management of administrative privileges
- Harden operating systems
- Segment and separate information
- Provide tailored awareness and training
- Manage devices at the enterprise level
- Apply protection at the host level
- Isolate web-facing applications
- Implement application whitelisting
We would suggest that not only federal government organizations, but all organizations consider implementing these recommendations to reduce their vulnerability to cyber threats. The Top 10 actions very effectively address the most common categories of cyber security risks to affect every workplace: external hacking and common employee mistakes.
Addressing Insider Threats
However, implementing CSEC’s Top 10 recommendations will not significantly help to protect against rarer, but potentially much more serious insider threats. These are not only a danger to security agencies and high-level government offices. In recent years, insider threats have affected numerous healthcare and social service organizations, as well as private corporations. For example, Ontario has seen several incidents involving hospital employees selling patient information or looking up ex-spouses’ health records. Accidental insider breaches, such as lost laptops, can cause just as much damage.
CSEC’s recommendations assume that employees are generally trustworthy: that they access only what they are supposed to access for their work duties, that they pay attention to information about risks, and that they follow instructions on how to reduce risks. These assumptions may be true of the majority of employees, but not all. The only effective way to reduce the risk of an insider data breach is to limit employees’ access to sensitive data. Managers need to be fully aware of the extent of each employee’s access, and ask questions such as,
- Do employees have access to more data than they need to do their work?
- Do employees have access to enough personal information to perpetrate identity theft?
- Do employees have access to data sets that could be linked to reveal sensitive personal information?
Structuring Data Access on a Need-to-Know Basis
Large-scale breaches almost always start with employees having access to far more data than they need for their work. In many organizations, notably in healthcare, front-line service staff has total access to personal records databases. This means, for example, that a nurse could view patient records from another department, or even from another hospital within the same health network. The technical tools needed to implement customized employee access are widely available, but are not used nearly often enough.
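The kind of customized access the paragraph describes can be sketched in a few dozen lines. The following is an added example written for this commentary, not code from CSEC or from any hospital system: it assumes a simple model in which every record belongs to one hospital and one department, every front-line user is scoped to one hospital and one department, reads outside that scope are refused and logged, and users who accumulate refusals are surfaced for review. All names and sample records are constructed.

```python
"""Department-scoped access to patient records with denial auditing.

Constructed example (not CSEC's or any vendor's code). Assumes each record
belongs to one hospital and one department, and each user is scoped to one
hospital and one department.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Staff:
    user_id: str
    hospital: str
    department: str


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    hospital: str
    department: str
    summary: str


@dataclass
class RecordStore:
    records: Dict[str, PatientRecord]
    # (decision, user_id, patient_id) for every read attempt
    audit_log: List[Tuple[str, str, str]] = field(default_factory=list)

    def read(self, who: Staff, patient_id: str) -> Optional[PatientRecord]:
        """Return the record only if it lies inside the caller's scope."""
        rec = self.records.get(patient_id)
        # "Does not exist" and "out of scope" get the same answer, so a user
        # cannot use the response to learn which ids exist elsewhere.
        in_scope = rec is not None and (rec.hospital, rec.department) == (
            who.hospital,
            who.department,
        )
        if not in_scope:
            self.audit_log.append(("DENY", who.user_id, patient_id))
            return None
        self.audit_log.append(("ALLOW", who.user_id, patient_id))
        return rec

    def users_with_repeated_denials(self, threshold: int = 2) -> List[str]:
        """Users whose denied reads reached the threshold: a prompt for review."""
        denials = Counter(user for decision, user, _ in self.audit_log if decision == "DENY")
        return sorted(user for user, n in denials.items() if n >= threshold)


def build_sample_store() -> RecordStore:
    """Constructed records spanning two departments and two hospitals."""
    recs = [
        PatientRecord("P001", "general", "cardiology", "follow-up"),
        PatientRecord("P002", "general", "oncology", "consult"),
        PatientRecord("P003", "regional", "cardiology", "admission"),
    ]
    return RecordStore({r.patient_id: r for r in recs})


if __name__ == "__main__":
    store = build_sample_store()
    nurse = Staff("nurse01", "general", "cardiology")
    print(store.read(nurse, "P001"))  # allowed: same hospital and department
    print(store.read(nurse, "P002"))  # denied: another department
    print(store.read(nurse, "P003"))  # denied: another hospital in the network
    print(store.users_with_repeated_denials())
```

The scope check is the need-to-know rule from the paragraph made concrete; the audit log and the denial counter are what turn it into something a manager can act on, since a pattern of out-of-scope lookups is exactly the signal the Ontario incidents described above would have produced.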
Personal data is also often used for secondary purposes such as research and analysis. Typically, analysts are given de-identified data – datasets with personal identifiers removed. Yet de-identified data can still pose a risk to privacy, especially if the de-identification is done inexpertly. This raises the question of why analysts need data access at all. Analysts, unlike front-line service staff, do not actually need access to personal data; they need analytical tools to extract statistical results from datasets. Software is currently under development that will allow analysts to interact with datasets, running queries and obtaining results, without any access to raw personal data. With this type of technology, there will be no need to disclose personal data for secondary uses.
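The query-only interaction the paragraph anticipates can be illustrated with a small aggregate-only query layer. This is an added example for this commentary, not the software the paragraph refers to or any real product: it assumes analysts may group only on a whitelisted set of columns, receive counts rather than rows, and see any count below a minimum cell size suppressed. The rows, column names and threshold are constructed for illustration.

```python
"""Aggregate-only access to a dataset: constructed example.

The analyst never receives rows. They submit a grouping over permitted
columns and get back counts, with small cells suppressed. Column names,
rows and the threshold are assumptions made for this illustration.
"""
from collections import Counter
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample rows; in practice these stay behind the query layer.
RAW_ROWS: List[Dict[str, str]] = (
    [{"patient_id": f"P{i:03d}", "department": "cardiology", "age_band": "40-59"} for i in range(7)]
    + [{"patient_id": f"P{i:03d}", "department": "oncology", "age_band": "60+"} for i in range(7, 10)]
    + [{"patient_id": f"P{i:03d}", "department": "neurology", "age_band": "40-59"} for i in range(10, 12)]
)

# Identifiers are never valid grouping columns; only coarse attributes are.
PERMITTED_GROUP_COLUMNS = frozenset({"department", "age_band"})
MIN_CELL_SIZE = 5  # cells with fewer records than this are suppressed


def aggregate_count(
    rows: Sequence[Dict[str, str]],
    group_by: Sequence[str],
    min_cell: int = MIN_CELL_SIZE,
) -> Dict[Tuple[str, ...], Optional[int]]:
    """Count rows per combination of the group_by columns.

    Raises ValueError for any column outside the permitted set, and returns
    None for a cell whose count is below min_cell so that small groups
    cannot be singled out.
    """
    disallowed = set(group_by) - PERMITTED_GROUP_COLUMNS
    if disallowed:
        raise ValueError(f"grouping on non-permitted columns: {sorted(disallowed)}")
    counts = Counter(tuple(row[col] for col in group_by) for row in rows)
    return {key: (n if n >= min_cell else None) for key, n in counts.items()}


def run_query(group_by: Sequence[str]) -> Dict[Tuple[str, ...], Optional[int]]:
    """Entry point an analyst would call; the raw rows never leave this module."""
    return aggregate_count(RAW_ROWS, group_by)


if __name__ == "__main__":
    print(run_query(["department"]))
    print(run_query(["department", "age_band"]))
    try:
        run_query(["patient_id"])
    except ValueError as exc:
        print("rejected:", exc)
```

The suppression step matters as much as withholding the rows: a count of one for a narrow combination of attributes is itself a disclosure, which is why the de-identified extracts discussed above are not a complete answer.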
Many major breaches in recent years have been the result of ignoring a basic truth: no one needs access to the personal records of thousands, or hundreds of thousands, of individuals. Twenty years ago, when most organizations used paper records, physical safeguards limited the amount of data any one person could access; virtual safeguards are very capable of doing the same. New technologies also offer promising possibilities for expanding data analytics while protecting personal data. Creatively using technology to structure data access on a need-to-know basis can go a long way towards preventing the massive data breaches that currently threaten government organizations and private corporations alike.