After a data spill: Containing and repairing the damage


Five tips to help agencies minimize the damage of an unintentional data spill.

According to the Identity Theft Resource Center, U.S. companies and government agencies suffered a record 1,093 data breaches in 2016, a 40 percent increase from 2015. Not only are data spills becoming more prevalent, but the price tag associated with each is also on the rise. The 2016 Cost of Data Breach Study: Global Analysis released by the Ponemon Institute reports that the average total cost of a data breach for the 383 companies surveyed increased from $3.79 million to $4 million from 2015 to 2016.

Data spills, also known as data breaches or data leaks according to the National Initiative for Cybersecurity Careers and Studies, are the unauthorized movement or disclosure of classified or sensitive information to a party not authorized to possess or view the material. Unlike a hack, where an unauthorized user attempts to gain and maliciously use data, spills are usually the result of human error or carelessness.

Although many organizations have policies and procedures to promote best practices for securing data and avoiding spills, such as the National Institute of Standards and Technology’s Special Publication 800-14, spills still occur.

However, there are a few things agencies can do to minimize the damage of a spill after it happens:

1. Identify the data owner and declare the spill level. Organizations must first understand the type of spill that’s occurred. For government agencies, an information security officer or the originator of the information is responsible for determining if the spilled information is classified or not, assigning the appropriate level of classification and, when possible, declassifying the data. As there are multiple levels of network classifications (e.g., Top Secret, Secret, etc.), there are also different data spill levels that are defined by the number of classification levels the information travels through. A one-level spill means that information has been moved from a higher classified network to a lower classified network (e.g., from Top Secret to Secret) and so on. The spill level does not account for the type of data spilled; it only indicates the classification level of the networks that the data traversed. The spill level also determines the type of cleanup required.

2. Analyze the data to determine the impact. The agency must assess both the in-house complications and any potential harm to national security, and quickly contain the spill. Once the spill level has been declared, analyze the data to understand the size of the spill, the number of users impacted, the type of data spilled and the operational implications for the agency. Depending on the type of data the organization handles, spilled data might contain personally identifiable information, intellectual property, proprietary data or classified military or agency data. While some data leaked in isolation may be harmless, if paired with other leaked data, the combination could be catastrophic. Whatever the data level or type, agencies must decide how to contain and sanitize the affected systems.

Because data spills cost money (and often credibility), some organizations penalize the responsible party. Penalties can range from a fine and disciplinary action to loss of job and security clearance. It is therefore advisable to retain any evidence from the spill that documents the historical account of events as well as those responsible.

3. Clean the spill and return to regular operations. Once evidence has been collected and documented, agencies should clean the spill as rapidly and effectively as possible. Sanitization of the spill may take several forms and require tools like email filters and the Host Based Security System, the software the Defense Department uses to protect its networks. Most often, spills occur over email. While automation can be helpful for cleanup, in many cases a manual review may be more effective, although it can be more labor intensive and costly. Instead of just clicking a button and wiping a machine, technicians must go through the mailboxes (received, sent and trash folders) and also check all file folders where the email or spilled data may have been stored. For every new recipient of the spilled data found, that mailbox will also have to be sanitized. Depending on the type of data spilled and the recipients of the data, it may be necessary for the receiving organization to sanitize the data as well.

A variety of technical means may be employed for sanitization such as BCWipe, data shredder, data erasure or destruction of hardware. The tool and procedure are largely dependent on the severity of the spill.

Lastly, don’t forget to clean the backups. The date of the actual spill and the amount of time that has elapsed since its detection will dictate how far back into the backups sanitization needs to go. What’s critical to understand is that while sanitizing the backups is a necessary step, it also permanently removes all data needed in the event of a failover scenario, disaster recovery or continuity of operations event.
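As an added example (not code from the article or from any agency tool), the recipient tracing described in step 3 and the backup window from the paragraph above, worked in Python over constructed mail metadata. The agency domain, message ids, addresses and snapshot dates are all assumed sample values.

```python
from collections import deque

AGENCY_DOMAIN = "agency.example"  # assumption: the agency's own mail domain

# Constructed sample mail metadata (not real traffic). Each record is one
# message; 'parent' is the id of the message it forwards, if any.
MESSAGES = [
    {"id": "m1", "from": "alice@agency.example",
     "to": ["bob@agency.example"], "parent": None},
    {"id": "m2", "from": "bob@agency.example",
     "to": ["carol@agency.example", "dan@partner.example"], "parent": "m1"},
    {"id": "m3", "from": "carol@agency.example",
     "to": ["erin@agency.example"], "parent": "m2"},
    {"id": "m4", "from": "bob@agency.example",   # unrelated message
     "to": ["frank@agency.example"], "parent": None},
]


def trace_spill(messages, spilled_id):
    """Follow the spilled message through every forward it spawned.

    Returns (mailbox -> set of message ids holding spilled content,
    set of external domains whose organizations must sanitize too).
    """
    by_id = {m["id"]: m for m in messages}
    children = {}
    for m in messages:
        if m["parent"]:
            children.setdefault(m["parent"], []).append(m["id"])
    worklist, seen = deque([spilled_id]), set()
    mailboxes, external = {}, set()
    while worklist:
        mid = worklist.popleft()
        if mid in seen or mid not in by_id:
            continue
        seen.add(mid)
        m = by_id[mid]
        # The sender's Sent folder and every recipient's mailbox hold a copy;
        # each new recipient found is itself a mailbox to sanitize.
        for addr in [m["from"], *m["to"]]:
            if addr.split("@", 1)[1] != AGENCY_DOMAIN:
                external.add(addr.split("@", 1)[1])
            mailboxes.setdefault(addr, set()).add(mid)
        worklist.extend(children.get(mid, []))  # follow forwards
    return mailboxes, external


def backups_to_sanitize(snapshot_dates, spill_date):
    """ISO-date snapshots taken on or after the spill may hold the data."""
    return sorted(d for d in snapshot_dates if d >= spill_date)
```

Sanitizing each returned mailbox still means checking Inbox, Sent and Trash folders by hand, as the article notes; the worklist only tells the technician where to look.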

4. Document, train and learn from your mistakes. Documenting the spill is important not just from a legal standpoint, but also from a training perspective. If an agency decides to take corrective action, it’s important to have the facts documented to avoid confusion and false blame. As frustrating and potentially devastating as spills can be, they are also the best way to ensure they don’t happen again. Take the opportunity to turn the spill into documentation and training materials for agency staff. From new hires to executive leadership, make sure that everyone understands how easily a data spill can occur and how severe the consequences can be for both the organization and those responsible.

5. Be willing to change. Leadership must understand that part of learning from past mistakes sometimes means changing the way things are done. In some cases, organizational or spatial circumstances may make it easy to spill data. For example, users who work on a classified system may also have access to an unclassified system, sometimes in the same workspace. Consider taking precautions to help the user remember which system they are on -- different desktop background, different password requirements -- or separate the systems completely. Too often, users just get buried in their work and unintentionally spill data because it’s just too easy to do so.

Conversely, some organizations make it frustrating for users to do their work within security parameters. For example, if a user has to log into a virtual machine through a remote desktop, then use a dated application that’s slow and cumbersome just to send a file over a classified network, it may be tempting to just send the file via email over the modernized non-classified network. Consider users’ needs and encourage best practices by making the right decisions the easy ones.

Data spills are inevitable; as long as humans are involved in handling, manipulating and communicating data, there will be a possibility of sharing that information with the wrong entity. And once it’s shared, no matter how quickly IT managers delete or undo it, it’s never completely gone. The best thing agencies can do is train personnel to prevent spills but also accept that spills will happen and have a plan in place to manage the spill and its impact.
