The 2012 NASA data breach taught the world a lesson about IT asset management and cybersecurity, especially as it relates to municipalities. Dark Reading reported that, while “only” 10,000 NASA employees were affected by the data breach – a huge number in lay terms, but a relatively small number compared to some of the more disastrous data breaches – it was the way in which the breach occurred that shocked people the most.
Lessons Learned from the 2012 NASA Breach
Unencrypted information, including personally identifiable information relating to employees, was transferred from NASA’s database to a laptop, which was then left in an employee’s car. The employee went to a Halloween party; the car was subsequently broken into and the laptop was stolen.
While the employee was authorized to access the information, the data should never have been allowed to be transferred unencrypted to a laptop, and worse, the laptop should never have been left unattended in an employee’s car.
Applications to Municipalities
What does the NASA breach have to do with potential data breaches in municipalities? Info Security magazine reported that many local governments and municipalities still rely on outdated technology to control their data, including legacy file storage. While the private sector moves towards centrally managed cloud-based data storage solutions, municipalities, which are subject to limitations that the private sector is not, often find it difficult to move towards new technological solutions.
The Center for Digital Government produced its Advanced Cyber Threats in State and Local Government research survey, which showed the disparity between organizations identifying security as a priority and feeling prepared for an actual breach. While 32% of state and local government respondents ranked cyber security as a “very high” priority, only 11% felt that their organization was “very well prepared” to respond following an attack.
Image courtesy Center for Digital Government, “Advanced Cyber Threats in State and Local Government”
Issues Preventing Municipalities from Managing Vulnerabilities
Four main issues have been identified which go some way towards explaining why local governments, councils, and municipalities can find it difficult to stay on top of data breach vulnerabilities, despite their best intentions.
Budget Squeeze. Government departments and other public offices have budget issues that the private sector generally does not have to contend with. Even when council employees and IT departments identify ways in which they could strengthen their security, budgetary constraints can sometimes make new expenditure impossible.
Protocols and Compliance. Unfortunately, it is often those who know the least about current data security issues who are tasked with creating the data security policies that must be complied with. In other instances, policies are so outdated that they present more of an impediment to actual data security than anything else.
Long Buying Cycles. Tediously long buying cycles, often coupled with mandatory requests for proposal (RFPs), can slow down the buying process to the point where technology that was considered new and secure at the time it was identified becomes outdated or even redundant by the time it can be procured.
Shadow IT. The above issues inevitably lead to an increase in shadow IT – unofficial IT systems and software solutions put into place and utilized without official approval. And it is within shadow IT that many data breaches come about for councils, local governments, and municipalities.
Practical Ways to Deal with Shadow IT
When shadow IT comes into play, data breaches like the one that occurred at NASA in 2012 become much more likely. When people create their own IT systems or bring their own devices from home – usually out of necessity rather than any sense of wrongdoing – data is inevitably removed from its central, authorized storage.
A laptop left in an employee’s car can be stolen (as it was in the NASA data breach), or an employee’s personal thumb drive could infect the entire system with Trojan horse malware.
Where shadow IT occurs within municipalities, it must be identified and brought to the fore. A data recycling company like All Green Recycling can help departments respond to the introduced risks by offering certified data wiping and hard drive degaussing, among other solutions, to keep data secure.
Contact All Green Recycling today to find out more.