Times change, but threats remain

“From an individual’s standpoint, access to electronic versions of classified documents is out of control.”  

“It seems amazing that so few are allowed to control so much – apparently with little or no supervision or security audits.”

These statements are taken from an NSA internal document, and perfectly encapsulate how Edward Snowden was able to access and leak enormous amounts of classified material in 2013.  Yet the document was written by an NSA analyst in 1991 – 22 years prior to last year’s highly-publicised leaks, and at a time when most people had not even used a personal computer, let alone heard of the Internet.

Another extract from the document, which was recently declassified and discovered by Cryptome (http://cryptome.org/2014/01/nsa-rogue-sysadmins.htm), predicts with remarkable accuracy how Snowden – a sysadmin for NSA contractor Booz Allen – would be able to gather a library of sensitive material:

“A relatively small number of system administrators are able to read, copy, move, alter, and destroy almost every piece of classified information handled by a given agency or organization.

While the document focuses more on the risks of a foreign power recruiting spies from amongst US Government IT employees than on internal leaks, the principle remains that certain key staff within any organisation will have in-depth access to its most secret, sensitive material.  So how should organisations protect their data and themselves against the risks of damaging data leaks and losses – whether accidental, or malicious?

The first step is for organisations to evaluate their exposure to risk, including what types of sensitive data they have on their networks, and establish exactly what’s at stake should sensitive data leak.  They can those potential risks against the measures needed to counter and manage them, in terms of employee training, establishing new policies, controlling access to material and protecting data by encryption or other means.

While times have changed, and we all have access to computing power that was scarcely imaginable back in 1991 when that NSA document was originally written, the threat of data breaches remains, and is stronger than ever.