The FDIC has had a rough year. Earlier this year, the Office of Management and Budget said in its annual report that the Federal Deposit Insurance Corporation (FDIC) was involved in 10 out of 16 major data breaches. The FDIC’s systems permitted employees to download personal information to USB drives and other removable media, something that is normally not allowed in public sector institutions. In September, the Inspector General’s report raised further alarm: over the last two years there have been more than 50 data breaches at the FDIC. Naturally, this caused some panic in the FDIC’s leadership. We reached out to interview an employee to get some perspective on what has happened since.
Interviewer: The Inspector General’s report on the FDIC came out recently. Can you tell me about your perspective on the ground?
Well, it has been chaotic around here, to be honest; managers are all scrambling to read the full report and address the vulnerabilities. Management was swift in stepping up their cyber security efforts. Makes sense, because some of those breaches were caused by employees not following policy.
Interviewer: So of those multiple data breaches in the last year, some were because of insiders?
Yes, but not anyone intentionally trying to access unauthorized areas. I personally have only encountered two data breaches here. This report really caught management, or really almost everyone, off guard. So now there is a rush to tighten up security here. I know cyber security has been a big concern in other federal organizations, but it seems like this year it was elevated.
Interviewer: Do you expect management to sustain their sense of urgency when it comes to cyber security now?
Absolutely! The thing is, here, cyber security has always been a priority, but as a public institution we are accountable to the public for data that we mismanage. Information security, or cyber security as it is called now, has always been a principal concern. With data breaches happening every day, it seems there is no way to ignore the problem. It was just a surprise to us all that we have had more than 50 data breaches in one year. When it comes to data, I don’t think you will find a private institution that has historically taken security as seriously as the public sector has.
Interviewer: Do you think the IG report was fair and comprehensive?
I do, actually. I’m very glad that it has revealed some shortcomings we didn’t notice. In IT, we work closely with the cyber security team, so we saw, very quickly, how fast changes started being made. The IG reports are always a wake-up call for any organization. It’s the equivalent of when an auditor comes to a company. You want to make sure everything is operating exactly as it should be. The difference is that IG reports are public and can be accessed by anyone.
Well, they never really go away, especially in the public sector. Even an organization as neutral as the FDIC can be a problem for one of the employees here or the vendors that work with us. People always have their political motivations in the public sector. One of the problems recently across government is internal activist coalitions. They generally talk about internal operations on social media and make public any internal strife. If a hacker decides to take advantage of that, it would be easy to do so. They’re also clearly able to get around any security protocols in place, so we need stronger insider threat solutions, especially considering today’s political climate.
Interviewer: If you had a word of advice for public sector employees, what would it be?
Stay vigilant! Seriously, most of us are just trying to do our jobs and serve people. It doesn’t help the public when we stay silent when we see suspicious behavior at work. Also, make sure you never use any external devices such as USBs at work. That was one of our shortcomings published at the FDIC that led to so many breaches.
We’re able to see from this interview that there were a few areas the FDIC could work on, which they’re likely tackling now. While those specific areas were discussed, we were asked not to publish them until they were actively being resolved. Insider threats have been one of the main drivers of issues at the FDIC, and so have the systems meant to prevent insider incidents from happening. As the employee said above, the FDIC and other public institutions take security very seriously. However, it would seem that developing a security culture is a challenge in the public sector due to individualist cultural attitudes in the wider country. When everyone is out for themselves, collective benefits can be ignored quite regularly or glossed over.
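The one control this interview makes concrete is the removable-media policy that was not enforced. As an added example (not from the post or from the FDIC), here is a PowerShell check that audits whether a Windows endpoint's Removable Storage Access policy denies writes to removable disks and applies the deny if it does not. The registry paths and the Removable Disks class GUID are the documented policy locations; the function names and the report shape are this example's own.

```powershell
# Added example: audit and enforce "deny write to removable disks" on a Windows
# endpoint using the registry values that Group Policy's Removable Storage Access
# settings write. Run in an elevated session. Function names are this example's own.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device setup class GUID for "Removable Disks" (USB mass storage), as used by the policy.
$RemovableDisks = Join-Path $PolicyRoot '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RemovableStoragePolicy {
    # Summarise the effective deny settings. A missing value means "not denied".
    $denyAll   = (Get-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    $denyWrite = (Get-ItemProperty -Path $RemovableDisks -Name 'Deny_Write' -ErrorAction SilentlyContinue).Deny_Write
    $denyExec  = (Get-ItemProperty -Path $RemovableDisks -Name 'Deny_Execute' -ErrorAction SilentlyContinue).Deny_Execute
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        DenyAll     = ($denyAll -eq 1)
        DenyWrite   = ($denyWrite -eq 1)
        DenyExecute = ($denyExec -eq 1)
        # Compliant when either all removable storage or at least writes to removable disks are denied.
        Compliant   = ($denyAll -eq 1) -or ($denyWrite -eq 1)
    }
}

function Set-RemovableStorageDenyWrite {
    # Create the policy keys if absent, then deny write and execute on removable disks.
    # Read is left allowed so users can still open media they legitimately receive.
    foreach ($key in @($PolicyRoot, $RemovableDisks)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    New-ItemProperty -Path $RemovableDisks -Name 'Deny_Write'   -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $RemovableDisks -Name 'Deny_Execute' -PropertyType DWord -Value 1 -Force | Out-Null
}

$before = Get-RemovableStoragePolicy
if (-not $before.Compliant) {
    Write-Warning "Removable-disk writes are allowed on $($before.Computer); applying Deny_Write."
    Set-RemovableStorageDenyWrite
}
Get-RemovableStoragePolicy | Format-List
```

A local registry change only covers one machine and can be undone by a local administrator; in a domain the same values should be deployed through a Group Policy Object so the deny is enforced centrally and the audit above becomes a compliance check rather than the control itself.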
We will continue to provide more interviews, and reflect on the topics that come about as a result of cyber security revelations.