Government Worker Privacy Survey: Improper Exposure of Official Use, Sensitive, and Classified Materials
Introduction

Data privacy is a growing concern for the US government as employees conduct business outside of secure environments, analysts and operators with varying degrees of clearance conduct their mission in shared operations centers and office space, and the military and field agents conduct remote operations and deployments to their mission destinations. The IT security industry has focused primarily on protecting the network and device layers, with little consideration of the most outward-facing risk: the last two feet from the computer screen to the user. This vulnerable expanse, if compromised, puts both the individual and the organization at risk. Government employees are often put in even more vulnerable situations than their commercial counterparts due to the nature of their business. They are direct targets of nation states, terrorists, organized crime and other nefarious actors attempting to better their position by stealing intellectual property and national secrets.

In December of 2011, we released the results of a mobile worker privacy survey that highlighted the lack of protections in the commercial space for preventing data leakage to over-the-shoulder eavesdroppers. Those survey results are summarized in the OptioLabs Mobile Worker Privacy Survey Whitepaper available at: http:///resources/mobile-worker-privacy-study/. The purpose of this new study is to look at the Federal workplace to understand the types of documents being viewed on government computers and how they are protected. At the 2012 FOSE Conference & Exposition in Washington D.C., we conducted a new survey to capture the thoughts and opinions of the government community. We presented the same set of questions that were asked of their commercial counterparts. Interestingly, we found that while the government cohort considered display security a high priority, few were doing anything about it.

There has always been a sense that the government takes security much more seriously than the private sector, but this study found that government and commercial organizations are about equal when it comes to data loss vulnerability. Even more concerning is the type of data at risk of exposure, including For Official Use Only (FOUO) and classified government information. The survey found that 60 percent of respondents use their computers in public places to view sensitive information. In fact, most respondents indicated that they work with multiple types of sensitive information: 57 percent stated that they work with financial/credit card data; 18 percent work with For Official Use Only (FOUO) information (FOUO is used primarily by the United States Department of Defense as a handling instruction for Controlled Unclassified Information); 18 percent work with human resources data; and 19 percent work with classified information. We randomly selected over 100 people for this survey. Throughout this report, we outline our results and make comparisons to the commercial mobile worker survey; together they support our claim that neither commercial industry nor government agencies are doing enough to prevent data loss through visual means.
Contents

Introduction
Government Not Protecting Critical Data In Public
False Sense of Security
Data Exposure
Government Data Remains Exposed
Government Survey Results
  1. How often do you use your computer in public spaces?
  2. How often are you concerned about other people looking at your display?
  3. What do you use your computer for: Business, Personal, Both
  4. How often have you looked at someone else's display without their knowledge?
  5. Do you use a screen privacy solution?
  6. What kinds of data do you work with that require privacy?
  7. How often have you worked with private information outside of the office?
  8. If only you could view your screen, would you be more productive in public places?
  9. How important is privacy to you?
Survey Demographics
  10. Are you male or female?
  11. Which category below includes your age?
  12. What job level do you perform in your organization?
  13. What industry do you work in?
  14. Who is your employer?
About OptioLabs
Government Not Protecting Critical Data In Public

While most expect the government to operate in a much safer working environment, we found that government and commercial organizations are about equal when it comes to data loss vulnerability. Late in 2011 OptioLabs surveyed mobile workers in the private sector, and that survey showed strikingly similar results to this new government study. Our surveys found that 99% of government and commercial users value data privacy, yet less than 20% use any form of screen protection. Government and commercial users both place a high value on the privacy of their data, but neither puts much effort into protecting against or preventing data loss through visual eavesdropping. One might think the government would make much greater efforts to protect its critical information; however, our results show that only 18% of government respondents use some form of screen protection, compared with 12% of workers in the commercial space. Of the 18% using protection, 15% use a plastic filter while 3% use some form of software protection.

Figure 1: Summary Results
False Sense of Security

It is well known that foreign entities target government employees, executives and their computer systems in efforts to exploit intellectual property and extract valuable information. All government departments recognize the issue and have IT policies, systems and procedures in place to minimize potential losses. With this degree of attention, and in light of several well-publicized breaches, it was surprising to find that only 75% of those surveyed expressed concern about people looking at private information on their computer displays in public places, while 62% admitted to regularly looking at other people's displays. Why displays are not part of existing IT security policy is a puzzle that may be partly attributed to a false sense of security and a lack of education on the threat. Government workers are less concerned about the privacy of data at the visual endpoint than commercial mobile workers and may not appreciate their risk of exposure.

As is the case in the private sector, the public sector values productivity beyond the boundaries of the work environment. Our survey shows that 41% of the government cohort believes that the ability to work outside of the office will increase productivity; the commercial figure of 52% is fairly comparable. As mobile technology continues to be adopted by the government, the opportunities for the adversary will only grow.

Figure 2: Threat and Productivity Comparison
Data Exposure

Sixty percent of respondents indicated using a computer in a public place with confidential information on the screen, and 69% admit to working on sensitive information outside of the office. The top four data types exposed in public places, in order, are:

1. Financial/Credit Card Information (57 percent)
2. Classified and FOUO Information (47 percent)
3. Personal Information (SSNs, Medical, Human Resources) (44 percent)
4. Proprietary / Trade Secret (18 percent)

Sensitive data such as financial results and credit card numbers, classified and FOUO information, personal records, healthcare records, and intellectual property are being regularly exposed.

Figure 3: Types of Data Exposed

The failure of individuals to protect data on computer screens has serious financial consequences for all organizations. In 2008 the U.S. Secret Service and Carnegie Mellon CERT performed an in-depth study of insider incidents at a wide variety of government, financial, IT and telecommunication entities. Their study revealed that 42% of incidents began with simple observation of unprotected computer screens, resulting in an average cost of $400,000 per incident.
Government Data Remains Exposed

While protecting data on computers is top of mind for everyone, most organizations are focused on conventional security technologies such as anti-virus software, personal firewalls and spam filters. The WikiLeaks episode clearly revealed one crucial fact: the government did not have adequate protections on sensitive data, and the status quo of traditional security tools and official policy could not stop a breach. Besides showing the need to tighten controls on removable media, WikiLeaks underscores the need for the government to start looking at a system the way an attacker does, by looking for the weakest links. The majority of breaches are made through social engineering attacks that start with simple observation. Adversaries, especially insiders, begin by surreptitiously observing computer screens before launching their attacks.

Preventing data leakage is a high priority within the government, and yet one of the easiest access points, the computer screen, is being overlooked. Over-the-shoulder reconnaissance reveals what is available, where it is, and who has access to it: all the ingredients an adversary needs to succeed at a data breach. The traditional tools for protecting computer screens from data leakage are the ever-unpopular plastic privacy filters, but even when they are used they are ineffective at stopping a breach: all it takes is a direct view from behind the user to get a clear view of the screen. Clearly the government needs a more effective technology solution for securing displayed information. Studies of security breaches by the U.S. Secret Service, Verizon Business, Carnegie Mellon and others consistently reveal that insiders cause 30% to 50% of incidents.

Social engineers, disgruntled employees, suppliers, and competitors can be adept at maneuvering around strong controls to exploit points of weakness, including simply looking over someone's shoulder to steal information directly from the screen. With insider incidents costing organizations an average of $750,000 per year, the stakes are high. Even the U.S. Government has recognized the issue and in 2010 updated the legal definition of Computer Trespassing to include looking at a computer screen that an individual was not authorized to view. While the new statute makes it easier to prosecute social engineers, catching them remains the primary challenge. What's lacking are technical security solutions to protect information over the last two feet of the network: from the screen to the user's eyes.

OptioLabs will continue to expand the survey results with ongoing surveys of consumers, enterprise, and government mobile workers. Our goal is to raise awareness as a first step in helping organizations to recognize and solve this growing challenge.
Government Survey Results

The following section details responses to the questions posed during the survey.

1. How often do you use your computer in public spaces?

2. How often are you concerned about other people looking at your display?

3. What do you use your computer for: Business, Personal, Both

4. How often have you looked at someone else's display without their knowledge?

5. Do you use a screen privacy solution?

6. What kinds of data do you work with that require privacy?

7. How often have you worked with private information outside of the office?

8. If only you could view your screen, would you be more productive in public places?

9. How important is privacy to you?
Survey Demographics

The following section details the demographics of the people who completed the survey.

10. Are you male or female?

11. Which category below includes your age?

12. What job level do you perform in your organization?

13. What industry do you work in?

14. Who is your employer?
About OptioLabs

Computer screens are the last unprotected frontier in information security. You secure your networks and your hard drives, but how do you secure displayed data from unauthorized viewers? Prying eyes are everywhere, from insider threats in the office to competitors in the airport. Developed by a team of security experts, PrivateEye Enterprise from OptioLabs is security software for organizations that need to control proprietary and regulated information displayed on Windows desktops, laptops, and tablets. PrivateEye Enterprise actively prevents visual eavesdropping by blurring the display on a device whenever an authorized user is not paying attention. It looks for potential visual eavesdroppers nearby and will warn the user or automatically protect the display whenever one is detected. It's convenient for the user, automatically recognizing their face so that they don't have to type passwords, but it is tough on potential intruders: anyone attempting to break in to an unattended workstation will have their picture taken and recorded in an audit log. For enterprises needing to comply with regulations, PrivateEye Enterprise's audit trail gives a whole new level of evidence that can be used to prove that data on displays is continuously protected against unauthorized disclosure. PrivateEye Enterprise is a product you can depend on to protect your data.

OptioLabs develops transformational security products for the mobile enterprise and embedded systems. Led by a world-class team of technologists, and leveraging innovations developed for national security protocols, OptioLabs has pioneered game-changing advanced security solutions for the world's leading mobile platforms. With offices in Baltimore and Nashville, Tennessee, OptioLabs customers include federal agencies, commercial enterprises, and device manufacturers.

Contact
sales@optiolabs.com
443-275-9253
323 West Camden Street, Suite 801, Baltimore, Maryland 21201

Download a free trial of PrivateEye Enterprise at http://.

2016 OptioLabs Inc.