We almost never hear a good word about the United States Postal Service, but today, we’re going to change that. The USPS manages more than 31,000 retail locations and employs more than 500,000 workers across the United States. The technology involved with managing something that large takes careful planning and tedious management. That’s why we applaud them for doing what every business, no matter the size, should do: go through the painful process of auditing its data loss prevention (DLP) and mobile device management (MDM) strategies.
What did they find?
Their internal DLP and MDM controls needed to be tightened because their own employees pose a security risk that could lead not only to data loss, but to data being released into the hands of nefarious individuals.
The USPS released its findings, although heavily redacted, in an End User Data Loss Prevention Audit Report in April 2015. In a nutshell, this is what it said:
“We determined the DLP and mobile device management systems do not operate effectively to prevent internal users from sending sensitive information outside the Postal Service network. Sensitive information includes personally identifiable, financial or proprietary information, and other business-sensitive data.”
They found a workforce not fully informed about the service options available with their document management and data backup systems, and one whose mobile device policy left gaping security holes in the system.
A data backup plan isn’t much of a data backup plan unless it’s A) actually used, and B) tested regularly to make sure it is still working. There seems to be some of that in the case of the USPS, from what can be gleaned from the report, but at the small-business level, this is often the single biggest data protection oversight we find among the businesses for whom we’ve performed data backup and security audits. During our audits, we too often discover security loopholes, irregular data backup schedules, and no quality control checks whatsoever.
Most security measures are put in place to protect data from outside entities trying to access it, but more and more the threat of data loss is becoming an in-house security issue, as the USPS found in its report.
Nearly everyone has some kind of mobile device in their pocket or bag, and their access to information on your server should be aggressively monitored and managed. This isn’t to say your employees are out to get you and intentionally want to disrupt your business. That is not typically the case at all. The issue comes from the accidents and mistakes that are bound to happen.
“An iPhone was found over by the _____. If you are missing yours, let us know here at the information booth.”
Twice in the past two weeks I have been at events where that announcement was made. It happens. If it happens and that phone has remote access to sensitive data, then it could be used for nefarious means.
So when we saw an article about the recent USPS internal data loss prevention audit, we had to applaud the effort, and share their story on our site.
DLP is treated as a set-it-and-forget-it technical function, and nothing could be further from the truth. Without regular security updates and functionality checks on data backup, there should be little emotional security for business owners.
If you are a business owner seeking emotional security over your data and network, you might want to consider taking advantage of our Free Data Security Audit. It’s a pain-free, no-pressure audit where we evaluate your network, give you our findings and recommendations, and then go on our way.