Over the years we have seen the headlines time and time again of breaches into networks where personal information is compromised. Most recently it was Target and Home Depot. This begs the question: were they all hacked, or is this merely the story that was fed to the media? So, how safe is your personal information at work? By personal information I mean specifically Social Security numbers, birth dates, home phone numbers, and even the locations and identities of undercover officers.
Dr. Eric Cole from the SANS Institute published a paper in August 2014 on this very topic. In it he stated:
“Many people think of law enforcement organizations as tracking down and arresting criminals, not being the target of the criminals. However, based on the valuable information such agencies have at their disposal, they are—and continue to be—a target of attack. The fact that law enforcement agencies are the target of a range of attacks is not very surprising. So, law enforcement organizations have invested considerable resources into protecting their assets. The problem is that they have invested considerable effort and energy in building a robust, secure network to protect the servers within the environment. Although network protection is critical, because servers contain the information and networks provide access to that information, the network often is not the weakest link. Many adversaries have recognized that breaking into a well-configured and secure server is very difficult. Therefore, they are now targeting an operating system that is hard to control and impossible to patch. That operating system is the human operating system, and the human being, as the target, represents the insider threat.”
Based on that expert opinion, it would appear our police department should be very cautious about the “insider threat.”
As many of you may or may not know, the Phoenix Police Department is moving to what is referred to as a two-factor authentication system for security purposes. It will include a password and your fingerprint to log on. This helps lessen the threat to the security of our network, but it doesn’t address all of it. There is still the “human operating system”.
For decades the Phoenix Police Department has required a background check, fingerprints and a polygraph of every employee in the police department. That is an important point, especially considering the sensitive data both sworn and civilian employees have access to, but recently that has changed. PLEA has learned that we have compromised our personal security. There are several employees in the department today with access to sensitive information who have refused or have never been forced to comply with the polygraph examination. Those same employees have access to all of our personal information. While polygraphs may not be 100% accurate, we can probably all agree that if a new hire or an existing employee with something to hide knows they have to pass a polygraph to get the job, they probably won’t apply. The intimidation factor alone will keep many at bay. And what about the employee who refuses to take a polygraph examination as a condition of employment during the hiring process? Shouldn’t that set off red flags for a police agency wondering what they have to hide? We should all be concerned for our personal information. Lowering the standards for employment, especially for those with access to our computer databases, is not addressing the issue of the “human operating system”. Instead of being security conscious, we knowingly hire persons for sensitive positions who refuse to be polygraphed simply because they have a skill set that we need. The Department consciously allows this to happen knowing it is chipping away at our security and essentially welcoming the breach with open arms.