MoD partners playing fast and loose with confidential data

Data breaches arising from actions taken at private sector partners of the Ministry of Defence (MoD) have seen a dramatic spike over the past 12 months, according to documents shared with Sky News under freedom of information (FoI) laws.

The heavily redacted tranche of documents seems to show that the MoD’s Defence Industry Warning Advice and Reporting Point (Warp) received notice of 151 incidents during 2020, up from 75 in 2019.

Among the incidents detailed are numerous incidents of information being shared via personal email accounts – leaving highly classified information potentially exposed to malicious actors and hostile states, phishing attacks, misconfigured infrastructure, and compromises to MoD-owned IT systems, as well as breaches of physical security at military installations.

An MoD spokesperson told Sky News that the department takes security “very seriously” and is continually looking to improve its incident reporting procedures.

“We have recently introduced policy, processes and tools to make internal and external reporting easier and more efficient, and the increase in reports can be largely attributed to these improvements,” said the spokesperson.

As well as the recent launch of the Warp reporting system, the uptick in incidents may also reflect the often inadvertent relaxation of controls and standards among remote workers during the pandemic.

Carl Wearn, head of e-crime at Mimecast, commented: “The pandemic forced many organisations to work remotely for the first time, creating a real blur between employees’ professional and personal lives. This causes a real headache for cyber security as they no longer have complete visibility into employee activity and many people pick up poor cyber security habits.”

Wearn highlighted recent Mimecast research that highlighted 63% of Britons had used personal devices to access their employers’ corporate systems, and 60% had forwarded personal emails to professional ones and vice versa.

“This failure to follow basic cyber hygiene can have huge repercussions for organisations both financially and from a reputation perspective, and in this instance could have even seen data fall into hostile hands. Now is the time to prioritise cyber hygiene awareness training to ensure employees returning to the office will be proficient in keeping the business, and any data, secure,” said Wearn.

Tessian CEO and co-founder Tim Sadler agreed the sharing of data to personal email accounts was a far bigger problem than most organisations cared to realise.

“According to our data, employees send company sensitive information to personal email accounts 38 times [more] often than their IT and security leaders expect,” said Sadler.

“The problem is that data loss prevention has only been made more challenging since staff have been working remotely as employees send data to their personal accounts to print out or work on documents on home devices. While it might seem harmless, highly sensitive information in those emails now sits in an environment that is not secured by the company, leaving it vulnerable to cyber criminals.”

He added that the MoD’s experience should be a reminder to its contractors and others to highlight and enforce data sharing policies and put procedures in place to clamp down on such data loss incidents.