When we think about an organization that puts far more focus on day-to-day productivity than on cybersecurity, we probably picture a small business that doesn’t hold much critical data, not the Central Intelligence Agency (CIA). However, we can all learn from five key points in the CIA’s own redacted debrief report:

1) They failed to rapidly detect security incidents. What does your organization have in place for quick detection of unusual behavior within your network?

2) The CIA failed to heed warning signs about employees. Disgruntled employees are a real threat, because they often already have access to the data you need to protect. What policies do you have in place, such as “least privilege” (need-to-know access only), internal reporting of suspicious behavior, or technical controls and alerts on attempts to copy or erase data? Do multiple employees share passwords or have administrator-level access?
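The “alerts on attempts to copy or erase data” control above is easy to describe and rarely implemented. The following is an added example, not code from the original post, showing the shape of such a detector: it reads a constructed file-audit log (the comma-separated format, usernames and thresholds are all assumptions for the illustration) and flags any account that reads or copies an unusual number of files in a short window, or deletes more than a handful of files.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample audit log: timestamp,user,action,path (hypothetical format).

    Two ordinary users with normal daytime activity, plus one account that
    copies 60 files from an archive share in five minutes at night and then
    deletes six of them.
    """
    lines = [
        "2020-06-16T09:00:01,alice,READ,/share/reports/q1.pdf",
        "2020-06-16T09:00:05,alice,READ,/share/reports/q2.pdf",
        "2020-06-16T09:01:00,bob,READ,/share/hr/handbook.pdf",
        "2020-06-16T10:30:00,bob,DELETE,/share/hr/old_draft.docx",
    ]
    base = datetime(2020, 6, 16, 22, 10, 0)
    for i in range(60):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()},mallory,COPY,/archive/tools/file{i:03d}.bin")
    for i in range(6):
        t = base + timedelta(minutes=6, seconds=i)
        lines.append(f"{t.isoformat()},mallory,DELETE,/archive/tools/file{i:03d}.bin")
    return "\n".join(lines)


def parse_log(text):
    """Turn the raw log text into (timestamp, user, action, path) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, path = line.split(",", 3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    return events


def max_in_window(timestamps, window):
    """Largest number of events that fall inside any sliding window of the given length."""
    timestamps = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_alerts(events, window=timedelta(minutes=10), copy_threshold=50, delete_threshold=5):
    """Return {user: [reasons]} for accounts whose copy or delete activity crosses the thresholds.

    The thresholds are illustrative; in practice they are tuned per share and per role.
    """
    per_user = defaultdict(lambda: {"copies": [], "deletes": 0})
    for ts, user, action, _path in events:
        if action in ("READ", "COPY"):
            per_user[user]["copies"].append(ts)
        elif action == "DELETE":
            per_user[user]["deletes"] += 1

    alerts = {}
    for user, rec in per_user.items():
        reasons = []
        peak = max_in_window(rec["copies"], window)
        if peak > copy_threshold:
            reasons.append(f"{peak} file reads/copies within {window}")
        if rec["deletes"] >= delete_threshold:
            reasons.append(f"{rec['deletes']} file deletions")
        if reasons:
            alerts[user] = reasons
    return alerts


if __name__ == "__main__":
    for user, reasons in find_alerts(parse_log(build_sample_log())).items():
        print(f"ALERT {user}: " + "; ".join(reasons))
```

The point of the example is the data source, not the thresholds: none of this works unless file servers and shares actually emit per-file access and deletion events and someone is looking at them, which is exactly the gap the report describes.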

3) No one was made responsible for ensuring that systems were implemented and maintained securely. The best firewall in the world can’t protect you if it is not implemented properly, or if a rule is changed to allow any/all access as a quick fix for an access issue. We see both of these issues regularly when we perform security and compliance assessments.
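The “allow any/all as a quick fix” rule is something an automated review can catch before an assessor does. As an added example (not code from the original post; the rule fields, the rule set and the list of administrative ports are constructed for the illustration), the script below walks an ordered firewall rule list and flags three things: a permit-everything rule, a rule that exposes an administrative or unrestricted service to any source, and every rule that is unreachable because an earlier permit-everything rule already matched all traffic.

```python
# Ports treated as administrative for this illustration (assumption).
ADMIN_PORTS = {22, 3389, 445}


def build_sample_rules():
    """Constructed rule set, in evaluation order. Rule 2 is the 'quick fix'."""
    return [
        {"id": 1, "action": "allow", "src": "10.0.0.0/8", "dst": "10.0.1.5",
         "ports": [443], "comment": "internal web app"},
        {"id": 2, "action": "allow", "src": "any", "dst": "any",
         "ports": "any", "comment": "TEMP: vendor could not connect"},
        {"id": 3, "action": "allow", "src": "any", "dst": "10.0.1.9",
         "ports": [3389], "comment": "RDP to jump host"},
        {"id": 4, "action": "deny", "src": "any", "dst": "any",
         "ports": "any", "comment": "default deny"},
    ]


def audit_rules(rules):
    """Return a list of (rule_id, finding) for rules that should not pass review.

    Rules are assumed to be evaluated top-down with first match winning, so
    once an allow any/any/any rule is seen every later rule is dead.
    """
    findings = []
    open_rule = None  # id of the first permit-everything rule, if any

    for rule in rules:
        if open_rule is not None:
            findings.append((rule["id"], f"unreachable: shadowed by allow-all rule {open_rule}"))
            continue
        if rule["action"] != "allow":
            continue

        src_any = rule["src"] == "any"
        dst_any = rule["dst"] == "any"
        svc_any = rule["ports"] == "any"
        exposed_admin = not svc_any and bool(ADMIN_PORTS & set(rule["ports"]))

        if src_any and dst_any and svc_any:
            findings.append((rule["id"], "allow any/any/any: permits all traffic"))
            open_rule = rule["id"]
        elif src_any and (svc_any or exposed_admin):
            findings.append((rule["id"], "administrative or unrestricted service reachable from any source"))
    return findings


def summarize(rules):
    """Human-readable report; handy when run from a change-control job."""
    return [f"rule {rid}: {msg}" for rid, msg in audit_rules(rules)]


if __name__ == "__main__":
    for line in summarize(build_sample_rules()):
        print(line)
```

Run against the sample set, the audit reports rule 2 as an allow-all, and rules 3 and 4 as dead: the “default deny” at the bottom no longer does anything, which is why a quick fix like rule 2 quietly turns a firewall into a pass-through. In a real deployment the rule list would be exported from the device and the check run on every change, with a named owner responsible for the result.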

4) Known cybersecurity best practices were not enacted. Knowledge only helps you if you act on it. It is not unusual for us to see organizations that had testing or an assessment expose serious vulnerabilities years before we were brought in because of an incident.

5) Legacy systems that hold sensitive data lacked any protections at all. The key data that was stolen and exposed in the CIA’s breach was on an older system that no one was paying attention to, but that many employees still had access to. The CIA admitted in its report that if WikiLeaks had not made the world aware of the breach by publishing some of the stolen data, the CIA might never have realized it had been breached at all. Do you have older systems and/or decades of data that may not be fully protected today? What source(s) do you monitor for exposed data that might be attributed to your organization?

I applaud Senator Ron Wyden’s open letter to John Ratcliffe, asking for answers and confirmation of when the recommendations for remediating their many issues will be implemented.