The extensive online porn-accessing habit of an employee of a US government department known as the US Geological Survey (USGS) is being blamed for a government computer network becoming infected with malware.
In an investigation, highlighted in a paper (published online) by the US Office of the Inspector General, it was discovered that the unnamed employee is alleged to have accessed 9,000 pages on adult pornography websites.
It is believed that the infection of the government network happened after the employee used their work laptop to visit pornographic websites, some of which originated in Russia and contained malware, thereby compromising and infecting the laptop. It was from this laptop that the malware was able to spread to the government network.
The employee is also reported to have saved images from the infected websites onto an unauthorised USB device, and to a personal Android phone that was connected to the government-issued computer. This resulted in the Android phone also becoming infected with malware.
The big risk with malware is, of course, that it is designed to steal information and spread to other systems, and in the case of ransomware, for example, to destroy files, lock-down systems, and extort money.
In the UK, a government report from April this year found that nearly half the businesses in the UK have fallen victim to cyber attacks or security breaches in the last year, and that the most common breaches involved fraudulent emails e.g. phishing, attempts by scammers to impersonate the organisation online, as well as viruses and malware. The annual Verizon data breach investigations report from April showed that ransomware is the most popular form of malware used in cyber-attacks, and this type of malware is responsible for 40% of all successful malware attacks. The use of ransomware has doubled over the last year.
What Does This Mean For Your Business?
In this case, the use of USB devices and government computers for personal use was against the rules, but this didn’t appear to be actively monitored and / or enforced. As the government department discovered to their cost, and too late, it may have been better to address such obvious security vulnerabilities by restricting web access to certain types of websites (and monitoring this), disabling USB connections on government-issued computers, providing IT security training, and developing a well-communicated IT security policy.
This story also highlights the risks of policies such as ‘bring your own device’ in businesses. BYOD policies allow employees to bring in their personally owned laptops, tablets, smart-phones and even storage devices, and use them to access company information and applications, and solve work problems. Unfortunately, as shown in this story and in a study by SME card payment services firm Paymentsense back in May, BYOD schemes and using USB storage devices can increase the cyber-security risks for businesses and organisations. The most popular types of BYOD security incidents in the last 12 months include malware, which affected two-thirds (65%) of SMEs, and viruses (42%).
These days, secure cloud storage and storage on secure company systems are provided, and this, combined with adequate security training and forbidding the use of USB ports (closing USB ports) on company computers could be ways of minimising this kind of security risk for many businesses.