SSA employees and contractors are only allowed to download software critical to SSA’s function and must receive written permission before doing so.
But SSA IG Patrick O’Carroll, whose report found nearly 200 malware attacks in a little under a year, said workers often break the rules. The report pinpointed seven cases where unauthorized downloading led to malware attacks.
The report concludes SSA’s software approval process and monitoring policy need improvement.
Often, such nonstandard software can contain malicious code that can infect SSA’s operating system.
“These incidents could cause SSA’s network to operate inefficiently or ineffectively,” the report finds. “Further, the malicious software could extract personally identifiable information to be used for identity theft purposes.”
O’Carroll’s report recommends having all download permissions go through a central authority, such as the chief information officer. In some instances, the report finds, disciplinary action may be necessary.