June 25, 2015

Government Data Breach? It’s More Likely Than You Think

Did you hear about the huge government data breach this past spring?

Computers at the Office of Personnel Management (OPM) were breached, and identifying information from at least 4 million current and former federal workers was compromised.

The OPM is the human resources department for the federal government, and it conducts background checks for security clearances.

The OPM breach was “among the most shocking because Americans may expect that federal computer networks are maintained with state of the art defenses,” said U.S. Rep. Adam Schiff of the House Permanent Select Committee on Intelligence, in a reuters.com article.

The Identity Theft Resource Center Breach Report shows that the government/military sector fares comparatively well. The sector accounted for only 11.7% of data breach incidents in 2014 – compared to the medical/healthcare industry, which accounted for 42.5% of the breaches, and the business sector at 33%.

According to ITRC, since 2005, 675 million records in total have been exposed in over 5,000 reported breaches.

The Department of Homeland Security and the FBI are now involved in the OPM breach, and so far, reports suggest China-based hackers are behind the cyber intrusion.

So what happens next?

Notification: The OPM will notify the 4 million people whose information was breached. The agency will offer credit monitoring and insurance for 18 months to people who may be affected by identity theft.

Security Precautions: IT departments are scrambling to make a range of improvements. For example, all federal agencies want to install two-factor authentication with smart cards, which will make it harder for intruders to access networks. According to nextgov.com, the White House is also mandating public federal websites to switch to a more secure Internet connection standard by the end of 2016.

Safeguards Reviews: There will be a review of the intrusion detection system, called EINSTEIN, which screens internet traffic for cyber threats. The OPM may conclude that outsourcing this security function is the better option. “It’s clear that a substantial improvement in our cyber databases and defenses is perilously overdue,” said Schiff.

Calls for New Legislation: While the White House’s cyber security goals are spelled out in President Obama’s cyber security legislative proposal, other legislation will likely be introduced too. The Wall Street Journal reported that Majority Leader Mitch McConnell “plans to use the annual defense policy bill to move the issue forward”. The bill would require companies to share information about breaches with the government and others in industry.

Employee Training: The 2014 Data Breach Investigations Report by Verizon showed that in the Public Sector, the most frequent breach incidents were caused by errors (34%), insider misuse (24%), crimeware (21%), and lost/stolen assets (19%). Comprehensive employee training must be part of every workplace’s information security policy.

Digitizing Records: To meet regulatory obligations – and avoid accusations of cover-up and incompetence – federal agencies must get serious about digitizing records, writes Ellis Booker at informationweek.com.

Better Records Management: Documents must be securely stored, and they must also be easily retrievable by employees who hold the right clearance. A comprehensive document management policy also covers secure document destruction, whether the documents are paper or e-media, once they are no longer needed.

Workplaces are urged to outsource document destruction because it helps to reduce the risk of insider fraud and can save money.