My message to anyone responsible for security at an enterprise or government agency: When you hear about a major breach, don't just say, "Glad that wasn't us." Take a close look at what Target and Sony and the OPM could have done to stop the hackers, and then start doing those things yourself.
3. We underestimate the true value of information
Evidently few people ever considered the OPM as a storehouse of sensitive information. The information was not deemed valuable, and apparently the OPM just found cheap storage available from the Department of the Interior that was not designed to protect sensitive information. In government circles, if information isn't classified, it isn't seen as important. But personnel records actually can tell you a lot. You can not only learn the names of government workers; you can probably use them to figure out which ones are undercover operatives. And of course you can steal identities, fuel future social engineering attacks, launch credit card fraud and practice employment fraud.
When you're charged with safekeeping such records, what is important is not the value your bosses place on the information, but the value that your adversaries give it.
4. We don't give security adequate funding
Bad judgment often comes into play as well, but the fact is that most breaches have the potential to be avoided if more security resources are deployed.
This is particularly a problem for government agencies. Congress has cut funding for many of them to the point that they can't fulfill their core missions. Just look at the Department of Veterans Affairs, the target of much abuse because veterans have had to wait ridiculous amounts of time to see a doctor. There's a really simple solution: Hire more doctors and build more facilities. It's the agency's budget that puts that simple solution out of reach. The bottom line is that if agencies are not able to fund their root missions, they are not going to be able to properly fund supporting activities such as cybersecurity.
This is why it's a bit rich to see members of Congress fulminating about government-agency breaches and holding hearings to look into the matter. The truth is that, as the holders of the purse strings, Congress is a big part of the problem.
5. We get suckered into low-bid contracts
Even when cybersecurity has sufficient funding, cost can remain a major component of consideration when contracts are out to bid. The problem is that cost can override compelling security concerns. It has been reported that at the OPM, a low-bid contract resulted in Chinese nationals having access to the personnel files that the OPM stores. Did the OPM's managers think there was no danger in that arrangement, or were their hands tied because they had accepted that low bid?
Sign up for MIS Asia eNewsletters.