Not surprisingly, I’ve heard from a lot of people regarding the announcement of the Office of Personnel Management (OPM) breach, but what Andy Hayter, security evangelist for G DATA, told me in an email jumped out at me – in part because of the imagery but also because it was eerily similar to a thought that I had. Hayter said:
I have to think that it must appear to threat actors all over the globe that the U.S. government's IT systems are full of holes, like Swiss cheese, and the response from the U.S. is to play whack-a-mole every time, in a valiant attempt to close each hole. With all of these attacks, it’s likely that each one is arming cyber criminals with exactly what they need and want to execute another one, and the vicious cycle continues. Unfortunately every time there's another breach on a Federal agency, it spells out our vulnerabilities loud and clear to our adversaries, letting them know there are many more opportunities for them to hack our systems and networks over and over again.
Whack-a-mole security. It really is easy to think that way. The OPM breach is just the latest – and perhaps most damaging because of the vast amount of data that could be compromised – incident within the federal government, and now we are at a point where we’re going to wait for the next incident to pop up.
However, I think we need to start putting government breaches in perspective. For example, after the OPM breach was announced, I had a conversation with a friend who was likely affected by this breach and may have also had his information compromised in the recent Penn State breach. He was more concerned about the OPM breach because, he believed, the government shouldn’t be hacked and because, being the government, it had all kinds of information on him. I said honestly, the same information was probably compromised in both breaches, but there is idea that the government has more information about you because it is the government.
After this breach was announced, I was watching different news shows that discussed the hack and the implications and the speculations. I wish I could remember who the person was who made the comment, but one security expert said something very true: The information that is compromised is the same information likely compromised in retail and health care breaches. We just don’t realize how much information about us is out there and stored on multitudes of servers. This thought was backed up in an email comment to me by Tsion Gonen, VP of Strategy, Identity & Data Protection with Gemalto:
Last year, theft of identities and personal information accounted for 54 percent of all data breaches according to the Breach Level Index. With the theft of this type of information on the rise and its use to conduct additional hacks like we saw with the IRS, it’s clear that companies and government agencies need to rethink their entire data security posture and look to stronger forms of data protection. This means they need to assume breaches will occur and place security controls directly on the data by using encryption. That way, if hackers get past the perimeter security and get to the data, it is useless to them because it is encrypted. Unfortunately, only a small percent of information is protected with encryption and that is usually just financial and highly sensitive data. Maybe it is time companies expand their use of encryption to include personal information, which is under increasing attack by cybercriminals.
The real difference is the players. We’re seeing more attacks that are more likely linked to cyber espionage than criminals just looking to make money on your data, but at the same time, cyber defenses are slow to make the adjustments to better protect this information.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba