As the scale and frequency of mega breaches grow, “breach fatigue” is setting in among consumers and even IT professionals. That is certainly the case with last week’s reports that China may be responsible for stealing the records of 4 million employees from the US government’s Office of Personnel Management. But even after large data breaches at other US government agencies such as the IRS, the Department of State, and the White House, media and security professionals can still draw wider lessons from the recent news. In this case there are several, for both public- and private-sector organizations.
For one, as the article shared by American Cancer Society CIO Jay Ferro below suggests, this breach may serve as a wake-up call for government agencies. While government CIOs tend to assume their employees work in relatively locked-down environments, the average government organization uses 742 cloud services. Cloud services are increasingly viewed as necessary and beneficial for organizations; what is concerning is the lack of awareness of this phenomenon: IT typically estimates cloud usage at around one-tenth of the actual average. This issue is by no means limited to government agencies, as enterprise CIOs are often similarly
Second, the extended period of vulnerability and the wide variety of data stolen illustrate that combating attackers is no longer as simple as keeping the perimeter secure. In this case, attackers were inside the Office of Personnel Management (OPM) systems for months and made off with a vast trove of data, including many types of personal information about current and former employees. At this point, such extensive archives of personal information are available on the Darknet that an initial break-in to a corporate system is almost a given.
— Jay Ferro (@jayferro) June 7, 2015
This last point is the message of an article shared by CAA CIO Michael Keithley, which declares that “trusted networks and systems just don’t exist.” Specifically, the author puts the spotlight on enterprises’ business partner environments. The average enterprise connects 1,555 business partners via cloud services, many of which do not maintain sound security policies.
Why Cybersecurity Needs to Be Adaptive https://t.co/1cZGAuOTCQ
— Michael Keithley (@mkeithley) June 7, 2015
A Reuters article shared by DeKalb County CIO John Matelski offers some numbers to bolster the concern around this area of vulnerability: 30% of banking organizations surveyed did not require outside vendors to notify them of breaches, and an examination of 57 broker-dealers and 49 investment advisers showed that the majority had experienced cyber attacks either directly or through their vendors. Fortunately, the article sets forth five recommendations for evaluating vendors, essential reading for any IT pro whose company connects with outside organizations (read: every IT pro).
— John Matelski (@jmatelski) June 5, 2015
While machine learning and big data analytics can help IT monitor for the exfiltration of corporate data, simple steps like implementing two-factor authentication can be just as important, according to Asheville CIO Jonathan Feldman. Two-factor authentication is especially effective at preventing attacks that originate from compromised credentials. Support for security controls such as two-factor authentication should be a primary consideration when deciding which cloud services to classify as high-risk and potentially block in your organization.
Money quote: "Complexity is the enemy of security." https://t.co/HAIHyvO4qr
— Jonathan Feldman (@_jfeldman) June 4, 2015
The moral of the story is that enterprises today can only rely on a layered security strategy. A holistic approach to security truly requires a team effort, and it’s not surprising that the board of directors now holds the CEO accountable for information security. As Intel CIO Kim Stevenson shared, business unit users are also responsible for ensuring the security of corporate data. While CEOs are finally being asked to prioritize security, this newfound attention from the top also raises a challenge for CIOs. More than ever, soft skills like communication, business acumen, and leadership are necessary to translate security goals into action from business users.
— Kim Stevenson (@Kimsstevenson) June 1, 2015