The federal government takes cybersecurity seriously. We know that. They have spent millions on programs like EINSTEIN to protect the very data the Chinese (reportedly) hacked, leading to yesterday’s announcement about the four million former and current government employees affected by the breach at the Office of Personnel Management.
This most recent incident made the front page of the New York Times; it even led the very top of the front page of our local Portland Press Herald. But it is hardly the first such breach of federal databases. Last year the Russians got some of President Obama’s emails. Then the personnel office lost data on federal employees who had applied for different levels of security clearances.
This despite a series of declarations that the Department of Homeland Security, the FBI, the NSA and virtually every government agency is fighting hard against cyberattacks.
In fact, news of this new breach comes just a day after the most recent Snowden revelations that the NSA was engaging in warrantless surveillance of Americans’ international Internet traffic in its bid to identify and prevent hacking from overseas.
You’ll now most likely hear congressional leaders here in the U.S. calling for a new cybersecurity bill and more funding and new leadership and new technology.
But it’s clear to me that higher and thicker walls, while necessary, are an insufficient response. You can’t build a bunker deep enough or a fence with enough barbed wire at the top to stop dedicated hackers from getting in, sifting through our nation’s valuables, and taking what they want. Nor can global multi-national firms expect to simply invest in better security and call themselves safe from prying hackers.
If we’re going to take hacking seriously, what we need are far more sophisticated data-handling practices behind the walls we erect: access control management, tracking and auditing; anonymization; encryption; separation of certain data from other data; data destruction policies that are real and enforced. The list goes on.
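Those controls are easier to reason about in concrete form. What follows is an added example, not code from the original post: a small Python sketch, standard library only, of data minimization, keyed pseudonymization, separation of identifiers from working data, a retention policy that is actually enforced, and role-gated re-identification with an audit trail. The records, key, role names and one-year retention period are all constructed for illustration; in practice the key lives in a separate key store, and encryption of the remaining fields would use a real AEAD library, which is out of scope here.

```python
import hmac
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Fields the organisation has decided it genuinely needs for day-to-day
# work (data minimization). Everything else is dropped at ingestion.
KEEP = {"agency", "job_series", "clearance_level"}

# Direct identifiers. They must never appear in the working store; the only
# link back to a person is the keyed token held in a separate identity store.
DIRECT_IDS = {"ssn", "name", "dob"}

RETENTION = timedelta(days=365)  # assumed policy; use the organisation's real one

# Assumptions for the demo: the key would normally come from a key store or
# HSM, never from the same place as the data. The records are constructed
# and describe no real person.
DEMO_KEY = b"constructed-demo-key-do-not-use"
DEMO_DAY = date(2015, 6, 5)
DEMO_DAY_PLUS_RETENTION = DEMO_DAY + RETENTION
SAMPLE = [
    {"ssn": "123-45-6789", "name": "A. Example", "dob": "1970-01-01",
     "agency": "OPM", "job_series": "2210", "clearance_level": "Secret",
     "home_address": "1 Sample St"},
    {"ssn": "987-65-4321", "name": "B. Example", "dob": "1980-02-02",
     "agency": "DHS", "job_series": "0080", "clearance_level": "TS",
     "home_address": "2 Sample Ave"},
]


def pseudonym(key: bytes, ssn: str) -> str:
    """Keyed, one-way token for an SSN.

    HMAC rather than a bare hash: the nine-digit SSN space is small enough
    that an unkeyed SHA-256 table could be enumerated by whoever stole the
    working store. Without the key the token tells them nothing.
    """
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()[:32]


def split_record(key: bytes, rec: Dict, today: date) -> Tuple[Dict, Dict]:
    """Separate one raw record into a working row and an identity row.

    The working row keeps only KEEP fields plus the token and an expiry date.
    The identity row (token -> person) belongs in a separate, more tightly
    controlled store.
    """
    token = pseudonym(key, rec["ssn"])
    working = {k: v for k, v in rec.items() if k in KEEP}
    working["token"] = token
    working["expires"] = (today + RETENTION).isoformat()
    identity = {"token": token}
    identity.update({k: rec[k] for k in DIRECT_IDS if k in rec})
    return working, identity


def ingest(key: bytes, records: List[Dict], today: date):
    """Split all records; return (working_store, identity_store, audit_log)."""
    working, identity, audit = [], [], []
    for rec in records:
        w, i = split_record(key, rec, today)
        working.append(w)
        identity.append(i)
        audit.append("%s ingest token=%s fields=%s"
                     % (today.isoformat(), w["token"], sorted(w)))
    return working, identity, audit


def leaked_identifiers(working_store: List[Dict]) -> set:
    """Check that no direct identifier slipped into the working store."""
    return {k for row in working_store for k in row if k in DIRECT_IDS}


def purge_expired(working_store: List[Dict], today: date) -> List[Dict]:
    """Enforce the retention policy: drop rows whose expiry date has arrived."""
    return [r for r in working_store if date.fromisoformat(r["expires"]) > today]


def reidentify(identity_store: List[Dict], token: str, role: str,
               audit: List[str]) -> Optional[Dict]:
    """Resolve a token back to a person. Only the (assumed) 'hr' role may do
    so, and every attempt, allowed or not, is written to the audit log."""
    audit.append("reidentify role=%s token=%s" % (role, token))
    if role != "hr":
        raise PermissionError("role %r may not re-identify records" % role)
    return next((r for r in identity_store if r["token"] == token), None)


if __name__ == "__main__":
    work, ident, log = ingest(DEMO_KEY, SAMPLE, DEMO_DAY)
    print("working store:", work)
    print("leaked identifiers:", leaked_identifiers(work))
    print("rows left after retention period:",
          len(purge_expired(work, DEMO_DAY_PLUS_RETENTION)))
```

The point of the split is that the working store, the one analysts and applications actually touch, is the one most likely to be exfiltrated, and after this treatment it contains no names, SSNs or addresses at all. Re-identification requires both the identity store and a role that is logged on every use, which is exactly the access control, tracking and data-destruction discipline the list above calls for.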
This is where privacy professionals can step into the breach (sorry for the pun), working hand in hand with IT professionals to inventory the data they have, making sure it’s all useful and necessary and then making sure that data is virtually useless to the outside world should the hackers get in.
The IT department certainly can’t do it alone. While they might be the ones to institute the controls or operate the technology, it takes a trained professional to think about a company’s data-handling processes holistically. Privacy pros create policies and plans that everyone in the organization can be involved with and work towards.
Someone has to strategically direct the organization’s data activities, and that person needs to think about how to allocate resources, how to identify and mitigate risk and how to train and support all of the people in the organization who handle data to ask themselves big questions:
Do I need to collect this data? Does this data offer the organization value or liability? Is this data still useful to the organization? Should that person be able to access that data? For how long? Can this data be accessed in a different way that reduces risk? What technology can we apply that would reduce the risk that owning this data creates?
That is, of course, just the tip of the iceberg.
We’ve gotten well beyond “breach prevention” at this point. There aren’t any magic software programs that you can buy, install and call yourself “safe.” Certainly, they can make you safer. And there is every reason to apply the appropriate amount of security to your network and data storage.
But now is the time to move toward breach preparation and understanding, data governance and smart data privacy practices like never before.
Target, Home Depot, Sony, JP Morgan Chase, the Postal Service, the Office of Personnel Management and the White House can’t all have been simply lax in their security practices. That just doesn’t make sense. Maybe there was more that all of them could have done to prevent their breaches, but maybe they were doing the most that they could at that moment.
There is certainly, however, more that we could do collectively to minimize the impact breaches have on consumers, employees and society as a whole when they do occur. Privacy professionals, this is the time to step forward and bring your training and experience to bear and show your organizations the value you bring to the table.
Don’t wait for the next big breach. It might be yours.