Enterprises Must Encrypt Data, Segment Networks to Thwart Hackers
What's equally interesting was the fact that none of the experts I spoke with at the event were willing to point their fingers at OPM itself. The problem with revising a records management system as huge as the personnel records at OPM is daunting and expensive in the extreme. Agencies are caught in a continuous battle to get the budgets necessary to do their jobs. Complicating matters, the hardware and software in use at many agencies is antiquated, and updating it using the existing federal procurement rules can be nearly impossible. Add to this mix the tendency in Congress to decide to simply cut the federal budget by some random percentage and you've got a situation in which adequate security is at best a wish experienced in a fevered nightmare. Instead, federal IT staffers are forced to make do with long-outdated equipment that's frequently incompatible with anything else in the data center. When federal IT managers find that some action, such as greater security, is mandated, they often have to choose which other functions they're going to shut down because they don't have the funding to do everything they're required to do.

What this means, if you're familiar with federal procurement, is that Congress appropriated no money currently for security upgrades and none for the task of forensic analysis so that managers can figure out how the attack happened.

Fortunately, private industry doesn't have to depend on Congress to behave responsibly. But they do have to depend on boards and top managers to believe that bolstering data security should be a priority. Some companies are, in fact, doing this. For this reason, for every Anthem Blue Cross that doesn't segment their network and encrypt sensitive data because they're not legally required to do it, you have a company such as Carefirst Blue Cross that does it anyway. This is why when Carefirst Blue Cross was hacked, little was lost, unlike Anthem, where everything was taken.
Both companies still had to tell their customers about the hack, but only Carefirst was able to tell its customers that there was little chance of identity theft. Now, when those security experts talk about how security can be done right, they have a good example and a bad example. One wonders how the company with cyber-insurance might feel if they were routinely called out by their colleagues as the bad example.
The situation with the OPM breach is a good example. The Department of Homeland Security has announced that it's going to request from Congress the money necessary to find the reason for the recent attack and then fix it.