OPM Director Resigns After Breaches, but the Real Work Remains
Unfortunately, OPM shares in the problem of underfunding security, and it shares in the problem of not knowing how to spend what money it does devote to controlling the problem. Much of the blame for the success of breaches in private companies lies not with the IT managers who run the data centers, but with the executives who see security as a cost to the bottom line that can be cut. "The CEO of Home Depot told his security professionals, 'we sell hammers' when he was asked for money to improve security," said Eric Chiu, president and co-founder of HyTrust, a cloud security company. Home Depot was breached shortly after the CEO refused requests to make security improvements, and the company is still battling hundreds of lawsuits that resulted. Chiu said that there are really two problems caused by managers ignoring security. One is caused by failing to give it enough priority, and the other is caused by not protecting the things that need to be protected. "Fundamentally we have to assume that data is the target these attackers are going after," Chiu noted. "You have to protect yourself from inside attacks." The fact that most major breaches are from attacks from the inside requires a significant rethinking from the ways that organizations have approached security in the past. As former U.S. cyber-security director Richard Clarke told me in April, you have to assume that the bad guys are already inside your network, and you have to protect the data that they're after.But what's really unfortunate is that far too many managers resist even simple steps to protect data because they're afraid the costs will be too high. This and simple inertia are major contributors to data breaches. When the Anthem breach happened, the data that was lost was unprotected not because the managers didn't know that, but because they were not required to encrypt it. And yet it is that same Anthem customer data, when combined with the extremely sensitive personnel data held by OPM, that will provide the Chinese hackers who carried out both breaches with what may be the most valuable data ever taken in a series of breaches. This massive theft of data, and the injury to millions of people that will happen as a result, could have been prevented or at least minimized with a simple combination of management and leadership. But Congress and the administration failed to provide either, and as a result you will pay the price one way or another. But you can avoid making the problem even worse by taking the steps to protect the data in your own company, even if it's not required that you do so.
This means it's crucial that companies protect that data through more than just perimeter defenses. While it's important to protect against unauthorized access, it's also important to protect the data once someone gains access. For this reason, critical data should be stored separately, it should be encrypted, and access should be tightly controlled.