3 Lessons Learned From the OPM Data Leak

OPM didn't have a clue what it was doing and knew about it for years

In June 2015, the Office of Personnel Management (OPM) revealed that millions of personnel records had been hacked—a figure it first put at 4 million files but later revised to 21 million or more. Worse, the files included ample amounts of personal and otherwise private data whose exposure can be expected to have broad-ranging security consequences. What can we learn from this incident?

OPM Intrusion Due to Lack of Policies and Guidance

The OPM privacy breach may well have resulted from poor adherence to policies and guidance. In a November 2013 audit, the inspector general (IG) said about the OPM that “the material weakness related to information security governance has been upgraded to a significant deficiency.” But an IG report to Congress in March 2015 revealed that little had changed.

The reports confirm an old saying: data protection isn’t necessarily about the physical protection of data (intrusion detection systems, antivirus software, firewalls or the like) but rather about policy, guidance, procedures and—most important—leadership. Chalking the breach up to the Chinese or to hacktivists would be far too easy, a convenient way of forgetting that strict adherence to policy and procedure might well have prevented the entire affair.

OPM Computer Breach Didn't Have to Happen

We need new and ingenious ways of storing large amounts of data. Why should 21 million personnel records be stored in the same place? Why not distribute the data to servers in different locations, each server having its own security and protocols? The files in question were not cross-referenced, nor were they analyzed in any manner. Why store high-security files—files referenced only once every five years—all together?

The same concept helped insurers with Lloyd’s of London insure ships traveling to Asia centuries ago. Because each member in a group of insurers insured only a fraction of a ship’s cargo, no insurer would suffer a catastrophic loss if the ship were to sink. In much the same way, although the OPM breach was catastrophic, it didn’t have to be—only imagine the difference had the hackers accessed merely a fraction of the data instead of all of it.

Maintain Physical Security

Physical security cannot be ignored. Consider how the military uses a form of human two-factor authentication to secure nuclear weapons when they are being handled, diminishing the risk of an insider threat. For example, the military establishes “no lone zones,” zones in which individuals who are found by themselves may be apprehended using deadly force.

We don’t need to use deadly force to protect data, but we should learn from the concept of two-person control, and we should use it to prevent unauthorized access to large portions of data. In particular, access to 100 percent of stored data should be contingent on physical presence in an appropriately manned data center. Such a restriction might sound like overkill, but it’s just another form of insurance against a data breach such as OPM suffered.
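As an added example (not the article’s, OPM’s or any real system’s code), here is a toy Python model of the two ideas argued above: records partitioned across independently keyed shards, so that a single leaked credential exposes only a fraction of the data, and two-person approval before any read that crosses a bulk threshold. The shard count, threshold, approver names and records are all constructed.

```python
import hmac
import secrets

class PartitionedStore:
    """Records spread across shards, each guarded by its own key (constructed toy, not OPM code)."""

    def __init__(self, n_shards, bulk_threshold=0.5):
        self.keys = [secrets.token_bytes(32) for _ in range(n_shards)]  # one independent key per shard
        self.shards = [dict() for _ in range(n_shards)]
        self.bulk_threshold = bulk_threshold  # fraction of data above which two-person control applies
        self._count = 0

    def put(self, record_id, value):
        # Round-robin placement keeps each shard holding about 1/n of the records
        self.shards[self._count % len(self.shards)][record_id] = value
        self._count += 1

    def _authorized(self, idx, key):
        return hmac.compare_digest(key, self.keys[idx])

    def exposure(self, leaked_keys):
        """Fraction of all records readable with the given leaked keys (the blast radius)."""
        readable = sum(len(s) for i, s in enumerate(self.shards)
                       if any(self._authorized(i, k) for k in leaked_keys))
        return readable / max(self._count, 1)

    def bulk_export(self, keys, approvers):
        """Read many shards at once; above the threshold, two distinct approvers are required."""
        idxs = [i for i in range(len(self.shards)) if any(self._authorized(i, k) for k in keys)]
        fraction = sum(len(self.shards[i]) for i in idxs) / max(self._count, 1)
        if fraction > self.bulk_threshold and len(set(approvers)) < 2:
            raise PermissionError("two-person control required for bulk access")
        return {rid: v for i in idxs for rid, v in self.shards[i].items()}


def demo():
    """Constructed scenario: 400 records over 4 shards, one shard key leaked."""
    store = PartitionedStore(n_shards=4)
    for n in range(400):
        store.put(f"rec-{n:04d}", {"name": f"Employee {n}"})
    single_key_exposure = store.exposure([store.keys[0]])        # 0.25, not 1.0
    try:
        store.bulk_export(store.keys, approvers=["alice"])       # one approver: refused
        two_person_enforced = False
    except PermissionError:
        two_person_enforced = True
    full = len(store.bulk_export(store.keys, approvers=["alice", "bob"]))
    return single_key_exposure, two_person_enforced, full
```

With a single store and a single key, the same leak would have exposed every record; the partitioning caps the loss at one shard’s share, and the two-approver rule is what stands between any one credential and the whole set.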

Take Comprehensive Cyber Security Action

On the heels of the OPM data breach came yet another breach, this one of the Ashley Madison database. Of necessity, Ashley Madison’s business model was predicated on privacy and secrecy—yet its 32 million–person database was hacked. Perhaps internal procedures weren’t followed; perhaps data was centrally located. Data breaches such as these are wake-up calls to us all. Leaders everywhere must take action to secure sensitive data and prevent breaches.
