The Office of Personnel Management. It has a predictably boring name for a government office. Essentially, the Office of Personnel Management is human resources for the government’s civil service employees. When it comes to hackers and government offices, this might seem like low hanging fruit. In reality, it’s just the opposite.
So, why would cyber criminals, like they recently did, make this U.S. government office one of their targets, not once – but twice? Because the information collected and stored by the Office of Personnel Management is supremely valuable.
Although the director of the office says she’s not comfortable with the number, it is estimated that 20+ million people may have had their personal information compromised in a security breach(es?) in April. There are some estimates that put that number much higher.
The second breach, one discovered in June while the first breach was being investigated, gave hackers access to the information from background checks done on current, former and prospective employees who applied for jobs that require security clearance. There is some fear that this information will help whoever has it to be able to identify the government officials with access to some of the U.S.’s most important secrets. It could also be used to recruit spies against the U.S.
While there are several lessons that can be learned from the Office of Personnel Management hack, here are two we think are the most important.
Know What Information You Have and How it Could Be Used
This requires a critical eye on the data that your business is storing. You have to start by knowing what you have and where it’s stored.
As an example, let’s consider a telecom provider. Typically, the information these companies have on customers falls into three categories: personal information; payment information, often credit cards; phone numbers; and customer location.
What’s the most important piece of information to protect out of that group? Possibly surprising, it’s the phone number.
Get hold of any of the other three, and that’s all you have. A location. Payment information. Personal details. The phone number, though, can give you so much more. It can give you a name. It can give you a street address. It can give you more information, therefore, it’s the most important piece. That means it should be your highest priority to protect.
And that leads us to the second lesson.
Build the Biggest Wall Around Your Most Important Information
Two things stand out when reading about the OPM attack. First, the hackers gained access to the network through legitimate means. They gained the login credentials of an employee with a contractor who handles background checks for the OPM.
Second, the OPM has been relying on aging technology. While the office’s director has been working to modernize the infrastructure, some of the technology systems are 30 years old.
Technology from the 1980s is going to have a hard time keeping anything protected. It’s no place to store the kind of information that the OPM has. Information that valuable needs to be behind a high wall that’s hard to scale. The same goes for the most important information at any company.
Most companies, though, don’t have the money it would take to build an equally high wall around the entire network. That’s where the hard choices come in.
Certain groups’ laptops and computers might not be as important as others. If you are an engineering company with an R&D division that has a lot of intellectual property, you’re probably going to want to care a lot more about those desktops and laptops than you would others.
In human resources, you may only have an SSL connection from your Web server back to your database that handles employee addresses. You may have an SSL connection plus IPS plus another firewall between you’re the database housing employee Social Security numbers.
Every network is different. There’s no right or wrong way to protect your data. There’s only the way that’s right for you. But before you build the protection, you need to know what data is going inside of it.