In a twelve-month period, I received notices from two federal agencies and a major healthcare provider stating that my lawfully collected but private data files had been compromised in three independent cyber-breaches. Specifically, the agencies and the company are the Veteran’s Administration, the Federal Bureau of Investigation, and Anthem Blue Cross/Blue Shield. The FBI’s breach certainly is the most serious of these in that it could lead to the loss of lives. However, I feel that the theft of my medical records is equally troubling. Allow me to point out that these data breaches did not involve cutting edge infrastructures. In the above cases, data-at-rest or stored data were compromised. The attackers were international hackers acting under the auspices and protection of nation states. In response to these security breaches, Congress recently enacted new legislation:
Safe and Secure Federal Websites Act of 2017
This bill prohibits a federal agency from deploying or making available to the public a new federal personally identifiable information website until the Chief Information Officer of the agency submits a certification to Congress that the website is fully functional and secure. “New Federal PII website” is defined as a website that: (1) is operated by (or under contract with) an agency; (2) elicits, collects, stores, or maintains personally identifiable information (i.e., information that can be used to identify an individual, such as a social security number, a date and place of birth, a mother’s maiden name, biometric records, or other information linked to an individual); and (3) is first made accessible to the public and collects or stores personally identifiable information on or after October 1, 2012. To what degree these requirements will improve information security remains to be seen. My initial impression is that H.R. 404 merely identifies who will be held responsible for the next data breach. However, linking responsibility to a department head is not without its merits.
The future is fast approaching and there are a few clear trends that may aid us in developing sound security strategies:
- Mobile and connected devices continue to increase at a rapid rate, and it follows that the communications between these devices and systems will increase as well. A recent study places the number of smartphones at more than 1.4 billion worldwide, with that number expected to increase to more than 1.8 billion by 2020. The same study estimates that there are currently 6.4 billion “Internet of Things” connected devices, and by 2020, it is expected that there will be 20 billion such devices. While this mass adoption of technology presents tremendous marketing opportunities for companies, the integration of new (and perhaps inadequately tested) technology makes these devices, applications, and back-end systems prime targets for cybercriminals.
- Both governments and corporations are recognizing and adapting to changing consumer preferences, such as transacting business via mobile devices and entering personal financial and medical information into mobile browsers, all in the belief that these applications pose no personal threat. Despite the naivety of the end-users, corporations and agencies who engage in these business practices must respond effectively and quickly to the changing environment to protect both their brands and the privacy of their customers’ data.
- Organizations built on “Big Data” are struggling to balance innovation and convenience against the regulations and laws that require them to secure confidential data against cyberattacks. Mobile devices greatly increase the volume of PII collected, which adds to the security challenges as sensitive data moves through the data lifecycle. The problem is complex in that most major corporations or agencies must seek solutions that apply to legacy applications and are compatible with “The Cloud”, mobile technologies, and the Internet of Things. It may be said that the traditional network perimeter of the firewall has moved into the customers’ pockets. As always, education of the end-user is of critical importance. This is true of both public-facing and internal web sites.
Cybercriminals and nation states will continue to target PII with the intent to steal, sell, or otherwise use stolen identities. Considering the inter-connected nature of many applications and devices – such as connected home, car, or even medical devices – a security breach may cause physical harm to a person, not simply monetary damage.
In 2017, a stated goal of most corporations and government agencies is to protect proprietary information and end-user data end-to-end, that is, from point of origin, through transit, and into storage, or from the beginning to the end of its lifecycle. At the same time, these same institutions will be enabling new technologies and attempting to keep legacy applications viable. Most corporations and government agencies are focused on data breach protection with varying degrees of success. Some enlightened corporations have accepted the new paradigm that cyber-breaches will come to everyone in time, even those who are well prepared. That acceptance leads to an increased focus on timely incident recognition and effective response. Early warning applications aid in this endeavor.
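The breaches that opened this piece exposed stored data, so the storage end of that lifecycle is where protection matters most in practice: a dump of the database should yield no usable PII. The following Go program is an added illustration, not code from the article or from any of the agencies named above. It shows envelope encryption of a PII record with the standard library: each record is sealed under its own AES-256-GCM data key, that data key is wrapped under a master key, and the record identifier is bound into both ciphertexts as associated data. The record fields, the identifier "patient-42", and the in-memory master key are constructed for the example; in a real deployment the master key lives in an HSM or KMS, never beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PIIRecord is the kind of data-at-rest the breaches above exposed.
// Field values used in main() are constructed for illustration.
type PIIRecord struct {
	SSN   string `json:"ssn"`
	DOB   string `json:"dob"`
	Email string `json:"email"`
}

// SealedRecord is what is actually written to the store: no plaintext PII.
type SealedRecord struct {
	ID         string // row identifier, bound into both ciphertexts as AAD
	WrappedKey []byte // per-record data key, encrypted under the master key
	Ciphertext []byte // nonce || AES-256-GCM(dataKey, JSON(record), aad=ID)
}

// gcmSeal returns nonce||ciphertext||tag under AES-GCM with a fresh random nonce.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to nonce, ciphertext, tag or AAD fails.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], aad)
}

// SealRecord implements envelope encryption: a fresh 256-bit data key per
// record, wrapped under masterKey. A stolen database yields only ciphertext,
// and rotating masterKey means re-wrapping small keys, not re-encrypting rows.
func SealRecord(masterKey []byte, id string, rec PIIRecord) (SealedRecord, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return SealedRecord{}, err
	}
	plain, err := json.Marshal(rec)
	if err != nil {
		return SealedRecord{}, err
	}
	ct, err := gcmSeal(dataKey, plain, []byte(id))
	if err != nil {
		return SealedRecord{}, err
	}
	wrapped, err := gcmSeal(masterKey, dataKey, []byte(id))
	if err != nil {
		return SealedRecord{}, err
	}
	return SealedRecord{ID: id, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// OpenRecord unwraps the data key, then decrypts. Both steps authenticate the
// record ID, so a ciphertext copied to another row, a tampered blob, or the
// wrong master key all fail closed instead of yielding garbage or silent reuse.
func OpenRecord(masterKey []byte, s SealedRecord) (PIIRecord, error) {
	dataKey, err := gcmOpen(masterKey, s.WrappedKey, []byte(s.ID))
	if err != nil {
		return PIIRecord{}, fmt.Errorf("unwrap data key: %w", err)
	}
	plain, err := gcmOpen(dataKey, s.Ciphertext, []byte(s.ID))
	if err != nil {
		return PIIRecord{}, fmt.Errorf("decrypt record: %w", err)
	}
	var rec PIIRecord
	if err := json.Unmarshal(plain, &rec); err != nil {
		return PIIRecord{}, err
	}
	return rec, nil
}

func main() {
	master := make([]byte, 32) // constructed; in production this comes from a KMS/HSM
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	rec := PIIRecord{SSN: "123-45-6789", DOB: "1970-01-01", Email: "jane@example.com"} // constructed
	sealed, err := SealRecord(master, "patient-42", rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d ciphertext bytes and %d wrapped-key bytes, no plaintext\n",
		len(sealed.Ciphertext), len(sealed.WrappedKey))
	got, err := OpenRecord(master, sealed)
	fmt.Println("round trip ok:", err == nil && got == rec)
	sealed.ID = "patient-43" // simulate the ciphertext being moved to another row
	_, err = OpenRecord(master, sealed)
	fmt.Println("moved row rejected:", err != nil)
}
```

The design choice worth noting is the associated data: GCM authenticates the record ID without encrypting it, so the store can still index on it while an attacker who swaps or duplicates encrypted rows gets an authentication failure rather than someone else's record. Whatever key management surrounds this, the wrapped key and the ciphertext must never be stored next to the master key, or the envelope protects nothing.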
All early adopters of new technologies should act with due diligence and integrate these applications only after an extensive evaluation period. Now is the time to establish a planning team to research and determine which technologies may impact your industry and start preparing for how security controls will be integrated into this future milieu.
All projections indicate that the amounts of data (stored and in transit) will continue to increase, and it will become even more critical for organizations to protect these valuable assets from cybercriminals and ensure that end-user privacy is protected. The public’s acceptance of these preventable data breaches is wearing very thin. Privacy and data protection must not be compromised in the name of innovation. It can be done. Adopt a security mindset and recruit or hire experienced leadership who understand how to accomplish INFOSEC objectives while enabling the business units to achieve their goals.