HERE WE GO again: The Chinese (maybe the government, maybe a rogue organization) allegedly have hacked the federal government’s Office of Personnel Management, stealing information on 4 million current and former government employees. Some of them have high-level security clearance. It’s scary to think what might be done with the lost information: Could the thieves create false credentials that lead to the loss of even more sensitive information?
Yet we know the federal government has spent millions on programs like EINSTEIN to protect sensitive data, and news of this new breach follows the latest Edward Snowden revelations that the NSA engaged in warrantless surveillance of Americans’ international Internet traffic in a bid to identify and prevent hacking from overseas.
For all of that, this is hardly the first breach of federal databases. Last year the Russians got some of President Obama’s emails. The IRS was hacked earlierthis year. If those breaches didn’t inspire redoubled efforts by the federal cyber community, this new loss of data will. You’ll now most likely hear congressional leaders calling for a new cybersecurity bill and more funding and new leadership and new technology.
I’m not saying such things wouldn’t help. But higher and thicker digital walls, while necessary, are an insufficient response. To seriously respond to hacking, we need far more sophisticated data-handling techniques behind the walls we erect: access control management, tracking and auditing; anonymization; encryption; separation of certain data from other data; and data destruction policies that are real and enforced. These tactics go beyond security and land squarely in the realm of privacy.
Professionals trained in the practice and art—yes it’s often an art—of privacy must be working hand in hand with IT professionals to inventory data, making sure that data is useful and necessary. What’s left should be made virtually useless to the outside world should the hackers get in.
The IT department certainly can’t do it alone. While it might implement the controls, or work the technology and push the buttons, it takes a trained professional to think about a company’s data handling processes holistically and in light of organizational goals. There should be policies and plans that everyone in the organization can be involved with and work toward, overseen by individuals with training for the job.
Who will be tasked with strategically directing the organization’s data activities? Who will think about how to allocate resources, how to identify and mitigate risk, and how to train and support all of the people in the organization that handle data?
On an ongoing basis, people need to make good decisions about whether they need to collect this data. Whether the data offers the organization value or liability. Whether the data remains useful to the organization. Whether a given person should be able to access that data and for how long. Whether the data can be accessed in a different way that reduces risk. Whether technology could be applied to reduce the risk owning this data creates.
That is, of course, just the beginning.
Let’s stop talking about “breach prevention.” No software is going to make an organization “safe.” Certainly, technological solutions can make you safer and you should apply the appropriate amount of security to your network and data storage. Not doing so is negligent. But let’s move the public discourse toward breach preparation and understanding, data governance and smart data privacy practices. We need these discussions like never before.
It’s not like Target, Home Depot, Sony, JP Morgan Chase, the Postal Service, the Office of Personnel Management and the White House simply had terrible security practices. Some of their security surely was better than others. Maybe they could have done more. Maybe an outside observer would have found their practices perfectly acceptable.
What I know for sure is there is a lot more that could be done to minimize the impact breaches have on consumers, employees and society when they do occur. To those of you who rely on data to fuel your organizations: Now is the time to step forward, accept the challenge of data privacy head on and get the right people tackling the job.
It’s easy to say, “Don’t be the next organization on the cover of the New York Times.” But it’s more appropriate to say, “When you find your organization on the cover of the New York Times, make sure the story is about how you’ve done everything possible to make the breach a non-event.”