Failure, Weakness & Neglect: 3 Lessons for the Private Sector from the OPM Cybersecurity Breach

Imagine for the moment that one of your key employees – in charge of customer accounts – has an affair with a staffer at the company. He’s married, but the affair is discovered at the company, his wife doesn’t find out, and the decision is made to discipline the employee but keep him on board. The company’s HR department investigates the matter and documents its files, per company policy. The case is closed and everyone moves on. 

“Inertia, a lack of internal expertise, and a decade of neglect at OPM led to breach.”

Now imagine that a few months later the company is hacked and its network – HR files included – is exposed. Weeks later your employee gets an anonymous email threatening to expose the affair to his wife – sordid details included – unless he sabotages the company’s response to a $50 million RFP to the benefit of a competitor.

This type of blackmail (or the potential for it) is but one of the many problems now facing the federal government and more than four million of its current and former employees following what’s been called the “biggest government hack ever,” a cybersecurity breach of the Office of Personnel Management (“OPM”), the federal government’s HR department. (Sources: “Federal Government Suffers Massive Hacking Attack,” Ken Dilanian and Ricardo Alonso-Zaldivar, June 4, 2015; “Why the ‘biggest government hack ever’ got past the feds,” by Sean Gallagher, June 8, 2015.)

News of the OPM breach, discovered in April, broke just last month, but important details have already surfaced that provide valuable lessons for the private sector. Below are three of those lessons, which can help companies reach higher levels of security in an increasingly less secure world:

Lesson No. 1 – Keep pace with the threats.

According to Gallagher’s article, the intrusion detection system used by the federal government known as Einstein, “…was originally based on [ ] technology first deployed over a decade ago…the traffic flow analysis and signature detection capabilities of Einstein [ ], appears to be incapable of catching the sort of tactics that have become the modern baseline for state-sponsored network espionage and criminal attacks.” (emphasis added).

Companies must have an ongoing information security program that continually works to identify and defend against the latest threats specific to their business.

Lesson No. 2 – Know your readiness level, act accordingly.

“OPM’s security practices were labelled as a ‘material weakness’ by the OPM Inspector General’s (IG) office as far back as 2007. A November 2014 report upgraded the IG’s evaluation to merely a ‘significant deficiency,’ but that was before a hack of contractor KeyPoint Government Solutions was discovered in 2014.”

Only once you know which cyber-threats and risks your company faces, and what your capabilities are in the face of those threats, can you develop and implement a successful defensive posture.

“The OPM had no IT security staff until 2013, and it showed.”

Lesson No. 3 – Invest in command level, on-site information security resources.

“Until 2013, [OPM] had no internal IT staff with ‘professional IT security experience and certifications.’ By November of 2014, seven such professionals had been hired and four more were in the pipeline. But only a fraction of the agency’s systems had been brought under the control of a central IT security organization.”

Cybersecurity is not “an IT function.” It must be a command-level priority of leadership that is pervasive within the organization. Companies need to recruit top-level information security talent and give them the internal authority to collaborate towards a more secure environment.

In short, the OPM failures, weaknesses and neglect provide a compelling story for those willing to listen. Companies that understand the relevant threats, arm themselves with the right high-powered resources and commit to a cyber-secure mission will be the organizations that succeed and distinguish themselves in the marketplace.

One thought on “Failure, Weakness & Neglect: 3 Lessons for the Private Sector from the OPM Cybersecurity Breach”

  1. In your example, the company should have either (1) terminated both employees, or (2) not electronically built the personnel file, but built it with paper only. Clearly, that company’s leadership is so incompetent that they deserve to get hacked!
