Cyber security is an everyday concern for every entity, from government agencies to small and large enterprises. A handful of events took place in 2015, each offering a lesson or two going forward. Counseling clients on requirements always involves sharing best practices, even though best practices are no guarantee. The focus, however, is always on the established standards and the federal and state requirements for securing, transferring and sharing data, and for processing financial transaction information, including medical records.
Cyber security incidents touched entities that once seemed unthinkable as targets. For instance, a group identified as Carbanak obtained the credentials needed to gain access to international banks; the amount stolen from ATMs approximates one billion, affecting about 100 banks. U.S. taxpayers were affected when the IRS was breached: over 100,000 records were illegally accessed, for an amount approximating tens of millions of dollars. A blackmail scheme targeted the accounts of the dating site Ashley Madison, from which the information of millions of customers was taken. Even the Central Intelligence Agency Director's personal AOL email account was hacked, and sensitive files from it were posted on a web-based information platform. Moreover, Blue Cross Blue Shield and Anthem were also compromised, affecting millions of insurance policy holders.
While these are just some of the incidents, the lessons they reveal offer useful guidance, though there is no guarantee of absolutely preventing attempts or their relative success. Notable in addition to the above list is the event at the U.S. Office of Personnel Management, which compromised the records of thousands of federal employees. While this may be unfair, we know that hindsight is 20/20. With that, we can say that we learned there 'was not enough of this' and 'there was not enough of that'.
Specifically, information about security risks was not properly conveyed to employees at different levels, up and down the management chain of command. Practices and methods were not updated and tested as they should have been, which would have produced new standard practices. Authorized security personnel were not integrated into the day-to-day administration of the entities. As a result, personnel were not up to date on vulnerabilities, and the entities failed to make the changes needed in anticipation of a cyber event, which eventually undermined any risk management effort within the entity. When vulnerabilities were known, the entity process needed to resolve the risk was not followed. The most glaring lesson of all was the lack of security governance and management. Just as an entity has an individual overseeing personnel paperwork, records, policies and administration, cyber concerns merit the same dedicated assignment within an entity. This will necessarily entail reprioritizing how cyber security is handled within an entity, which involves routine monitoring, assessment, and the implementation of updates, methods and policies. The cyber events of 2015 have been a lesson for all.