Cybersecurity Is Every Citizen’s Responsibility
October was National Cyber Security Awareness Month, which according to the U.S. Department of Homeland Security is designed to “engage and educate public and private sector partners through events and initiatives with the goal of raising awareness about cybersecurity and increasing the resiliency of the nation in the event of a cyber incident.”
It would be interesting to find out what percentage of organizations or individuals are actually aware of that — or of the real need to enhance the protection of personal information.
What’s becoming clear is that cybersecurity is every citizen's responsibility. When we interact with a variety of government agencies at the federal, state and local level, it’s not unusual to share personal data such as name, address, Social Security number and credit card information.
But as recent events have shown, the government — just like the private sector — is vulnerable to significant data breaches.
Growing government agency cyberattacks
For example, in May 2015, the IRS reported criminals had used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on some 114,000 tax accounts through its “Get Transcript” application. After subsequent investigation, the agency said it had identified more questionable attempts to obtain transcripts, bringing the total number of taxpayers affected to 334,000.
Data involved in the IRS breach included Social Security numbers, birth dates and street addresses, and attackers “gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer,” the IRS noted in a statement.
Another federal government agency that suffered an attack earlier this year was the Office of Personnel Management (OPM), which was the target of a data breach aimed at the personal records of as many as 21 million people. Reports about the attack said among the main contributing factors was the agency’s lack of visibility into and control over its IT systems and security vulnerabilities.
In September 2015, the OPM and U.S. Department of Defense announced that investigations showed that of the individuals whose sensitive information was affected by the breach, 5.6 million also had fingerprints stolen. “Federal experts believe that, as of now, the ability to misuse fingerprint data is limited,” the statement said. “However, this probability could change over time as technology evolves.”
And in July 2015, the U.S. Census Bureau revealed that it had experienced an attack aimed at gaining access to the Federal Audit Clearinghouse, which is housed on an externally facing IT system that contains non-confidential information such as the name of the person submitting the information, organization addresses and phone numbers, site user names, etc.
The bureau said the breach did not include personally identifiable information provided by people responding to censuses and surveys, and that it appeared the database affected was compromised through a configuration setting that allowed the attacker to gain access to four files posted to the hacker’s site.
Security program safeguards
It’s clear from these and other incidents that data provided to government agencies can potentially be hacked, and individuals need to take this into consideration when providing such information to the government.
For their part, agencies at all levels of government need to strengthen cybersecurity. And while technology solutions are a big part of this, they’re not the only component of a security strategy.
As Forrester Research noted in its June 23, 2015, report, “Top 11 Trends S&R Pros Should Watch: 2015”: “New technologies have emerged, but none are game changers today. [Security and risk] pros must continue to focus on their security program, including people and processes, to address evolving threats and externalities like changing data localization requirements.”
One important way the government can try to boost security efforts is by working in concert with the private sector, through initiatives such as sharing threat intelligence.
Especially following the recent incidents, government entities need to show the public that they are taking cybersecurity extremely seriously, so that citizens will feel somewhat confident that their personal information will be safe.