Personally Identifiable Information (PII) is worth 10 times more than credit card information on the black market, making it imperative to have strong policies and safeguards in place that protect personal data. The latest account from the Identity Theft Resource Center (ITRC) shows that a total of 591 data breaches have taken place this year, exposing more than 175 million records. Among the biggest targets are local, state and national government entities, because of the troves of personal data these organizations store and share on a daily basis and their often outdated, and therefore insecure, IT infrastructure.
Since 2010, governmental organizations experienced more than 300 breaches exposing millions of sensitive records with victims including the United States Postal Service, US Department of State and the National Weather Service. The most recent and by far most egregious breach is that of the Office of Personnel Management (OPM), in which 21 million social security numbers and addresses belonging to former and current government employees, as well as 5.6 million fingerprints, were stolen. What’s most painful is the fact that simple cybersecurity measures could have prevented the majority of these breaches.
In the private sector, data security has become a board-level issue as organizational reputation and shareholder value are at stake. As the resignation of the OPM’s director indicates, governmental organizations are in the same position. As a result, these organizations can – and must – defend against cyber theft by developing and incorporating strong cybersecurity protocols and safeguards when storing and transferring data. Below are four ways that government agencies can protect their PII and avoid making headlines as the next victim of a breach.
1. Equip systems with strong user authentication passwords
It doesn’t take a sophisticated hacker to break into a government data vault if passwords are easy to crack. Because we all have a multitude of passwords to keep track of, people tend to use the same easy-to-remember passwords for a variety of purposes.
According to a 2015 Trustwave research report on 574 data breaches that took place across 15 countries, 28 percent of those breaches were the result of weak passwords. Each year, several reports are released revealing the most common passwords people use and, despite common knowledge, usual suspects like “1234” or “qwerty” are still often selected. As the first line of defense, a strong password that uses upper and lowercase letters, symbols and numbers, that is unique, and that is not reused for other solutions or systems can decrease the likelihood of a breach.
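The policy described above, as an added example that is not part of the original article: a password check that rejects the “usual suspects”, requires the four character classes, and refuses a password already in use on another system. The common-password list is a constructed stand-in for the breach-derived lists the article refers to, and the 12-character minimum is an assumption, since the article gives no length.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// commonPasswords is a constructed stand-in for the yearly "most common
// passwords" lists; a real deployment loads a large breach-derived list.
var commonPasswords = map[string]bool{
	"1234": true, "12345": true, "123456": true,
	"qwerty": true, "password": true, "letmein": true,
}

// minLength is an assumed minimum; the article states no number.
const minLength = 12

// CheckPassword returns every policy rule the candidate violates (empty when it passes).
// reusedElsewhere holds the user's passwords on other systems; in production you
// would compare salted hashes rather than keep them in clear.
func CheckPassword(candidate string, reusedElsewhere []string) []string {
	var problems []string
	var hasUpper, hasLower, hasDigit, hasSymbol bool
	for _, r := range candidate {
		switch {
		case unicode.IsUpper(r):
			hasUpper = true
		case unicode.IsLower(r):
			hasLower = true
		case unicode.IsDigit(r):
			hasDigit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			hasSymbol = true
		}
	}
	if len([]rune(candidate)) < minLength {
		problems = append(problems, fmt.Sprintf("shorter than %d characters", minLength))
	}
	if !hasUpper {
		problems = append(problems, "no uppercase letter")
	}
	if !hasLower {
		problems = append(problems, "no lowercase letter")
	}
	if !hasDigit {
		problems = append(problems, "no digit")
	}
	if !hasSymbol {
		problems = append(problems, "no symbol")
	}
	// "Qwerty123!" is still qwerty: compare case-insensitively after stripping
	// the trailing digits and symbols people bolt on to satisfy composition rules.
	stem := strings.TrimRightFunc(candidate, func(r rune) bool { return !unicode.IsLetter(r) })
	if commonPasswords[strings.ToLower(candidate)] || commonPasswords[strings.ToLower(stem)] {
		problems = append(problems, "appears on the common-password list")
	}
	for _, old := range reusedElsewhere {
		if old == candidate {
			problems = append(problems, "already in use on another system")
			break
		}
	}
	return problems
}

// IsStrong reports whether the candidate satisfies every rule.
func IsStrong(candidate string, reusedElsewhere []string) bool {
	return len(CheckPassword(candidate, reusedElsewhere)) == 0
}

func main() {
	// Constructed samples: two usual suspects, one acceptable, one reused.
	samples := []string{"qwerty", "Qwerty123!", "Gov-Vault#2015-Aug"}
	for _, s := range samples {
		fmt.Printf("%-22s %v\n", s, CheckPassword(s, nil))
	}
	fmt.Println("reused:", CheckPassword("Gov-Vault#2015-Aug", []string{"Gov-Vault#2015-Aug"}))
}
```

The stem check matters in practice: composition rules alone happily accept “Qwerty123!”, which is exactly the kind of password the annual lists show people choosing.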
2. Take ownership of encryption keys
When the PII of millions of employees sits unencrypted on a poorly protected server, it’s the data equivalent of putting a pie on the windowsill for data-hungry hackers. This was the scenario that led to the compromise of millions of files and records at the OPM. Whether information is being stored on and accessed via smartphones, laptops or wearables, organizations should be aware of the risks associated with using the public cloud. Managing and maintaining encryption keys is a good start.
As you would never share your house key with a complete stranger, the same concept should be applied to encryption keys. However, as long as encryption keys are maintained by public cloud service providers and their architects, personal data and information stored in a public cloud will be at risk. So rather than focusing on the strength of an encryption algorithm, a better question to ask is where encryption keys are held and managed. An alternative is a private cloud storage solution that guarantees ownership of encryption keys for maximum protection and control over stored data. Ultimately, reactionary procedures when a breach hits are important; however, proactive preparation by ensuring ownership of encryption keys will decrease the likelihood of a brute force cyber attack.
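The key-ownership point in the two paragraphs above, as an added example that is not part of the original article: records are encrypted on agency-controlled systems before upload, each object under its own data key, and that data key is wrapped under a key-encryption key (KEK) the agency alone holds. The provider stores only the envelope, so a copy of its storage yields nothing without the KEK. The envelope layout, the object-id binding and the sample record are assumptions for illustration; the cipher calls are Go’s standard library AES-GCM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is everything the cloud provider receives. Neither field is
// useful without the KEK, which stays in the agency's own HSM or key store.
type Envelope struct {
	Nonce      []byte // GCM nonce for the record
	Ciphertext []byte // AES-GCM(record) under the per-object data key
	KeyNonce   []byte // GCM nonce for the wrapped data key
	WrappedKey []byte // AES-GCM(dataKey) under the agency KEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts plaintext under key with a fresh random nonce; aad is
// authenticated but not encrypted (here: the object id, so envelopes cannot be swapped).
func sealWith(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, aad), nil
}

func openWith(key, nonce, ct, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, aad)
}

// NewKEK generates a 256-bit key-encryption key. Generate and keep it on
// agency-controlled hardware; it is never sent to the provider.
func NewKEK() ([]byte, error) {
	kek := make([]byte, 32)
	_, err := rand.Read(kek)
	return kek, err
}

// Encrypt runs on agency systems before upload.
func Encrypt(kek, record []byte, objectID string) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	nonce, ct, err := sealWith(dataKey, record, []byte(objectID))
	if err != nil {
		return nil, err
	}
	keyNonce, wrapped, err := sealWith(kek, dataKey, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: ct, KeyNonce: keyNonce, WrappedKey: wrapped}, nil
}

// Decrypt also runs on agency systems; it fails closed on a wrong KEK,
// a different object id, or any modification of the stored envelope.
func Decrypt(kek []byte, env *Envelope, objectID string) ([]byte, error) {
	dataKey, err := openWith(kek, env.KeyNonce, env.WrappedKey, []byte(objectID))
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK or tampered envelope")
	}
	return openWith(dataKey, env.Nonce, env.Ciphertext, []byte(objectID))
}

func main() {
	kek, _ := NewKEK()
	record := []byte("SSN=000-00-0000;name=Sample Person") // constructed sample PII
	env, _ := Encrypt(kek, record, "personnel/00001")

	// The provider (or anyone who copies its storage) holds env but not kek.
	providerKey, _ := NewKEK()
	if _, err := Decrypt(providerKey, env, "personnel/00001"); err != nil {
		fmt.Println("provider-side decryption fails:", err)
	}
	pt, _ := Decrypt(kek, env, "personnel/00001")
	fmt.Printf("agency-side decryption: %s\n", pt)
}
```

Wrapping a per-object data key rather than encrypting every record directly under the KEK keeps the KEK's use count low and lets the agency rotate or revoke it by re-wrapping data keys instead of re-encrypting every stored object.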
3. Ensure proper use policies for dated applications
Dead apps, or apps that once thrived in large-scale app stores but are no longer supported, give hackers an easy way to exploit devices and implant malware. Organizations can help protect their personal information by encouraging staff to update apps promptly when newer versions are released, or to delete them altogether from their devices once their developers no longer support them. IT departments can also establish and enforce a mobile app whitelist to manage which apps are safe for employees to download and use.
4. Provide employee training on cybersecurity best practices
Stephen Covey, author of “The Seven Habits of Highly Effective People,” famously said, “always treat employees exactly as you want them to treat your best customers.” Employee training sends the message to staff that management values them and is willing to provide employees with all the tools they need to do a good job. Cybersecurity training instills in employees the value of protecting customer and employee information and, of course, helps to decrease the likelihood of careless errors concerning corporate information.
In addition to periodic training sessions, an ongoing support system from IT that is reiterated by management ensures that employees have the security resources and education they need to make smart decisions when using corporate data.
As breaches continue to make daily headlines, it’s more imperative than ever to invest in solutions and policies that ensure PII is safely stored, accessed and shared. The negative repercussions of the OPM breach, among many others, prove that all government organizations should develop, monitor and continually enhance internal systems and policies to safeguard personal information. To avoid subsequent headaches for IT managers and maintain a positive reputation, employee training, encryption key ownership and strong authentication make a significant difference in ensuring PII is safely stored and out of the hands of hackers and the lucrative black market.