What The OPM Hack Means for Data Security and Privacy

Written By

Sean Goldstein

Last month, reports flooded in that the Office of Personnel Management (OPM), a federal agency that (amongst other things) manages the data of millions of government workers, had been hacked sometime in May of this year. It was one of the largest reported government data breaches in history, though by no means the first for the federal government or even the OPM. More disturbing is the fact that the breach—suspected to be the work of hackers based in China—may have affected all federal government agencies, potentially exposing sensitive data to U.S. adversaries. The numbers of affected individuals continues to grow – and is currently at a staggering 21.5 million people.

It is unquestionable that a government data breach of this magnitude would be alarming, especially when the federal government takes extensive measures to protect its networks. But how many in the private sector connected this breach to their company’s own cyber-insecurity and privacy weaknesses?

All industries are at risk, and the stakes are high. The 2015 “Cost of Data Breach Study: United States” by the Ponemon Institute noted that the average cost of a data breach is now $6.5 million, and the average cost per lost or stolen record is $217 in the United States. The rise in attacks, and the related costs, is attributed to the growing value of corporate information like trade secrets. While we all know that cyber-attacks are on the rise, have you considered your points of risk, what steps to take when a potential breach is identified, or the liabilities of being involved in a breach?

Corporations are beginning to vigilantly protect their digital databases, form cyber defense departments and, in some cases, create business resumption and intrusion response plans. Businesses of all shapes and sizes are also investigating and verifying that their partners, vendors, and trusted associates take data security and privacy seriously. But what happens when your computers are unknowingly hacked (as was the case with OPM), and data is taken even after strong safeguards are in place – where false identifications and computer resources are used to perpetuate a cybercrime? How can the risks be controlled? Who is responsible? And what is a “reasonable” standard of care?

It is helpful to think about three principles that should be considered in any security program initiative: confidentiality, integrity, and availability. A security framework must (1) cover protecting data and systems from unsanctioned users or exposure, (2) ensure data cannot be manipulated or changed in an undetected and unauthorized manner, and (3) have business continuity measures in place and preparations for denial of service attacks. Such a framework is a strong starting place to build and maintain your company’s security program.

At this point in time, cyber-attacks and data breaches must be managed like any other risk that a company faces. Developing a defensive posture, conducting security and compliance audits, and augmenting your security and technology staff are all investments in mitigating that risk – and Capsicum has continued to offer the highest quality of technologically advanced analysis and solutions in these areas.

Don’t wait for a serious, costly data breach at a top company in your industry to occur before your organization becomes serious about data security and privacy —after all, it could be your business that suffers a breach and sets the example for the rest. All companies must stay vigilant about their data security. Firms that lack the internal resources to remain on top of their data protection should consider a cybersecurity contractor a wise investment. Capsicum has assisted clients for over fifteen years in the areas of data security, cybersecurity, and digital forensics. Capsicum also offers expertise in incident response, but our experienced professionals are also highly trained in proactive cybersecurity measures, including penetration testing, vulnerability assessments, and other preventative measures to ensure that your business’s security is cutting edge and focused on protecting all of the valuable data on your network.