
The US Office of Personnel Management has confirmed reports of a massive data breach hitting its systems, with the personal information of over 4 million government employees compromised.
With this the latest in a series of huge data breaches this year, CBR asked security experts what can be learnt from the attack and how businesses and organisations can stamp out similar data breaches.
1. Greatest threat comes not from the physical world, but from the virtual
Chris McIntosh, CEO of ViaSat UK, said:
"This latest incident shows how cyber-attack is cementing itself as a form of unconventional warfare. Rather than guerrilla raids or sabotage, the greatest threat to governments and other organisations comes increasingly not from the physical world, but from the virtual. However, cyber-attack is unique in both its reach and its ease of use.
"Unlike other forms of warfare, unconventional or not, it requires relatively few resources and can be performed from anywhere, and almost by anyone. As a result, an attack of some sort will be almost inevitable. Mitigating the effects is therefore just as important as prevention.
"The best way for organisations to do this is to assume that their security has already been compromised. Security then becomes a matter of minimising, and where possible eliminating, damage caused by attacks. Encrypting sensitive data, so that even if stolen it is essentially useless to attackers, is one step that should by this point be compulsory.
"The ability to isolate potentially infected systems is another. However, organisations of any size should ensure they take an all-encompassing approach to security to prevent the risk of serious damage."
2. Cyber-attack is firmly entrenched as a 21st century battlefield
Piers Wilson, Product Manager at Huntsman Security, said:
"While the exact identity of the US’s latest attacker may never be 100% confirmed, an attack on this scale by a well-funded and skilled adversary (such as a foreign power) should not come as a surprise at this point. From ongoing attacks within Europe, to Stuxnet, to the US’s own alleged attacks against North Korea, cyber-attack is firmly entrenched as a 21st century battlefield.
"However, organisations shouldn’t think that such attacks are only focused on governments and their networks and systems. Like any attacker, a government will attack any target that can benefit it; from opposing nations, to their critical infrastructure, to businesses that it can sabotage or steal valuable information from. What this attack has again shown is that high value, sensitive data (such as employee/HR records) can be at risk as well as valuable intellectual property and other business information.
"Enterprises must be able to detect and triage increasingly sophisticated and well-funded attacks. Since there is no way of predicting where the next attack will come from, and what form it will take, being able to detect evidence of a breach and react in order to contain the threat in the shortest time possible will be critical. Whether an attack comes from a newly discovered virus, a previously unknown vulnerability, or the actions of an employee, the enterprise has to be prepared to spot potentially dangerous behaviour."
3. Accept these attacks will happen
Nick Wilding, Head of Cyber Resilience at AXELOS, said:
"This is another example of the new world all organizations now operate in. One where your most precious information and assets are being attacked and compromised on a regular basis.
"All organizations now need to accept that successful attacks will happen. They need to plan and test how they can become more resilient and be able to respond and recover quickly in the best interests of their customers, staff and citizens."
4. Perpetrator was likely a nation-state
Grayson Milbourne, Security Intelligence Director at Webroot, said:
"Although details are still coming in, we do know very sensitive data is involved and the attack may have gone on for a prolonged period of time. Until we can understand what level of data access was achieved, we won’t know the full impact. But, based on the characteristics of the attack, it’s likely the perpetrator was a nation-state.
"Clearly, the government’s approach to cybersecurity needs to be reformed, prioritized and accelerated. That the breach might have been carried out by the Chinese does not absolve the OPM of blame. The issue here is the government’s technological failings and what it should be doing to prevent future attacks."
5. Once a disaster strikes it’s too late – invest in DR
David Fisk, EMEA Sales Director at Quorum, said:
"Millions of US government officials have been hit by a data breach that could go on to potentially affect essential government departments. This again is proof that organisations need to have a Disaster Recovery (DR)/Business Continuity (BC) plan in place.
"Companies are aware of the risks involved, but seem reluctant to spend a little bit of time investing in a DR plan. Once a disaster strikes it’s too late so companies need to be prepared. What is needed is an effective backup and DR plan that can act as a form of insurance against this type of threat.
"Organisations are well aware of traditional backup and recovery solutions but Disaster Recovery as a Service (DRaaS) provides a unique way to recover complete servers, the most critical applications and/or data in the cloud. This means that when a disaster does strike, organisations can ensure business continuity. This year alone, we have witnessed many cyber attacks against multi-billion-dollar companies, and now the US government. Events like these will happen from time to time, but companies can be prepared.
"DR has come a long way in the past few years and now with DRaaS it can help companies to recover in times of crisis. Once hit by an attack such as this it’s important to maintain business continuity. The US government and other companies who have fallen victim to expert hackers need to ensure they can still manage their data effectively and regain control as quickly as possible. The best way to do this is to spend a little bit of time planning a strong DR strategy."