VA Had Many Security Warnings Before Its 26.5 Million-Person Breach - InformationWeek


The organization didn't take the risk seriously enough and broke with security best practices.

In fiscal 2004, an inspector general report made 16 recommendations on ways the VA could improve the security of its IT operations, including centralizing IT security programs, implementing an effective patch management program, and addressing unauthorized access and misuse of sensitive information (see box). None of the recommendations has been addressed, Opfer testified.

In response to the breach, the VA is requiring all employees to complete cybersecurity-awareness and privacy-awareness courses by June 30. It's also conducting a review of what sensitive data employees need access to and putting them through background checks depending on their access levels.

Data Moves, So Protect It
There are many steps organizations can take to prevent data loss of the kind the VA suffered. Foremost is encryption, which VA policy requires but wasn't done in this case. Encryption can take place on PCs and memory sticks, within back-end databases, and even as data passes through a network. M-Systems offers encryption for data stored on its USB-pluggable storage devices and memory sticks. Ingrian Networks' i110 DataSecure Platform centrally manages encryption keys from a network appliance. Microsoft's Exchange Hosted Services include encryption for securing data sent in E-mail.

There's a risk with encryption: improperly managing the keys used to decrypt data. "If you don't manage encryption properly, it's a good way to lose your data forever," warns Burton Group analyst Trent Henry. Most encryption software offers an administrative interface that IT pros can use to safely store and retrieve keys.
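The key-loss failure mode above is the reason laptop and removable-media encryption is normally deployed as envelope encryption with a recovery (escrow) key. The following Go program is an added example, not code from the article or from any vendor named in it: each record is encrypted once under a random data key, and that data key is wrapped separately under the user's key-encryption key and under an escrow key held by the IT administrator. If the user's key is lost, the record is still recoverable through escrow; if no wrapping key is available, the data is gone, which is exactly the situation the analyst warns about. The holder names ("user", "escrow") and the sample record are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// seal encrypts plaintext with AES-256-GCM under key and prepends the fresh nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; a wrong key or tampered ciphertext fails authentication.
func unseal(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Envelope is the stored form: one ciphertext plus the data key wrapped under each
// holder's key-encryption key (KEK). Holder names are illustrative.
type Envelope struct {
	Ciphertext  []byte
	WrappedKeys map[string][]byte // holder name -> data key wrapped under that holder's KEK
}

// Encrypt generates a random 256-bit data key, encrypts the record once, and wraps the
// data key under every KEK supplied (for example the user's key and IT's escrow key).
func Encrypt(record []byte, keks map[string][]byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	ct, err := seal(dataKey, record)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Ciphertext: ct, WrappedKeys: map[string][]byte{}}
	for name, kek := range keks {
		w, err := seal(kek, dataKey)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[name] = w
	}
	return env, nil
}

// Decrypt recovers the record using whichever holder's KEK the caller still has.
func Decrypt(env *Envelope, holder string, kek []byte) ([]byte, error) {
	w, ok := env.WrappedKeys[holder]
	if !ok {
		return nil, fmt.Errorf("no wrapped data key for holder %q", holder)
	}
	dataKey, err := unseal(kek, w)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed for %q: %w", holder, err)
	}
	return unseal(dataKey, env.Ciphertext)
}

func main() {
	userKEK := make([]byte, 32)   // constructed: would come from the user's passphrase/TPM
	escrowKEK := make([]byte, 32) // constructed: would be held by IT key management
	rand.Read(userKEK)
	rand.Read(escrowKEK)
	record := []byte("constructed sample: veteran record 0001") // not real data

	env, _ := Encrypt(record, map[string][]byte{"user": userKEK, "escrow": escrowKEK})
	// Simulate the user losing their key: recovery still works through escrow.
	got, err := Decrypt(env, "escrow", escrowKEK)
	fmt.Printf("escrow recovery: %q err=%v\n", got, err)
	// Without any valid KEK the record is unrecoverable, which is the analyst's warning.
	_, err = Decrypt(env, "user", escrowKEK)
	fmt.Printf("wrong key: err=%v\n", err)
}
```

The design point is that the data key, not the user's password, protects the record, so rotating or recovering a user's key never requires re-encrypting the data; the escrow wrapping is what the "administrative interface to safely store and retrieve keys" in the paragraph above is protecting.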

Encryption is embraced by companies in financial services, health care, and other tightly regulated industries. But most companies still find excuses (it's overkill, or too expensive, or too hard to use) for not deploying it widely or not enforcing encryption policies. Yet it costs much less to encrypt data than to respond to a breach, Gartner analyst Avivah Litan testified last week. A reasonable up-front cost for the systems, services, processes, and procedures to encrypt 100,000 or more customer records is about $500,000, she said.

Encryption isn't the only way for companies to ensure that data doesn't disappear with a lost or stolen mobile device. Another is never to put data on the device in the first place. If employees must work remotely, Secure Sockets Layer VPN software can give them network access to sensitive data. Companies also can deploy software and network appliances that block data from being copied to external devices or E-mailed outside the network. Technology exists for real-time analysis of outbound data content. Workshare, one of dozens of vendors that offer this sort of software and appliances, last week launched a risk assessment appliance and PC-based software to prevent data leakage.

It doesn't seem like data security is getting better, but it has improved over the past several years, Burton's Henry contends. State disclosure laws make it embarrassing and expensive for companies that don't protect their data. "It's just that it's still easy to make mistakes, and those mistakes are broadcast loudly," he says. "Even though there's been a flurry of data-breach activity, this has brought about a conversation about this topic, which is the precursor to further improvement."

That's a conversation more government agencies must have. Within companies, the risk of having to issue a security breach notice has helped IT managers get a bigger budget, says Ohio State University law professor Peter Swire. "Now there needs to be a continued pressure to upgrade security in federal agencies," he says.

Might the legal environment change to turn up that pressure? A high-profile data breach that affects the nation's veterans could be just the thing to shake Congress out of its foot-dragging on data privacy and breach-notification legislation. Last week, the House Energy and Commerce Committee and the House Financial Services Committee each proposed data privacy and protection legislation to the speaker of the House, who will decide which version the House moves forward. It's not clear what the timeframe is for a full House vote, however, and this proposed legislation, as well as bills in the Senate, has been around for months. Fewer than one in five of 1,150 U.S. adults surveyed by the Cyber Security Industry Alliance say they think existing laws can protect them from fraud, identity theft, and other Internet crimes. More than two-thirds want Congress to pass stronger legislation.

Agencies and businesses shouldn't need new laws or more embarrassing breaches to realize what's at stake. Like the VA analyst, thousands of employees are carting their work home with them every night. IT teams must address that risk, and their organizations must give them the support to create the systems and policies to reduce it.
