Fraser Thomas, VP International, Swivel Secure Inc.
It has been reported that more than 20 million people have had their details stolen by hackers in what is the biggest cyber-attack ever on US federal records. Since this story first broke in June, the extent of the breach, together with the number of people affected, has continued to grow, and it has already led to the resignation of the Office of Personnel Management (OPM) head Katherine Archuleta.
In case you missed the headlines, the devastating hack hit the OPM, which conducts more than 90 per cent of federal background investigations, compromising sensitive information on current and former civilian agency and military employees and applicants, going as far back as 1985.
The reaction from The White House in the immediate wake of the breach’s discovery? A direction to all government agencies to lock down their IT systems, fast-track adoption of multi-factor authentication and reduce the number of ‘privileged users’ on their systems. ‘Passwords alone are insufficient access controls’, officials said. No kidding. Given what we all know about the fragilities of passwords, and the inherent risk of cyberattacks, why hasn’t this mandate always been in force?
You can guarantee that physical security within government agencies has always been a top priority. Employees are thoroughly checked, armed with smart identification cards, required to pass through guarded checkpoints, and continuously scrutinised by IP-CCTV. Employees could be forgiven for thinking that once they get into their offices, the business conducted there would be subject to the same levels of security. But what if everyone uses the same password to access the VPN as they do for their Facebook account?
Earlier this year, President Obama, in his State of the Union address, set out his plans for a nationwide data security standard for companies handling sensitive data. It’s more than surprising, therefore, to learn that government bodies are still using passwords to guard their digital gateways, that sensitive data remains unencrypted and that multi-factor authentication is absent where it is clearly needed.
In an age where cyberattacks pose a very real and serious threat, cybersecurity must be made a primary concern from the ground level up. This means making it an intrinsic part of an organisation’s holistic risk assessment processes, with the resulting policies strictly enforced at all levels. Mapping out the IT security risks in this way will enable organisations to assign access control parameters based on the sensitivity of the data held beyond the gateway, keeping really sensitive information accessible only to those with the right permissions.
By putting adaptive, multi-factor authentication in place, guarding the gateways to sensitive data within a network becomes both achievable and manageable. It puts the physical user at the heart of the process and allows different parameters to be established for employees, access requests and services, ensuring exactly the right level of authentication is applied to any given scenario. If any good comes from the OPM attack, let it be the re-prioritisation of strong authentication amongst decision makers. Only when these kinds of solutions are widely adopted will the war on cybercrime start to look winnable.
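As an added illustration (not part of the original article and not Swivel Secure’s own product code), the following sketch shows the kind of risk-tiered, adaptive policy the last two paragraphs describe: resources are classified by data sensitivity, and the request context (privileged account, VPN access, known device) decides which level of authentication must be presented before access is allowed. All tier names, resource names and factor strings are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Authentication strength a session has proved (constructed levels)."""
    NONE = 0
    PASSWORD = 1            # single factor only
    TWO_FACTOR = 2          # password plus OTP or smart card
    TWO_FACTOR_TRUSTED = 3  # two factors from a known, managed device


# Constructed sensitivity tiers for data "beyond the gateway": 1 = low, 3 = highest.
RESOURCE_TIER = {"intranet-news": 1, "hr-records": 2, "background-investigations": 3}


@dataclass(frozen=True)
class Request:
    user: str
    privileged: bool          # privileged accounts always get the strictest policy
    resource: str
    via_vpn: bool             # remote access never rides on a password alone
    known_device: bool
    factors: frozenset        # factors already presented, e.g. {"password", "otp"}


def required_assurance(req: Request) -> Assurance:
    """Map data sensitivity and request context to the level that must be shown."""
    tier = RESOURCE_TIER.get(req.resource, 3)  # unknown resource: treat as most sensitive
    level = Assurance.PASSWORD if tier == 1 else Assurance.TWO_FACTOR
    if tier == 3 or req.privileged:
        level = Assurance.TWO_FACTOR_TRUSTED
    if req.via_vpn and level < Assurance.TWO_FACTOR:
        level = Assurance.TWO_FACTOR
    return level


def achieved_assurance(req: Request) -> Assurance:
    """Work out what the presented factors actually prove."""
    if "password" not in req.factors:
        return Assurance.NONE
    if not (req.factors & {"otp", "smartcard"}):
        return Assurance.PASSWORD
    return Assurance.TWO_FACTOR_TRUSTED if req.known_device else Assurance.TWO_FACTOR


def decide(req: Request) -> tuple:
    """Return ("allow", level) or ("step-up", level the client must still present)."""
    need = required_assurance(req)
    return ("allow" if achieved_assurance(req) >= need else "step-up", need)
```

Because the policy reports the level still required rather than a bare refusal, the gateway can prompt for exactly the missing factor (a step-up) instead of failing closed on every sensitive request.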