Can universal security controls prevent the next big breach?

Leading Edge Alliance's Sese Bennett

Sese Bennett of LBMC Security and Risk Services argues that OPM should have been better prepared after an earlier breach.

The latest cyber breach at the Office of Personnel Management highlights a possible systemic flaw in the agency’s data security.

OPM said it became aware of the theft of personal information belonging to more than 4 million federal employees in April 2015 during an "aggressive effort" to update its cybersecurity systems. Naturally, this breach was splashed across the headlines.

Sound familiar? It should. OPM was the victim of a similar attack in July 2014.

In both cases, the same type of data was compromised, indicating that OPM should have made it a priority to identify how the initial breach occurred and then institute much stronger controls to prevent it from happening again. When an environment experiences multiple breaches in a relatively short period of time, an analysis should be conducted to determine whether the threat is advanced and persistent. If this were the case with OPM, one has to wonder whether the networks had been compromised for longer than previously reported.

When we consider the recent breaches of Target, Sony Pictures, Anthem and OPM, what is common to all of these is that there has not been a universal standard for data security. Each organization has followed its own established standards, creating an inconsistent patchwork of security.

The old saying, never let a good crisis go to waste, certainly applies here. This OPM breach presents an excellent opportunity for the federal government to step in and spearhead the effort to establish universal standards for data security that government (federal, state and local) and the private sector can adopt and adhere to.

In 2012, the federal government launched its own data security standardization process with the creation of the Federal Risk and Authorization Management Program (FedRAMP). This government-wide initiative provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. As of June 2014, FedRAMP requires that all cloud service providers that work with the federal government meet a standardized set of rigorous security requirements.

FedRAMP is a step in the right direction, but more progress is needed to keep pace with the bad guys. Why not take it a step further and call for the creation of universal data security standards for the private sector as well? Doing so would provide much-needed assurance that the personal information of our nation’s citizens is protected.

Recent data thefts have included a range of personal information, from birthdates and Social Security numbers to security clearances, as the OPM breach clearly illustrated.

This is exactly the type of high-profile data that foreign states and criminal organizations target. Why? Because if they can “own the person,” they can also own whatever that person can access -- whether it’s financials, health care records or, in this case, federal government information.

Protecting data should be a universal mandate, and it will certainly require coordination and consistent implementation. Private industry shouldn’t wait on the government to take action. The OPM breach and others like it demonstrate the need for comprehensive and consistent information security standards across the board. Just as the government protects citizens from enemies both foreign and domestic, it must now band together with the private sector to combat cyber threats as well.

About the Author

Sese Bennett is a senior manager for LBMC Security and Risk Services.
