The OPM Breach Two Years Later: Four Best Practices for Cyber Operational Excellence
Socrates is alleged to have said, “the secret of change is to focus all of your energy, not on fighting the old, but on building the new.”1 The saying certainly applies to cybersecurity, where change is the only constant. You don’t have to be Socrates to see that two years after the Office of Public Management cyberattack, too many organizations are still focusing on the old and not building the new.
The good news here is that it’s not too late. There are some best practices that all organizations can employ to strive for operational excellence, to better understand and reduce their exposure and risk, and to implement a resilient, long-term cybersecurity strategy.
1. Manage risk proactively
When the OPM breach was discovered in 2015, they also found 15,000 outdated machines and 2,000 pieces of malware unrelated to the data breach. Fewer than 10 infections from the breach’s PlugX malware compromised millions of records. The agency was thrown into reacting to, not anticipating a major incident.
Knowing your network is the foundation of good cybersecurity
Knowing your network is the foundation of good cybersecurity and your best defense against increasingly sophisticated cyberattacks. Having a resilient and comprehensive cybersecurity posture must start with a strong understanding of your organization’s network, nodes, assets, tools and vulnerabilities, accompanied by a robust patch management program to address known but unpatched vulnerabilities.
The insider threat also cannot be ignored. Insiders with legitimate access privileges often can fly under the security radar so that breaches are discovered only long after the fact. There are blind spots in every organization’s network that leave them vulnerable, including employee data which carries immense value to attackers. That’s why it’s important to treat all data—especially on government networks—as carefully as you would classified information, and implement effective access, password and credential management to defend against elevated privileges, unauthorized access and insider threats. You can never truly know where the next threat will come from.
2. Embrace modernization
Organizations cannot make large, impactful changes if they are averse to change in the first place, and this is true in IT security as in other areas of operation.
Security upgrades must go hand in hand with IT modernization
Security upgrades must go hand in hand with IT modernization. As organizations deploy up-to-date IT, they have the perfect opportunity to reduce their attack surface and address rapid changes in the threat landscape. They can enhance security through improved visibility into the network, continuous and comprehensive monitoring, and the patching of vulnerabilities. Legacy systems that are no longer supported with regular patches can be protected by isolating them from the internet-connected network until they can be replaced.
However, at some point, government agencies will run out of resources to maintain these outdated systems, and will need to prioritize change. One way to hold these organizations accountable to high security standards is to implement a baseline approach that outlines which models of operating systems can still be supported across the federal government. And then follow through with cyber funding to improve networks.
Legislation, such as the Modernizing Government Technology (MGT) bill now pending in the Senate, would establish a working capital fund to let agencies pay for technology updates through savings realized from modernization. Replacing the traditional use-it or lose-it approach of annual appropriations would allow agencies to make long-term plans for replacing legacy IT, taking advantage of advances in technology while simultaneously strengthening cybersecurity.
3. Leverage cybersecurity frameworks
Too often, organizations reinvent the wheel when it comes to cybersecurity. This is particularly the case from a governance or process perspective. Yet there is a large volume of cybersecurity research available that has identified many cybersecurity best practices.
The government has produced several cybersecurity frameworks to help agencies and other organizations secure IT systems and sensitive data. Many of these are voluntary for the private sector, but under FISMA (Federal Information Security Modernization Act) and other cybersecurity initiatives, federal agencies are being required to use this guidance. The NIST Cybersecurity Framework is now recommended by the recent Presidential Executive Order on Cybersecurity as a starting point on long-term foundational cybersecurity insights.
4. Invest in a strong workforce
Finally, regardless of the threats facing all organizations, it takes well-trained, well-informed people with creative mindsets to stop the threats. In government, as in other sectors such as oil, gas and utilities, many of the best-trained workers are nearing retirement. This brain drain will make combatting threats even more difficult.
By September 2017, 31 percent of the federal workforce will be eligible to retire
A GAO study found that by September 2017, nearly 600,000 federal workers—31 percent of the workforce—will be eligible to retire. Government agencies will find it difficult to compete with the private sector to counter the exodus. Government salaries usually are not competitive with commercial firms, and private sector jobs often offer more flexibility and creative benefits.
Organizations will have to provide incentives outside of financial compensation for security professionals to enter and remain in the cybersecurity workforce. Benefits such as flexible working conditions, professional development, and public service opportunities should be offered to a younger workforce that values such creative benefit packages.
Build a solid foundation for a long-term cybersecurity strategy
Effective cybersecurity requires that organizations learn from the OPM breach and build a solid foundation for a long-term cybersecurity strategy. By focusing first on basic practices, organizations can make strides in understanding their exposure, reducing risk and building a resilient cybersecurity program.
For more details on these best practices, download our free OPM whitepaper.
1 The quote is attributed to a character named Socrates in Dan Millman’s book Way of the Peaceful Warrior.
Are You Vulnerable to the Latest Exploits?
Enter your email to receive the latest cyber exposure alerts in your inbox.