Even the CIA is vulnerable.
Recent reports of cyber attacks targeting the federal government and prominent organizations, including the CIA and the U.S. Senate’s website, the International Monetary Fund (IMF), Lockheed Martin and dozens of others in 2011, have highlighted the need for corporations to make sure their enterprises are secure.
And now with Congress paying attention, so too should HR and IT departments, experts say.
“Sophisticated cyber attacks are increasingly becoming the greatest threat to the future of electronic commerce here in the United States and around the world, and that’s why Congress must take immediate steps to better protect the personal online information of American consumers,” Rep. Mary Bono Mack, R-Calif., said June 15, 2011, during a House subcommittee hearing where she unveiled legislation that would require companies to notify law enforcement within two days of discovering a data breach. Experts say there are dozens of laws requiring the reporting of data breaches nationwide, but Bono Mack’s proposal would also require companies to establish and maintain appropriate security policies to prevent data breaches and to minimize the amount of data collected from individuals.
The Secure and Fortify Electronic (SAFE) Data Act would require breached firms to notify the Federal Trade Commission as well. Companies that do not may face fines.
Her bill augments legislation passed by the House in 2009, but never acted upon in the Senate. “Maybe [the recent Senate attack] will give them a bit of an incentive over there,” Bono Mack said.
According to datalossdb.org, which tracks such breaches, in most cases hackers accessed customers’ names, contact information, e-mail addresses, passwords, credit card account numbers, vehicle identification numbers and other financial data. Some of it wasn’t even encrypted. Some of the breaches involved employee negligence or theft of company equipment. Most involved hacking.
A recent report by Ernst & Young reveals that although organizations have been dealing with opportunistic cyber attacks for years, many now find themselves the target of more sophisticated and persistent efforts. These attacks are focused on a single objective, often lasting over a long period of time until the desired target is obtained. They leave few signs of disturbance because they are designed to remain hidden to acquire as much sensitive information as possible, the report states.
In March 2011, U.S. weapons maker Lockheed Martin Corp. was hit by an unspecified cyber incident. On June 15, 2011, the CIA experienced a denial of service attack. In April 2009, spies breached the Pentagon’s $300 billion Joint Strike Fighter jet project, a costly weapons program. That same year, a security audit of the U.S. air traffic control system revealed it too was repeatedly hacked. The culprit: weak passwords and unprotected folders.
What HR Can Do
“First thing you have to know is that it is going to happen. Expect it,” said Damon Petraglia, director of forensic and information security services for Chartstone LLC and a consultant for the electronic task force for the U.S. Secret Service.
In Borderless Security: Ernst & Young’s 2010 Global Information Security Survey, the professional services organization found many companies are expecting attacks:
39 percent of survey respondents say they are implementing policy adjustments.
38 percent are increasing security awareness activities.
29 percent are adding encryption techniques.
Security experts interviewed by the Society for Human Resource Management said it is imperative that corporations train employees about good online habits, institute online usage policies and, if possible, eliminate nonbusiness online activity. They also suggest that IT departments add a second layer of data security beyond firewalls, step up their authentication methods, and make data inside their network valueless to hackers.
HR should have IT departments assess their applications for security vulnerabilities and educate employees about good online habits as well.
“Vulnerabilities crop up in design, configuration and implementation,” Daniel Uriah Clemens of Packetninjas LLC, an information security consultancy based in Alabama, told SHRM Online. “Businesses need to know that while living in the digital world their business viability is based on the technology decisions they make.” Good companies “practice practical security disciplines, both offensively and defensively.”
Katie Johnson, head of marketing and client services for Awareity, a web-based security solutions firm, added, “The majority of data breaches are caused by or related to human error—failure to set up a system properly, unauthorized access, mistakes and errors, password security, social engineering [the art of tricking people into giving away confidential info], etc. It is important for organizations to ask, ‘Are all employees aware of changing and more sophisticated risks? Have we updated employees with situational awareness as more and more attacks target employees?’ All employees must understand their individual roles and responsibilities for protecting sensitive information,” she said.
“Good IT departments understand that strong information security programs do not stop upon completion of their risk management plans, disaster recovery plans, or security policies and procedures,” Johnson said. “It is critical to ensure constant updates and plan reviews.”
According to a March 2011 study released by the Ponemon Institute, the average cost of a data breach in 2011 is $7.2 million—per data breach event. A data breach response plan is imperative, added Denis Kelly, chairman of the three-year-old Identity Ambassador Commission, which certifies identity theft professionals. Kelly, author of The Official Identity Theft Prevention Handbook (Sterling & Ross Publishers, 2011), has been working with congressional leaders on the SAFE Data Act.
“If the response plan is not developed prior to a breach, then all costs associated with the breach rise dramatically,” Kelly told SHRM Online. He added that there are two primary considerations for breach management: internal and external.
“Internal is systems, structures or processes that led to the breach. External are the victims and the public perception. These components must be addressed in tandem and with a high level of coordination,” Kelly explained, adding that “once a breach is discovered, there should be a reasonable time—96 hours—from discovery to notifying victims.” He said that gives the company enough time to identify and assess the situation.
“Ensuring you have constantly reviewed and revised electronic-use policies, covering all aspects of employees’ potential use of corporate technology is key,” added Andrew Marshall, CIO of Technologies for Campus Apartments, the oldest student housing provider in the U.S.
“These policies have to be backed up with enforcement and education to ensure employees understand what is required and work within the guidelines,” he said, adding that “most security risk, knowing or unknowing, starts with an employee—whether it’s writing a password on a Post-it note [for anyone to see], using a password that they use on other noncontrolled sites, allowing someone else to use their ID, or unwittingly introducing a virus or malware. Not much of this can be electronically mandated, so the first line of defense is policy and education,” he said.
Aliah D. Wright is an online editor/manager for SHRM.