Not yet a Member?
HR Magazine is highlighting the next generation of HR leaders.
Is your employee handbook ready for the New Year? With SHRM’s Employee Handbook Builder get peace of mind that your handbook is up-to-date.
Get the HR education you need without travel expenses or time out of the office.
Join us in Chicago for the latest trends and technology in talent management, and what to expect in the future.
The historic data breach affecting more than 20 million current and former federal employees and the resignation of the official in charge of the government’s human resources office highlight HR’s critical responsibility for protecting employee information.
Office of Personnel Management (OPM) Director Katherine Archuleta resigned July 10, 2015, a day after revealing that recent data breaches of government systems affected 21.5 million current and former employees, contractors and their family members.
The compromised data includes personnel information such as health, financial and criminal records as well as the background checks used to screen potential employees. Anyone who underwent a federal background investigation from 2000 on “is highly likely” to be affected, OPM announced.
“By their very nature, HR departments are a treasure trove of data, as they’re responsible for protecting employee information ranging from home addresses to Social Security numbers,” data security expert Nigel Johnson of Zix Corp., told SHRM Online in June when the secondof two breaches was announced. “To ensure data security, it’s crucial for companies to nail the basics, including proper training of employees that come in contact with sensitive information and implementing the right tools, such as e-mail encryption and data-loss prevention technology. It is up to HR and IT to work together to ensure the right data-protection tools are in place and training is thorough so, at the very least, the communication of sensitive information is secure,” he said.
The largest data theft in American history began when intruders gained access to employee credentials stolen from an external contractor, highlighting that OPM failed to properly protect user accounts with privileged access.
Stu Sjouwerman, founder and CEO of IT security company KnowBe4, based in Clearwater, Fla., outlined perennial best practices for employers to use to protect employee credentials, including:
Deploying wall-to-wall two-factor authentication.
Eliminating passwords altogether and using biometrics instead. Alternatively, employers could move to a single sign-on service so that employees only use one password.
Putting employees through effective security awareness training that includes password management.
The agency revealed on June 4, 2015, that it had discovered a cyberattack involving data for 4.2 million current and former federal employees. On June 12, OPM disclosed a second attack that targeted information for millions more Americans who applied for security clearances. Both hacks had been ongoing since 2014.
Richard Spires, chief executive officer of Resilient Network Systems Inc., and former chief information officer for the Internal Revenue Service and the Department of Homeland Security (DHS), said other federal agencies are also at risk for data breaches because of a lack of IT management and security best practices and a slow-moving procurement process that prevents speedy adoption of the latest technology.
“Beginning in the 1990s and up to the present, the federal government has not properly managed IT, having failed to effectively adapt with the changes in IT technology and the evolving cybersecurity threat,” he said.
“Federal agencies are a rich target and will continue to experience frequent attempted intrusions,” agreed Andy Ozment, assistant secretary for cybersecurity and communications at DHS. To make up for “20 years of underinvestment in public and private cybersecurity,” Ozment advised Congress to pass cyberthreat sharing legislation currently sitting in the Senate and codify the Einstein intrusion detection system for use across federal civilian agencies.
“The OPM hack is an excellent example of our government on the one hand hoovering up massive amounts of data and on the other hand not having sufficient protection in place to guard that data,” Sjouwerman said. “There is systemic failure on the side of the government, despite projects like Einstein, which are supposed to guard against intrusions.”
OPM is currently reviewing the architectural design of its IT systems to identify and mitigate vulnerabilities and assessing its data sharing and use policies.
The Obama administration also launched an online cybersecurity resource center to provide information about the incident and is crafting a proposal to offer free credit and identity theft monitoring services to all federal workers, whether or not they were affected by the breaches.
Credit and identity theft monitoring services “should be provided to all federal employees in the future—regardless of whether they have been affected by this incident—to ensure their personal information is always protected,” OPM said.
Roy Maurer is an online editor/manager for SHRM.
Follow him @SHRMRoy
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Your session has expired. Please log in again before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
Join SHRM's exclusive peer-to-peer social network
SHRM’s HR Vendor Directory contains over 3,200 companies