The Veterans Affairs Breach – Anyone Can Be the Weakest Link
- Data encryption to secure and protect information
All sensitive information and data stored on systems has to be encrypted. Do not make it easy for hackers to obtain information.
- Stronger breach notification guidelines within agencies
There has to be a formal internal breach notification process and framework for notifying incident response teams and administrators of breaches so that action can be taken swiftly to mitigate the crisis.
- More attention to data retention, classification and minimization
There needs to be a proper assessment and review of how personally identifiable information is stored, accessed and protected. First, organizations have to perform formal privacy impact assessments to understand how their agencies are collecting, using and protecting personal data. Next, assessments to rate and prioritize these systems must be carried out. Lastly, appropriate controls should be applied based on the amount of personal data each system contains.
- Stronger remote access policies
There is a need for better controls on agency data when it is accessed from remote locations by teleworkers. Implementing two-factor authentication to control remote access to agency networks and data is critical. Remote users should also be asked to re-authenticate themselves after 30 minutes of inactivity. The focus should be on securing remote systems via the use of endpoint network admission control tools. Any system logging into a network has to have adequate antivirus and firewall protections, have all the mandated configuration settings and be properly patched.
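The remote access controls described above can be combined into one admission decision per session. The following Python is an added example, not code from the article or from any network admission control product; the posture field names, the `Session` structure and the sample sessions are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=30)  # re-authentication window stated in the article

# Posture attributes the article requires of any system logging in.
# Field names are hypothetical; a real NAC agent reports its own schema.
REQUIRED_POSTURE = ("antivirus_active", "firewall_enabled",
                    "config_compliant", "patches_current")

@dataclass
class Session:
    user: str
    second_factor_verified: bool
    last_activity: datetime
    posture: dict  # report from the endpoint agent; may be incomplete

def evaluate(session: Session, now: datetime) -> tuple[str, list[str]]:
    """Return (decision, reasons): 'allow', 'reauthenticate' or 'quarantine'."""
    # Fail closed: an attribute that is missing or not exactly True is a failure,
    # so an endpoint that omits a field is treated like one that fails the check.
    failed = [k for k in REQUIRED_POSTURE if session.posture.get(k) is not True]
    if failed:
        return "quarantine", [f"posture check failed: {k}" for k in failed]
    if not session.second_factor_verified:
        return "reauthenticate", ["second factor not verified"]
    if now - session.last_activity >= IDLE_LIMIT:
        return "reauthenticate", ["idle for 30 minutes or more"]
    return "allow", []

# Constructed sample sessions (not real data).
NOW = datetime(2024, 1, 1, 12, 0)
GOOD = dict.fromkeys(REQUIRED_POSTURE, True)
SAMPLES = [
    Session("alice", True, NOW - timedelta(minutes=5), GOOD),
    Session("bob", True, NOW - timedelta(minutes=30), GOOD),
    Session("carol", True, NOW - timedelta(minutes=1),
            {**GOOD, "patches_current": False}),
    Session("dave", True, NOW - timedelta(minutes=1), {"antivirus_active": True}),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.user, *evaluate(s, NOW))
```

Posture is checked before authentication state so that an unpatched or unprotected endpoint is quarantined even when the user's credentials are valid.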
- Staff training and awareness – anyone can be the weakest link
Cyber awareness programs should be as comprehensive as possible and made available to staff at all levels. This way, employees become aware of issues beyond those they are exposed to in their own department and level, and are well equipped to prevent or deal with any potential cyber breach. Being proactive is a must; an investment in the organization's protection and employees' awareness will prove to be more affordable than the subsequent financial losses due to a cyber attack.
- Financial losses
Five veteran groups filed a class-action lawsuit against the VA alleging invasion of privacy. The lawsuit sought $1000 in damages for violations of privacy for each of the military personnel affected. The VA agreed to pay $20 million to veterans affected by the breach.
- Reputational damage, Overhaul of IT controls
The breach caused widespread concern over the perceived lack of information security controls at the agency. It prompted a sweeping overhaul of the agency's IT organization, including top-level personnel changes and a centralization of all IT development, operations and maintenance activities at the VA.