When it comes to information security, all too often the necessary actions aren’t taken until someone really screws something up. The latest example comes from the federal government, which recently announced that its departments and agencies must comply with a set of security standards within the short span of a month-and-a-half. The reason? A laptop holding the records of 22.5 million retired and 2.5 million active-duty military personnel was stolen from the home of a Department of Veterans Affairs employee, and the data on the device was not encrypted.
“There was no encryption on the device,” said Andrew Krcik, vice president of marketing at PGP, which provides encryption services for organizational data assets. “They did get it back this week, and there’s no evidence that it’s been tampered with, but in the encryption world that doesn’t mean anything. Lack of any evidence that it was doesn’t mean that it wasn’t. I don’t think they released the details of how they got it back, but I’ll bet there were a lot of federal resources applied to getting it back. Then, as it turned out, other smaller breaches of data in other agencies came to light afterwards. That has a way of focusing attention.”
Thus, the deputy director of the Office of Management and Budget recently issued an order to all departments in the federal government to comply with a new security mandate within 45 days. That time frame ends on Aug. 7, Krcik said. “They will have to secure all devices that leave a secured premise. They must have two-factor authentication when you enter the network remotely, which means you have to use a token to identify yourself. Any time a user’s machine is idle for 30 minutes or more, it must time out and the user must log in anew. They have to keep a written log of all data that is extracted from databases and of the computers it ended up on, and after 90 days that data must be destroyed. All data that leaves the premises in any form must do so encrypted, and anything that’s stored off the premises must be encrypted.”
A simple question remains, though: If the laptop contained vast amounts of sensitive information, why didn’t it have data encryption in the first place, mandate or not? Krcik explained that one of the main reasons Veterans Affairs and other public and private organizations neglect this step is an out-of-date understanding of the technology involved. “There’s a sort of out-of-date perception about how complex this technology is,” he said. “If you evaluated this technology four or five years ago, at that point in time the technology was quite complex. There were no good management servers, there were no good key management systems; it was kind of a first-generation solution. PGP and others have introduced automated systems that are friendly to users and networks, work transparently and in the background, and don’t require a lot of installation or maintenance. The technology has improved dramatically, but not everyone knows it has.”
This incident also illustrates that the cost of failing to prepare for security threats amounts to more than simple data loss. It also damages an organization’s reputation. “This story is about the federal government acting like a business and having the same sorts of realities in customer relations and reputation and trust that a business would have,” Krcik said. “The government has been very badly embarrassed by this. Think about it: Who’s probably got more resources in information security in the country, if not the world? They’re experts in this, they know this stuff, and yet they haven’t extended those protections into civilian agencies.”