The hack of the U.S. Office of Personnel Management didn't surprise me. All significant organizations are regularly attacked, and every major federal agency is a big target.
The outrage that followed this potentially preventable attack didn't surprise me either. But the most likely reason it wasn't prevented is that few people realize the value of standard personnel records, so those records receive little to no protection until they are compromised.
Unfortunately, the outrage will die away, and with it will go the keen awareness that such records are in great need of protection. I hope I'm wrong, but I believe that outcome is all but certain.
Here are six reasons why I believe that incidents like the OPM hack will not only continue, but also quite possibly increase in scope.
1. We always hit the snooze button
The pattern of all recent attacks has been for little to change afterwards, with the requisite outrage dissipating quickly. Although the IRS hack of earlier this year resulted in $50 million in theft, it is already out of the news. The congressional hearing that it inspired may lead to some improved processes, but little of real value has been done.
Just since 2014, government agencies that have been hacked have included the Government Accountability Office, the Government Printing Office, the U.S. Postal Service, the State Department, the White House, the IRS, the OPM and the U.S. Army. The fact that one government agency after another has fallen prey to hackers shows how little is learned from each incident.
Outside of government, consider the hack of health insurer Anthem. It reported that more than 70 million people's records had been compromised. That is nearly 25% of the U.S. population. But there's a good chance that all of us have had our records compromised, since 91% of all healthcare providers have reported a data breach at some point. As big and recent as the Anthem data breach was, few people now mention it, other than to note that it now appears that Anthem and the OPM were hit by the same hackers.
2. We fail to learn from past hacks
Sure, I'm overstating the case. But while there definitely are some astute organizations with strong security programs, most organizations are not incorporating threat intelligence into their security programs, or at least not constantly updating their systems to ward off new types of attack.
Most tellingly, the White House only a couple of weeks ago ordered all federal agencies to implement basic security measures. The fact that this had to be directed in 2015, after decades of hacks into government agencies, is outrageous. How many hacks has it taken for the government to do the very least that should be done? And having to play catch-up at this late date means that the most up-to-date countermeasures will have to wait. How many more hacks will we see before then?