In response to news of a breach at the Pentagon that compromised the data of 30,000 employees (AP/CNBC link), experts with STEALTHbits Technologies and the Santa Fe Group, the managing entity for Shared Assessments, the experts in third-party risk management, offer their perspectives:
Tom Garrubba, Sr. Director/CISO, The Santa Fe Group, says: "This appears to continue a disturbing trend, regardless of industry, of organizations putting more emphasis (i.e., controls) on protecting customer, cardholder, and intellectual property data and not placing the same rigor or controls on protecting their most valuable asset: the personal data of their employees. As organizations increase the outsourcing of human resource activities, it becomes more evident that the same care must be applied to any third party who will be exposed to such data."
Adam Laub, Senior Vice President, Product Marketing, STEALTHbits Technologies, argues: "On the heels of the GAO's report earlier this month stating 'nearly all of the Pentagon's weapons systems are vulnerable to cyberattacks', it should probably come as no surprise that the DoD's cybersecurity woes aren't isolated to only its most critical systems and infrastructure. That said, the Pentagon is no different than virtually any other government agency and even many private institutions, as they all face the same challenges in recruiting and retaining the talent needed to operate effective cybersecurity programs. When you don't have the right people or enough people, following best practices and plugging vulnerabilities is a pipe dream. The harsh reality is that the day-to-day lives of the people charged with defending our credentials and data are consumed by constant firefighting and merely keeping the walls up, let alone the gates closed."
Tim Bedard, Director, Security Product Marketing, OneSpan, adds: "New day, same old story: a US government agency compromised by poor third-party contractor security. While this is a new cyber breach headline, the underlying root causes are not. Why? Because US contractors are forced to comply with different security requirements in their contracts across multiple different agencies. This, in turn, often leads to multiple, conflicting security mandates. Combined with poor cyber hygiene like compromised or weak user credentials and unpatched software, the vast majority of these data breaches are preventable. So how do we address this growing issue?
"A good first step was recently announced: all federal and state employees responsible for running government websites will soon have to use two-factor authentication to access their administrator accounts, adding a layer of security to prevent intruders from taking over dot-gov domains. With the Departments of Justice, State, and Defense adding two-factor authentication to their accounts, this is the latest move by the federal government to boost the security of its websites and databases, which continue to face cyber threats.
"To further improve the government's security posture, a new standard security requirement for all US agencies needs to be put in place. A new standard security policy for two-factor authentication for all US contractors would remove the burden of supporting multiple different security requirements and eliminate conflicting security mandates, while reducing the risk of another third-party contractor security breach in the US government."