Chandra Akinapalli, CGI

Director Consulting Delivery

The recently detected massive cyberattack should really drive home the importance of protecting data from exposure. As the attack shows, even the best-defended organizations can sometimes fall victim to attack, so maintaining effective data privacy practices must be a top priority.

Data privacy is not the same as data security, although the two are connected. Federal agencies safeguard personal information not only for every American citizen, but also for many non-citizens who need to interact with the U.S. federal government. Every agency must protect data, including personally identifiable information (PII) and personal health information (PHI), since failing at that duty can lead to identity theft or civil rights violations.

Even more insidiously, determined identity thieves or other bad actors can use even partial pieces of PII, using what they know to find out what they don’t know. If they have a name, they can find an address. With a name and address they can find information on family members, and so on. Eventually, they have enough information to write a realistic email that can convince a mother her son is in trouble and needs money wired fast, for example.

Common types of data that federal agencies protect include:

  • Social Security Numbers
  • Medical records
  • Race and ethnic origin
  • Religious or philosophical beliefs
  • Political opinions and affiliations
  • Trade union memberships
  • Biometric data
  • Genetic data
  • Health data

The ID theft risk is growing

Would-be data thieves are always looking for vulnerabilities and weaknesses that can give them a way to access private information. They often use phishing attacks, but there are many other tactics. Organizations in the public and private sectors need to be on constant guard.

A data breach can potentially expose hundreds of thousands of people to the risk of identity theft or expose secret information to adversaries. According to the Ponemon Institute, which researches information and privacy management, it takes an average of 280 days for organizations to detect data breaches. The average cost to repair the damage of a data breach is $8.46 million.

Enterprises have hardened their defenses over the past few years. Two-factor authentication (2FA) is now common, and has made it harder for social engineering (tricking someone into divulging a password) to succeed on its own. However, even 2FA techniques have vulnerabilities. They are only as secure as their weakest components, and data intrusions still occur even with measures such as security tokens or biometric authentication in place.

Protect data with these key steps

Fortunately, federal agencies—and individuals—can better protect their data through key steps, including:

  1. Understand your data: Agencies should identify the sensitive information they collect and consider why they need it. Analyze the tools used for collection and storage, and ensure they follow industry standards and federal mandates. Do not forget the value of even piecemeal information.
  2. Encrypt data: Encryption is one of the best measures to prevent data loss. The Advanced Encryption Standard (AES) is the trusted standard algorithm used by the United States government, as well as many other organizations.
  3. Monitor attempted intrusions and analyze the data: Organizations should employ the latest technologies for continuously monitoring data privacy breaches, maintaining a historical record of breaches and actively gathering information about potential actors behind the breaches. Attackers continuously create and test new ways to penetrate defenses; the defenses must keep up by performing ongoing analysis of attack tactics.
  4. Delete sensitive information when no longer needed: So long as the law and regulations allow it, federal agencies should purge personal information they do not plan to use again. Be very careful, though, to ensure adherence to federal records retention laws.
  5. Employ data masking: When copying production data into testing or training databases, organizations put the data at risk. However, testing often needs a realistic number of records to thoroughly determine the strengths and weaknesses of the system being tested. Data masking turns high volumes of real data into mock data, enabling risk-free testing and training.
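
To make the data masking step concrete, the sketch below is an added example, not code from the original article: it replaces names and Social Security Numbers with format-preserving mock values before rows are copied into a test database. The sample rows, the key, the name pools and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample rows standing in for production data (not real people).
PRODUCTION_ROWS = [
    {"id": 1, "name": "Alice Example", "ssn": "123-45-6789", "state": "VA"},
    {"id": 2, "name": "Bob Sample", "ssn": "987-65-4321", "state": "MD"},
    {"id": 3, "name": "Alice Example", "ssn": "123-45-6789", "state": "VA"},
]

# Hypothetical masking key; keep the real one out of the test environment.
# A keyed hash matters: SSNs have only about 10^9 possible values, so an
# unkeyed hash could be reversed by hashing every candidate.
MASKING_KEY = b"constructed-demo-key"

FIRST_NAMES = ["Jordan", "Casey", "Riley", "Morgan", "Avery", "Quinn"]
LAST_NAMES = ["Rivera", "Nguyen", "Okafor", "Larsen", "Haddad", "Price"]


def _digest(field, value):
    """HMAC-SHA256 of one field value; the field name separates domains."""
    msg = field.encode() + b"\x00" + value.encode()
    return hmac.new(MASKING_KEY, msg, hashlib.sha256).digest()


def mask_ssn(ssn):
    """Map an SSN to a same-format value in the 900-999 area range,
    which the Social Security Administration does not issue as SSNs."""
    n = int.from_bytes(_digest("ssn", ssn)[:8], "big")
    area = 900 + n % 100
    group = 1 + (n // 100) % 99        # 01-99, never 00
    serial = 1 + (n // 9900) % 9999    # 0001-9999, never 0000
    return f"{area:03d}-{group:02d}-{serial:04d}"


def mask_name(name):
    """Pick a mock name deterministically so joins across tables still match."""
    d = _digest("name", name)
    return f"{FIRST_NAMES[d[0] % len(FIRST_NAMES)]} {LAST_NAMES[d[1] % len(LAST_NAMES)]}"


def mask_table(rows):
    """Return masked copies; non-sensitive columns pass through unchanged."""
    return [{**r, "name": mask_name(r["name"]), "ssn": mask_ssn(r["ssn"])}
            for r in rows]


if __name__ == "__main__":
    for row in mask_table(PRODUCTION_ROWS):
        print(row)
```

Because the mapping is deterministic, rows 1 and 3 (the same person) receive the same mock identity, so tests that depend on duplicate detection or joins still behave realistically. The name pool here is deliberately small, so distinct people can share a mock name.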

While data protection presents many challenges, the high cost of exposure makes it critically important to do, and to do well. Even though the recommendations above provide a strong foundation, the landscape constantly shifts. Therefore, federal cybersecurity professionals must stay abreast of the evolving universe of threats.

About this author

Chandra Akinapalli is a director in CGI Federal’s Enterprise Solutions Group.