The short answer is yes.
A data breach involving more than four million federal employees was announced in early June. The breach, involving the U.S. Office of Personnel Management (OPM), involved personnel records and security clearances.
During the breach, hackers gained access to the financial, health, and personnel files of members of the military, and others, who applied for government security clearances. In addition, sensitive information belonging to millions of friends and family members of clearance applicants was siphoned off in the hack. The stolen data could be used to identify specialists, scientists, and others operating covertly in foreign countries.
Thefts of employee, financial, and healthcare data are, unfortunately, becoming more and more common. Earlier this year, investigators linked attacks on healthcare insurers Anthem, Premera Blue Cross, and CareFirst to Chinese hackers. The Anthem attack alone is believed to affect close to 80 million consumers. Even Donald Trump is not immune: Krebs on Security recently revealed that Trump Hotels suffered a data breach extending back months. And while the Target data breach of 2013 startled consumers and banks, the provision of free security monitoring to compromised consumers is now mainstream.
A serious breach of HR files could happen to any business or enterprise. What can you do about it?
Hot issues for HR cybersecurity
Outdated legacy systems and practices are not just a problem for the federal government. Businesses of all sizes are vulnerable to internal and external intruders. The vast security weaknesses evident in federal systems are mirrored each day in business, state, non-profit, and other information technology (IT) systems.
The IT security challenges facing most businesses today include:
Lax security: From hardware and software to vendors, employees, and weak security protocols, the majority of businesses do not have the equipment, plans, or personnel in place to address IT security.
Specialized IT staff: Still practically in its infancy, the field of cybersecurity will grow rapidly in coming years. While IT specialists are trained to assess and identify system and data-delivery problems and offer solutions, experienced security talent is relatively rare and in high demand. Although information and intellectual property are key assets, few businesses have trained teams to address or resolve vulnerabilities. If you do not employ trained specialists, use an outside service or consultant.
Bring your own device: Mobility offers unparalleled opportunity to increase productivity, facilitate communications, and share data. Electronic devices of all kinds are exposed when an information system is breached, and routine headlines speak to the frequency with which laptops containing unencrypted sensitive data—or access to that data—are stolen. Current methods to sequester data on mobile devices include sandboxing and virtualization:
- Sandboxing: A sandbox is a defined, controlled space created for users of mobile devices. Work on the device is contained within protected sectors called sandboxes.
- Virtualization: Virtualization allows a user to work on a device without storing data on it. Less stored data means less exposure if the device is lost or stolen.
Training: Employees pose an enormous risk to system security. While some attacks are intentional, more damage occurs by mistake. The potential to download a malicious program is enormous—even when employees, vendors, or clients are trained. Personnel who use or access your systems should receive prevention and detection training. Because malicious programs and hacking methods evolve rapidly, ensure that developments in cybersecurity are discussed frequently within your organization.
The U.S. Computer Emergency Readiness Team (US-CERT) provides protocols, tools, and training that businesses can use to begin system assessment and readiness. Steps identified by US-CERT toward readiness include:
- Identify: Assess and understand risk
- Protect: Training and best practices
- Detect: Engage resources to detect and share situational awareness
- Respond: Share situational resources, respond, and advise operators and businesses
- Recover: US-CERT offers Federal Emergency Management Agency (FEMA) planning exercises
The breach at the OPM resulted in the theft of millions of sensitive HR files. As security experts work to identify the extent of the damage, OPM managers struggle to explain why sensitive data was not encrypted.
Data breach incidents in the United States, and across the globe, are on the rise. Hackers of yesteryear were individuals seeking revenge or damage. Today, sophisticated hackers routinely probe companies of all sizes for IT vulnerabilities.
Could it happen to you? The long answer is yes.