Governor Nikki R. Haley of South Carolina has been uncommonly honest about the reasons for the recent Department of Revenue hacking incident, which resulted in the theft of almost 400,000 credit card records, and 10 times as many Social Security numbers.
"Could South Carolina have done a better job? Absolutely. We did not do enough," Haley said.
It would be refreshing to hear, just occasionally, similar frankness from enterprises that suffer security breaches and data losses. Specifically, South Carolina's cybersecurity failures included:
- Insufficient levels of password security, and
- Not encrypting Social Security numbers.
One might add inadequate training. The hackers gained access through straightforward spear phishing, getting state employees to click on malicious links in emails, which in turn allowed malicious programs to access their accounts and steal their login details.
As a detailed audit by the security vendor Mandiant makes clear, the hackers used valid credentials to access a user account, credentials effectively handed over when the user clicked on the malicious email link. Once inside the account, the hackers leveraged the user's access rights to gain access to sensitive files.
Jim Etter, director of the Department of Revenue, has been asked to resign.
The apparent ability to reset access rights from within an individual account, with no third-party supervision, is clearly questionable. The apparent readiness to click on links in suspect emails is predictable, but dismaying. The failure to encrypt sensitive data is culpable.
There are three lessons to be learned from the South Carolina experience. The first is that perfunctory security just isn't enough, especially for any enterprise or other organization that maintains databases of valuable personal information. Encryption isn't just optional, single passwords are often not enough, and training in security awareness should be mandatory. That's the first lesson, and it should be obvious.
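As an added illustration of the encryption lesson (example code written for this column, not part of the Mandiant audit or any South Carolina system): a stolen copy of a table in which the Social Security number column is sealed with authenticated encryption yields only ciphertext, and a ciphertext cannot even be moved to another taxpayer's row without detection. The key, the record names and the SSN are constructed sample values; the use of AES-256-GCM with the taxpayer name as associated data is this example's own design choice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// demoKey is a constructed 32-byte key for this example only. A real
// deployment keeps the key in a KMS/HSM, never beside the database.
var demoKey = []byte("constructed-32-byte-demo-key!!!!")

// TaxpayerRecord is a hypothetical row; the SSN column is the one the
// breach exposed in cleartext. Here it only ever holds ciphertext.
type TaxpayerRecord struct {
	Name          string
	SSNCiphertext string // base64(nonce || AES-GCM ciphertext)
}

// sealSSN encrypts one SSN with AES-256-GCM. A fresh random nonce is
// prepended to the ciphertext, and the record name is bound as associated
// data so the ciphertext is rejected if copied into another taxpayer's row.
func sealSSN(key []byte, name, ssn string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(ssn), []byte(name))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// openSSN reverses sealSSN. Any modification of the stored value, or a
// mismatch between the stored row name and the name supplied here, fails.
func openSSN(key []byte, name, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short to contain a nonce")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, []byte(name))
	if err != nil {
		return "", fmt.Errorf("decrypt failed: %w", err)
	}
	return string(plain), nil
}

func main() {
	// Constructed sample record.
	stored, err := sealSSN(demoKey, "Jane Taxpayer", "123-45-6789")
	if err != nil {
		panic(err)
	}
	rec := TaxpayerRecord{Name: "Jane Taxpayer", SSNCiphertext: stored}
	fmt.Printf("what a copied table reveals: %s -> %s\n", rec.Name, rec.SSNCiphertext)

	ssn, err := openSSN(demoKey, rec.Name, rec.SSNCiphertext)
	fmt.Printf("with the key: %s (err=%v)\n", ssn, err)

	_, err = openSSN(demoKey, "Someone Else", rec.SSNCiphertext)
	fmt.Printf("ciphertext moved to another row: err=%v\n", err)
}
```

The point of binding the record name is that bulk theft of the table, the scenario in this breach, yields nothing usable without the key, and even a holder of the key cannot silently reassign numbers between rows; the key itself must live somewhere the compromised user account cannot reach.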
The second lesson is that being open about what happened (in the case of South Carolina, commissioning and then publishing a third-party audit) can actually restore confidence rather than undermine it, as long, of course, as action is taken to remedy the flaws.
The final lesson is a painful one: accountability. It seems unlikely that the director of the Department of Revenue had direct operational responsibility for cybersecurity, but he had a responsibility to see that the job was done, and done properly.
Executives need to understand that cybersecurity is no longer just something peripheral to the IT manager's agenda. In this data-driven age, it's crucial.
— Kim Davis, Community Editor, Internet Evolution