Data breaches, unfortunately, are more a matter of when not if, so contractors and agencies need to prepare and that includes knowing what to share when you've been hacked.
Massachusetts Air National Guardsman Jack Teixiera’s arrest for leaking Pentagon data has made headlines for weeks. He is a classic example of an “insider threat,” someone who maliciously and intentionally takes actions to breach data.
But most government data breaches aren’t nearly so spy-movie ready. They happen despite agencies’ and contractors’ best of intentions, through accidents, lack of security awareness, or social engineering attacks from external threats. That’s why many data breaches can be prevented with straightforward policy changes, use of effective cybersecurity technology, and security training.
Vigilance and preparation can solve most data breach risks, including how agencies and contractors should communicate breaches to the public.
Preparing for a data breach
There is no “one size fits all” for effective security measures for federal agencies and contractors. However, basic security preparation and planning should be on everyone’s agenda.
Digital solutions like anti-virus programs, proper usernames and passwords, and patches on endpoints like desktops and point of sale terminals will ensure across-the-board protection and will prevent human error from exposing information. So will proper firewall configurations, network intrusion detection systems, and the right set-up for your cloud managed service.
Data loss prevention (DLP) solutions are a special type of technical solution that warrants its own category. Many times, a data loss or data breach is the result of your team or employees attempting to do their job and inadvertently exposing data.
They may email a spreadsheet to their personal email so they can finish work at home. Or they may overshare data with their contractor, unnecessarily exposing people’s personal data. Or they may include personal data (such as a home address) in the body of an email from a call center representative.
DLP systems monitor the data of the system in use, in transit, or at rest to detect attempts to steal the data from places like email, messaging apps, Excel files, cloud applications, and databases.
In addition to the legal/regulatory controls that the law requires, administrative solutions include security awareness training for your staff to avoid social engineering attacks.
Many data breaches are a result of social engineering (manipulating someone into revealing information or performing other detrimental actions – through techniques like email phishing or faking a text from the CEO). User training is one of the least expensive and most effective ways to prevent a data breach.
A two-pronged pre-breach communications strategy also is necessary. The first prong is to identify the kind of data that can be breached and assess its impact on national security and private citizens’ safety.
Doing this ahead of time will ensure you respond faster and better during a breach, because you don’t want the first time you think about navigating a breach to be during the real event.
The second prong is to inform stakeholders about what you’re doing to protect their data. Agency heads, Congress, regulators, and watchdogs should be aware of what you’re doing and why.
Navigating the breach
It’s hard to earn trust during a crisis, especially one as impactful as people’s information being compromised, which is why we recommend building trust ahead of time. When a breach does happen, these five steps will help plug the technical leaks and mitigate brand damage:
- Acknowledge the facts, and don’t try to hide the breach. A cover-up is usually far worse than the mistake itself.
- Share important data about the nature of the crisis and provide good news if possible.
- Explain your response and why it was correct.
- Develop and announce concrete steps for mitigating the damage and securing data better in the future.
- Execute the steps and update stakeholders on progress.
Data security is not just an IT issue; it’s a business risk. Make a conscious decision ahead of time on how you will handle it.
There are some scenarios when silence is the right solution, but we believe that most data breaches should be communicated to stakeholders as quickly as possible – not just to protect yourself legally, but because it is the right thing to do.
Unfortunately, the nature of modern government and contractors is that a data breach is likely a matter of “when” instead of “if.”
While intentional bad actors like Jack Teixeira may require their own categories of prevention and controls, government agencies and contractors should focus most of their attention on preventing, detecting, and responding to unintentional data breaches.
Chris Zeiders is vice president of technology at Federal Resources Corporation (FRC), with 20 years of experience delivering secure, modern, digital solutions for the federal government. Dustin Siggins is founder of Proven Media Solutions and a business writer whose work has appeared at Insider, Forbes, Newsweek, and other national outlets.