Advisen reports that there's been a massive data breach affecting tens of thousands of government employees. When US Investigation Services – a longtime government contractor specializing in background checks and security clearance – was hacked in March, the personal information of 25,000 government workers was exposed.
The breach, which was made public six months later, is a prime example of what not to do when working as a government or private contractor responsible for overseeing sensitive data.
Let's look at what USIS did wrong and what mistakes an IT contractor needs to avoid.
IT Security Lessons: This Is How to Lose a $320 Million Contract
Here's the thing: data breaches are often preventable. While we can't say with 100 percent certainty that USIS could have stopped this attack, it's clear that it should have done more to prevent it and taken actions that would have limited the breach's damage.
What can IT consultants learn from this case? Here are three areas where USIS failed with its security:
- It kept old data (i.e., it did not manage its "data footprint"). USIS retained old records of the government employees it had screened. Why is holding old data so bad? All personal data is a liability. If you keep data you're no longer using, you unnecessarily increase your risk and make any potential data breach more expensive (because hackers will simply have more data to steal). IT firms that follow best practices trim their data, minimizing the data footprint to reduce the potential damage if they are attacked.
- USIS was hacked through a third party. As is often the case with a data breach, the attack initially occurred through a third party. USIS wasn't hacked directly. Cyber criminals were able to access a vulnerable computer on a network connected to USIS. The details are fuzzy, but because USIS and this third-party contractor shared a network, it's clear that the two firms are in some way connected (maybe the third party was a subcontractor). Nearly every business has to hire outside contractors or vendors. If you give them access to your network, you're potentially compromising your security.
- USIS suffered from a lack of oversight and execution. Reports from former employees show that USIS didn't make efforts to ensure duplicate records were erased from staff computers. Workers screening applicants could download the relevant files to their desktop. While company protocol called for spot checks to make sure employees deleted these files, these checks were rarely performed.
In the interest of fairness, we should also point out some of the things that USIS did well in its data security and breach response. IT consultants should take note that USIS…
- Informed government agencies soon after it knew of the breach. Though the exact timeline is unclear, it looks like USIS informed the government shortly after it discovered the breach. No one wants to deliver the bad news, but quick notification is vital for two reasons. First, data breach laws require organizations to notify users in a timely fashion. If you don't inform clients about a breach, they could end up having to pay fines for failing to notify the affected parties. Second, an organization will have to prepare its response, hire security auditors, and contact crisis management teams. Responding to a data breach is hard work, and the more time you give a client, the better it will be for them.
- Got approval for security measures. While USIS's antivirus software, breach detection resources, and other safety measures ultimately failed, USIS had taken proper steps to get approval from the government agencies. By having government agencies sign off on its security measures, USIS made sure that it was handling data in a way that the government agencies approved.
The Takeaway: Unexpected Data Breach Costs for IT Contractors
Whether you contract with government organizations or private clients, there's one lesson you should take away from this data breach: if your business is involved in a data breach, your company's reputation could be so severely damaged that you'd have to shut down.
When talking about the cost of a data breach, many researchers don't include an IT contractor's lost business and tarnished reputation. USIS lost a $320 million contract, damaged its reputation, and potentially risked the security of thousands of government contractors. It's going to be hard for USIS to earn any big contracts in the near future. In fact, the company has already had to lay off 2,500 workers.
Protecting your clients' data security is also about protecting your business. With the high cost of a data breach, a single cyber attack could force your business to close its doors.