Data risks demand federal action
I have had several people call me wanting my opinion on the recent data breach discovered at the S.C. Department of Revenue and how it could have been prevented.
This same question is often asked of us from businesses after they suffer a data loss, attack, or breach.
My answer is always the same. Nothing could be done. No one is immune to an attack. It is the one thing that all governments, businesses and individuals are at risk of equally.
Let me explain further. There is some talk in the media about how much money was being spent on security and if the budgets were cut. Money isnít the solution to solve security risks. If money would solve the problem this would be a simple solution, but it isnít.
In addition to the SCDOR breach, we have seen hackers get into the U.S. Department of Defense, the White House, TJ Maxx, Bank of America and the military. They all have tremendous IT security budgets and they couldnít stop an attack.
The reason is that people are the ones who install these devices. People are the ones who write these policies. People are the ones who click on the video that is really a virus. I can sell you the most secure device in the world, but if an individual makes a small hole to allow something to take place, then no product will help you.
More money solves nothing.
All organizations must have the ability to detect and respond to an event. We have to assume someone will get into the networks and steal information. So, we need to build up these networks in a way that limits what they find once they get in there, and then we need the ability to detect what happened and respond by stopping them.
I think the state has done a terrific job in handling this breach. It has gone above and beyond what most organizations have done and they did it without being required to do so.
South Carolina, as far as I know, doesnít have a law that requires disclosure, but the state did it and made sure it had a plan in place for the citizens when they went public with it.
This talk over how long it took for the state to come out with the information is irrelevant. These things are very intricate, and it takes time to figure out what is happening and shut it down.
The question in my mind is what will the U.S. do about this? The main job of the federal government is to protect its citizens. There is all this talk about what South Carolina is doing for its citizens. What is the federal government doing for South Carolina and the thousands of businesses under attack this very moment from state-sponsored cyber crime?
South Carolina doesnít have the capacity or the legal ability to deal with China, Russia, and North Korea. The federal government does.
The Internet is another border that the federal government needs to protect.
JOHN M. STENGEL
Senior security analyst, J. Stengel Consulting
Faber Place Drive