Cash-Strapped States Burdened By Expensive Data Security Breaches
CowboyRobot writes "As budgets are pinched by reduced tax collection, many U.S. states are facing a possibility of not being able to handle the ever-increasing number of data breaches. 70% of state chief information security officers (CISOs) reported a data breach this year, each of which can cost up to $5M in some states. 'Cybersecurity accounts for about 1 to 2 percent of the overall IT budget in state agencies. ... 82 percent of the state CISOs point to phishing and pharming as the top threats to their agencies, a threat they say will continue in 2013, followed by social engineering, increasingly sophisticated malware threats, and mobile devices.' The full 2012 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study is available online (PDF)."
I worked help desk in K12 education a few years ago. In one district we supported there was a teacher who routinely responded to every phishing email she got. Every "go to this site and enter your password" or "email us your username and password" email she got, she would immediately respond to. About once every six weeks we would get a call from her saying she wasn't getting email. Well, the hackers would connect to her compromised email account and configure Outlook rules to delete all her email and forward the spam or command messages they were sending out. Every six weeks we would have to reset her account password, delete all the rules, and essentially rebuild her mailbox from scratch. Every time we did this we told her, "We will never, ever ask for your password in an email or with a link in an email. Emails saying as such will always be attempts to steal your account. Again." Then six weeks later....
The woman was lucky she worked for the smallest district we supported. All the other districts had computer security agreements that would've had her up for disciplinary action or termination, but this district did not because the superintendent did not see why it was necessary. We all agreed her blatant inability to learn was pretty depressing considering her profession, and that it was almost certain her repeated violations would constitute negligence and numerous FERPA violations.
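The pattern in the post above (phished credentials, then inbox rules that delete everything and forward outward) is cheap to spot if someone audits the rules rather than waiting for the "I'm not getting email" call. The following is an added example, not code from the commenter or the district; it assumes rules have been exported into a simple record shape loosely modelled on what Exchange's Get-InboxRule returns (name, enabled flag, delete/move actions, forward/redirect targets, conditions), and the tenant domain and sample rules are constructed for the demo.

```python
"""Flag inbox rules that match the hide-and-forward pattern used on phished mailboxes.

Added example. Field names are assumed, loosely modelled on Get-InboxRule output;
the domain list and sample rules below are constructed, not real data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed: domains that count as "inside" the organisation. Anything else is external.
INTERNAL_DOMAINS = {"example-district.edu"}

# Folders attackers commonly use to hide mail without deleting it outright (heuristic).
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "conversation history", "archive"}


@dataclass
class InboxRule:
    name: str
    enabled: bool = True
    delete_message: bool = False
    move_to_folder: Optional[str] = None
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    # Empty conditions means the rule applies to every incoming message.
    conditions: Dict[str, List[str]] = field(default_factory=dict)


def is_external(address: str) -> bool:
    """True if the address's domain is not one of the organisation's own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def assess_rule(rule: InboxRule) -> List[str]:
    """Return a list of human-readable findings for one rule (empty = looks benign)."""
    findings: List[str] = []
    if not rule.enabled:
        return findings  # disabled rules do nothing; still worth a look, but not an alert

    unconditional = not rule.conditions
    hides = rule.delete_message or (rule.move_to_folder or "").lower() in HIDING_FOLDERS

    if hides and unconditional:
        findings.append("deletes or hides ALL incoming mail")

    external_targets = [a for a in rule.forward_to + rule.redirect_to if is_external(a)]
    if external_targets:
        findings.append("forwards/redirects to external address: " + ", ".join(external_targets))

    if hides and (rule.forward_to or rule.redirect_to):
        findings.append("forward-and-hide combination (victim never sees the copies)")

    # Heuristic: attackers often give rules empty or one-character names to avoid notice.
    if len(rule.name.strip()) <= 1:
        findings.append("empty or single-character rule name")

    return findings


def assess_mailbox(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map rule name -> findings for every rule that produced at least one finding."""
    return {r.name: f for r in rules if (f := assess_rule(r))}


# Constructed sample rules: one legitimate filter, two that match the attack pattern,
# and one disabled leftover.
SAMPLE_RULES = [
    InboxRule("File vendor newsletter", move_to_folder="Vendors",
              conditions={"from": ["news@vendor.example"]}),
    InboxRule(".", delete_message=True),
    InboxRule("Backup", forward_to=["teacher.backup@mail-attacker.example"],
              conditions={"subject_contains": ["password"]}),
    InboxRule("Old filter", enabled=False, delete_message=True),
]


if __name__ == "__main__":
    for name, findings in assess_mailbox(SAMPLE_RULES).items():
        print(f"[SUSPICIOUS] {name!r}")
        for finding in findings:
            print(f"    - {finding}")
```

In practice the records would come from a scheduled export of every mailbox's rules (or from the audit log events generated when a rule is created), and the useful alert is a rule that is both unconditional and destructive, or any forward to a domain the organisation does not own; a rule that files a known sender into a folder is normal and should not page anyone.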
The road to tyranny has always been paved with claims of necessity.
I grew suspicious on seeing the name "Deloitte" in the association's name. That is one more organisation preying on already cash-strapped government institutions, by sending in 25-year-olds with the roaring title of "consultants" for exorbitant fees. You always see where the corpses are by paying attention to where the vultures gather.
The religious speak to God. The insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace.
In Massachusetts, businesses can be fined thousands of dollars for not having a written data breach plan, but the state is exempt from the rules. A few years back the unemployment office released personal information because of a virus installed on computers used by clients. There was no consequence for the state, and their response was: we can't do anything about it.
Just a thought. Perhaps given the fact that cybersecurity is impossible from a practical standpoint, maybe we should be thinking about taking things off the 'net. By "practical standpoint" I mean folding in reality factors like low-bid contract policies, cronyism, people who give away their passwords, etc. I am giving serious consideration to taking all my personal financial activities offline (or as much so as my financial institutions will let me), and maybe it's time this philosophy is given equal time with the rush to make all things accessible from the Internet (with all its tubes and pipes). For starters, any system with things like people's SSNs on it is NOT reachable from the Internet. This won't avoid idiots losing laptops full of information, but it does close down remote inroads to the information (or access to control of things like power grids). Granted, it's nice to have full access all the time to everything, but perhaps since we can't protect the things that need protecting, this is too costly a desire to meet.