Slashdot Mirror


Cash-Strapped States Burdened By Expensive Data Security Breaches

CowboyRobot writes "As budgets are pinched by reduced tax collection, many U.S. states are facing a possibility of not being able to handle the ever-increasing number of data breaches. 70% of state chief information security officers (CISOs) reported a data breach this year, each of which can cost up to $5M in some states. 'Cybersecurity accounts for about 1 to 2 percent of the overall IT budget in state agencies. ... 82 percent of the state CISOs point to phishing and pharming as the top threats to their agencies, a threat they say will continue in 2013, followed by social engineering, increasingly sophisticated malware threats, and mobile devices.' The full 2012 Deloitte-National Association of State Chief Information Officers (NASCIO) Cybersecurity Study is available online (PDF)."

7 of 58 comments

  1. The bills eventually come due by stox · · Score: 4, Insightful

    Things weren't any better when the states were flush with cash. Contracts are granted more on the ability to navigate the bidding process than they are by the ability of the bidder(s) to get the job done. Until that changes, we deserve what we get.

    --
    "To those who are overly cautious, everything is impossible."
    1. Re:The bills eventually come due by Bacon+Bits · · Score: 4, Insightful

      Contracts are always granted to the lowest bidder. Think about what that means. You will always be hiring the guy who is cutting the most corners, hiring the fewest, least skilled workers, purchasing the lowest quality or oldest tools and materials, etc. The only time you don't go with the lowest bid is when you can show that there's something wrong with the bid itself (i.e., it missed one of the requirements).

      Example: There was a contract for copier service and repair at one of the K-12 schools we supported. The contract bid was half that of the other bids. Indeed, it was half the cost of the previous contracts to support the same number of copiers. Even though this makes no sense, they got the contract. New copiers were leased and installed and users were trained. 8 months through the first year, the business ran out of money. They stopped responding to calls. Then we discovered that their techs had left for another service company because their paychecks bounced. The business filed for bankruptcy. The school had to hire another service company to support the next 6 months at higher expense while a new contract was bid. The new contract was more reasonable, but the copiers were a different make. So, new copiers were leased and installed and users were trained all over again. This is how government waste happens.

      By the way, if you don't go with the lowest bid the citizens will inevitably complain to the city council or representative. They will do this anyways because Americans always complain, but when there's something a council member or rep can pin on you, well it's something you want to be able to justify. "I know these guys are shady" just isn't going to cut it in all cases.

      --
      The road to tyranny has always been paved with claims of necessity.
  2. This comes as no surprise to me by Bacon+Bits · · Score: 4, Interesting

    I worked help desk in K12 education a few years ago. In one district we supported there was a teacher that routinely responded to every phishing email she got. Every "go to this site and enter your password" or "email us your username and password" email she got she would immediately respond to. About once every six weeks we would get a call from her saying she wasn't getting email. Well, the hackers would connect to her compromised email address and configure Outlook rules to delete all her email and forward the spam or command messages they were sending out. Every six weeks we would have to reset her account password, delete all the rules, and essentially rebuild her mailbox from scratch. Every time we did this we told her "We will never, ever ask for your password in an email or with a link in email. Emails saying as such will always be attempts to steal your account. Again." Then six weeks later....

    The woman was lucky she worked for the smallest district we supported. All the other districts had computer security agreements that would've had her up for disciplinary action or termination, but this district did not because the superintendent did not see why it was necessary. We all agreed her blatant inability to learn was pretty depressing considering her profession, and that it was almost certain her repeated violations would constitute negligence and numerous FERPA violations.

    --
    The road to tyranny has always been paved with claims of necessity.
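  The attacker behaviour described in the comment above (inbox rules that silently delete or forward a compromised user's mail) is worth auditing for rather than discovering at the next help-desk call. The following is an added example and not the commenter's code or anything from the original thread: a small Python audit over mailbox rules exported to plain records. The field names loosely follow the attributes Exchange's Get-InboxRule reports, but the record format, the internal domain, the keyword and folder lists, and the three sample rules are all constructed for this example.

```python
"""Flag suspicious mailbox (inbox) rules of the kind attackers create after
taking over an account: delete-everything rules, forwarding to outside
addresses, and rules that hide "password"/"helpdesk" style warnings.

Added example, not part of the original thread. Rules are assumed to have
been exported to records whose field names loosely follow Exchange's
Get-InboxRule output; the sample data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

# Subject words attackers commonly hide so the victim never sees a warning
# or bounce. Assumed list for this example, not an authoritative source.
SUSPICIOUS_SUBJECT_WORDS = {
    "password", "hacked", "phish", "security", "suspicious",
    "undeliverable", "helpdesk",
}
# Folders a user rarely looks at, so mail filed there is effectively hidden.
HIDDEN_FOLDERS = {"rss feeds", "junk email", "deleted items", "archive",
                  "conversation history"}


@dataclass
class InboxRule:
    name: str
    enabled: bool = True
    delete_message: bool = False
    forward_to: list[str] = field(default_factory=list)
    redirect_to: list[str] = field(default_factory=list)
    subject_contains_words: list[str] = field(default_factory=list)
    from_address_contains: list[str] = field(default_factory=list)
    mark_as_read: bool = False
    move_to_folder: str | None = None


def has_conditions(rule: InboxRule) -> bool:
    """True if the rule only applies to some messages rather than all of them."""
    return bool(rule.subject_contains_words or rule.from_address_contains)


def is_external(address: str, internal_domains: set[str]) -> bool:
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains


def audit_rule(rule: InboxRule, internal_domains: set[str]) -> list[str]:
    """Return human-readable findings for one rule (empty list if it looks clean)."""
    findings: list[str] = []
    if not rule.enabled:
        return findings
    external = [a for a in rule.forward_to + rule.redirect_to
                if is_external(a, internal_domains)]
    if external:
        findings.append("forwards/redirects mail to external address(es): "
                        + ", ".join(external))
    if rule.delete_message and not has_conditions(rule):
        findings.append("deletes every incoming message (no conditions)")
    hits = {w.lower() for w in rule.subject_contains_words} & SUSPICIOUS_SUBJECT_WORDS
    if hits and (rule.delete_message or rule.move_to_folder or rule.mark_as_read):
        findings.append("hides messages whose subject mentions: "
                        + ", ".join(sorted(hits)))
    if (rule.move_to_folder and rule.move_to_folder.lower() in HIDDEN_FOLDERS
            and rule.mark_as_read):
        findings.append(f"marks mail read and files it in rarely viewed folder "
                        f"'{rule.move_to_folder}'")
    return findings


def audit_rules(rules: list[InboxRule], internal_domains: set[str]) -> dict[str, list[str]]:
    """Map rule name -> findings, for every rule with at least one finding."""
    report: dict[str, list[str]] = {}
    for rule in rules:
        findings = audit_rule(rule, internal_domains)
        if findings:
            report[rule.name] = findings
    return report


# Constructed sample: one benign rule and two rules of the kind an attacker
# sets on a phished mailbox (single-character names are a common tell).
SAMPLE_RULES = [
    InboxRule(name="Newsletters", subject_contains_words=["Weekly digest"],
              move_to_folder="Reading"),
    InboxRule(name=".", delete_message=True),
    InboxRule(name="..", forward_to=["drop@mail.example.net"],
              subject_contains_words=["password", "helpdesk"],
              mark_as_read=True, move_to_folder="RSS Feeds"),
]

if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES, {"district.example.org"}).items():
        print(f"rule {name!r}:")
        for finding in findings:
            print(f"  - {finding}")
```

  Run against a real export, the "deletes every incoming message" and external-forward findings are the ones to act on immediately (reset the password, revoke sessions, remove the rule); the hidden-folder and keyword findings are weaker signals and deserve a look at the rule's full conditions before acting.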
  3. Deloitte ? Don't make me laugh. by vikingpower · · Score: 5, Interesting

    I grew suspicious on seeing the name "Deloitte" in the association's name. That is one more organisation preying on already cash-strapped government institutions, by sending in 25-year-olds with the roaring title of "consultants" for exorbitant fees. You always see where the corpses are by paying attention to where the vultures gather.

    --
    Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
  4. Useless "report" by dgharmon · · Score: 4, Insightful

    "As budgets are pinched by reduced tax collection, many U.S. states are facing a possibility of not being able to handle the ever-increasing number of data breaches."

    Use a computer that doesn't get viruses merely by browsing the web or opening an email attachment ...

    --
    AccountKiller
  5. States exempt themselves from the rules by roarkarchitect · · Score: 5, Interesting

    In Massachusetts businesses can be fined 1,000s of dollars for not having a written data breach plan, but the state is exempt from the rules. A few years back the unemployment office released personal information because of a virus installed on computers used by clients. There was no consequence for the state - and their response was - we can't do anything about it.

  6. Disconnect by jasnw · · Score: 4, Interesting

    Just a thought. Perhaps given the fact that cybersecurity is impossible from a practical standpoint, maybe we should be thinking about taking things off the 'net. By "practical standpoint" I mean folding in reality factors like low-bid contract policies, cronyism, people who give away their passwords, etc. I am giving serious consideration to taking all my personal financial activities offline (or as much so as my financial institutions will let me), and maybe it's time this philosophy is given equal time with the rush to make all things accessible from the Internet (with all its tubes and pipes). For starters, any system with things like people's SSNs on it is NOT reachable by the Internet. This won't avoid idiots losing laptops full of information, but it does close down remote inroads to the information (or access to control of things like power grids). Granted that it's nice to have full access all the time to everything, but perhaps since we can't protect the things that need protecting this is too costly a desire to meet.