Enterprise post-breach mantra must be 'how' not 'who'
Hack me once, shame on you! Hack me twice, shame on me!


There should be no doubting the fact that the US Office of Personnel Management (OPM) has been subject to a breach of quite dramatic proportions. The reports that details of up to four million past and present government employees have been compromised are big news.
The OPM is the agency responsible for both the screening and the hiring of the vast majority, and we are talking something in the region of 90 per cent, of federal government staff. This includes the approval of security clearance. Once you realise that, the importance of the news is frankly a given.
That this is the second serious breach within the same department in less than the space of a year makes the story even bigger. So why is the world's media, including most of the specialist security and tech press as far as I can see, obsessing over the wrong headline?
Everywhere I look, I see stories covering the attribution angle. The who and not the how. Everyone, it would appear, is salivating over the 'spy movie in the making' notion that the Chinese were behind this 'Nation State Sponsored' attack.
This could, of course, well be the case. The who is ultimately part of the story. What it isn't, at least from the enterprise security perspective, is the most important part of it. If business is to learn from breaches such as this (and business must, because the same techniques and exploits will almost inevitably filter down the threat food chain and strike eventually), it must focus on how the perpetrators managed to do what they did and stop them from being able to repeat it.
Attribution is nothing but a distraction at this stage in the game, and one that We The Media seem to have an unhealthy, and certainly unhelpful, obsession with.
For one thing, attribution for such attacks is almost always difficult in the extreme to establish successfully, and at the very least it takes a long time. The same is true whether we are talking about nation states or hacktivist collectives: there will always be speculation, finger pointing and kudos collecting.
What there will be precious little of is proof beyond reasonable doubt. In the absence of which, you have to ask yourself why bother expending so much energy when that energy could be so much better spent looking at what went wrong and how to prevent it going wrong again.
Reports are suggesting, for example, that at least some of the data at the centre of the OPM breach was apparently unencrypted. There's important lesson number one right there. At least make the prize as unattractive as possible if the bad guys manage to navigate through the defences to get at it rather than handing it to them on a plate.
Not that encryption is the key, if you will pardon the pun, but it does add another layer of difficulty into the mix. A determined attacker could always steal the keys as well as the database, or engineer authorised access to grab the unencrypted data, for example. It has to be seen as part of a solution. All too often, unfortunately, encryption is seen as part of a problem and therefore isn't implemented in any form. Big mistake!
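To make that caveat concrete, here is an added example (written for this page, not code from OPM or from any report on the breach) of what "part of a solution" looks like in practice: personnel records encrypted at rest with AES-GCM, the data key held by a separate key server rather than next to the database, so that a stolen database dump on its own yields nothing readable. The same code also shows the two ways the author says a determined attacker still gets through: stealing the key along with the database, or going through the application's own authorised read path. The key server, the record store, the employee IDs and the record contents are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedStore is the "database": it holds only nonce || AES-GCM ciphertext
// per employee ID. Constructed for this example.
type EncryptedStore struct {
	rows map[string][]byte
}

// keyServer stands in for a separate key-management system. The assumption
// being illustrated is that the data key never lives on the database host.
type keyServer struct {
	dataKey []byte
}

func newKeyServer() (*keyServer, error) {
	k := make([]byte, 32) // AES-256 data key
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &keyServer{dataKey: k}, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record. The employee ID is bound as associated data, so a
// ciphertext cannot be silently swapped into another employee's row.
func Seal(key []byte, id string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, []byte(id))...), nil
}

// Open decrypts one record; it fails on a wrong key, a tampered blob, or a
// blob filed under a different employee ID.
func Open(key []byte, id string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(id))
}

// DumpContainsPlaintext models an attacker who exfiltrates the raw database
// and greps it for a known value. With encryption at rest this should be false.
func DumpContainsPlaintext(store *EncryptedStore, needle []byte) bool {
	for _, blob := range store.rows {
		if bytes.Contains(blob, needle) {
			return true
		}
	}
	return false
}

// ReadAsApplication is the legitimate read path: fetch the key, decrypt the row.
// An attacker who obtains the application's credentials walks straight through
// it, which is the "engineer authorised access" case encryption does not stop.
func ReadAsApplication(ks *keyServer, store *EncryptedStore, id string) ([]byte, error) {
	blob, ok := store.rows[id]
	if !ok {
		return nil, errors.New("no such record")
	}
	return Open(ks.dataKey, id, blob)
}

func main() {
	ks, _ := newKeyServer()
	record := []byte("SF-86 summary: clearance TS/SCI, SSN 123-45-6789") // constructed
	blob, _ := Seal(ks.dataKey, "emp-0001", record)
	store := &EncryptedStore{rows: map[string][]byte{"emp-0001": blob}}

	fmt.Println("dump alone reveals SSN:", DumpContainsPlaintext(store, []byte("123-45-6789")))
	stolen, err := Open(ks.dataKey, "emp-0001", blob) // database plus stolen key
	fmt.Println("dump plus stolen key:", string(stolen), err)
	viaApp, err := ReadAsApplication(ks, store, "emp-0001") // compromised app tier
	fmt.Println("via authorised path:", string(viaApp), err)
}
```

The design choice worth noting is where the key lives: keeping it in a separate service means the attacker has to compromise two systems, or the application tier that already bridges them, rather than one. That is the "another layer of difficulty" the author describes, and no more than that.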
Now that the initial hysteria has started to die down, we can get back on track and start looking at that how rather than the who. Hopefully, by so doing, we can learn what vulnerabilities were exploited and where the attack surface was weakened.
Hopefully, if your organisation is subject to a breach you will get straight to the nitty gritty of how it happened and once you've worked that out, and secured the defences, then and only then start pointing the finger of blame...
Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.
Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.
You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.