Additional information has come to light about the recent breach of pension records that demonstrated a need for better IT risk management by the Federal Retirement Thrift Investment Board. More than 120,000 retirees may have had their personally identifiable information disclosed during a cyber attack that has been described as "sophisticated." When it learned of the breach, Congress requested additional details.
One of the main actors pressing the Federal Retirement Thrift Investment Board for more information has been Senator Susan Collins, a Republican from the state of Maine. Collins serves as a ranking member of the Senate Homeland Security and Governmental Affairs Committee (HSGAC), which exercises oversight over the Thrift Savings Plan. The breach was first brought to light on May 25th; just four days later, Collins was already requesting additional details about the incident.
When those details were furnished, they were somewhat explosive because they represented a change in the story of how the breach was first discovered. That information was disclosed on June 5th in a response the Board sent to Collins. The Board now says that it was informed of the security problem in early April by an IT company hired to provide services that included not just IT management but also a variety of professional and management services. As of now, however, the Board has yet to explain in detail why a breach that first occurred in summer 2011 remained undiscovered until some eight months later.
Although the investigation will no doubt continue until Collins and others receive additional firm answers to this and other pertinent questions, small and medium-sized businesses that conduct business online or make use of cloud storage facilities can already take some important lessons away from the incident. It seems clear that IT security was not being provided in a robust enough manner to ward off all attacks. While a number of factors may be responsible for that circumstance, one of them may well be the fact that the board was relying on a company whose sole specialty was not the provision of outsourced IT.
Remote monitoring and assistance make outsourced IT one of the best security advancements seen in the past decade, but businesses considering the strategy should be sure to work with a firm whose sole specialty consists of IT support and services, such as iCorps Technologies.