Don’t Be The Government

There are severe penalties for businesses that ignore PCI compliance: fines from the card brands and acquirers, higher processing costs and, in the worst case, losing the ability to accept cards at all. We hope that yours is not one of them, and if it is, give us a call so we can help you meet PCI compliance. Meeting compliance matters because it keeps your customers' information safe and lessens the chances of a data breach, something that is all too common these days. PCI DSS is not a government standard; it is maintained by the PCI Security Standards Council, which the major card brands founded. Government agencies are held to their own federal information security standards instead. So what happens when the government fails to meet its own cyber security standard?

The Report

Earlier this year the Senate Permanent Subcommittee on Investigations published a report revealing a decade-long series of failures by eight US government agencies to follow even the most basic cyber security procedures, and as a result they exposed their networks and the information of Americans to attack. The bipartisan report, ordered by Senators Rob Portman (R-OH) and Tom Carper (D-DE), reviewed the past 10 years of Inspector General audits of each agency's compliance with federal information security standards (the annual FISMA reviews).

The report analyzed eight different US agencies: the Departments of State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, Education, Homeland Security and the Social Security Administration. The results are ugly.

Highlights (Or Lowlights)

Cyber incidents reported by federal agencies increased by about 1300% from 2006 to 2015, so it was known that there was a problem, but it was not known just how bad it was. That the number of attacks grew is not surprising by itself; how the agencies responded is.

The report highlighted a string of failures and bad practices at those agencies. Five of the eight failed to maintain accurate and comprehensive IT asset inventories. Without knowing what devices are on the network, administrators cannot control who accesses it or confirm that updates actually reach every device, which leaves huge gaps in protection.

Six of the eight agencies also failed to apply security patches promptly. Seven of the eight failed to protect personally identifiable information from theft. One of the biggest issues was that the Department of Education could not keep unauthorized devices off its network: an outside device could connect for up to 90 seconds, more than enough time to launch an attack. In another instance, Homeland Security was still running unsupported systems on Windows XP. Microsoft ended support for Windows XP in April 2014!
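The three failures above (no reliable asset inventory, missed patches, and operating systems past vendor support) are exactly the kind of thing a merchant's PCI assessor looks for, and all three can be checked with a simple reconciliation of what you think you own against what is actually on the wire. The script below is an added example written for this post, not code from the Senate report or from any agency; the inventory, the observed hosts and the 30-day patch window are constructed sample data and an assumed policy, while the two end-of-support dates (Windows XP, 8 April 2014; Windows Server 2003, 14 July 2015) are real.

```python
"""Reconcile an IT asset inventory against hosts actually seen on the network.

Added example for this post. INVENTORY, OBSERVED and MAX_PATCH_AGE_DAYS are
constructed sample data and an assumed policy, not real agency data.
"""
from datetime import date

# Constructed: the "authoritative" asset inventory, keyed by MAC address.
INVENTORY = {
    "00:11:22:33:44:01": {"hostname": "hr-ws-01", "owner": "HR"},
    "00:11:22:33:44:02": {"hostname": "fin-srv-01", "owner": "Finance"},
    "00:11:22:33:44:03": {"hostname": "legacy-scanner", "owner": "Facilities"},
}

# Constructed: hosts observed via DHCP leases or a network scan, with the
# fingerprinted OS and the date the host was last patched (None = never).
OBSERVED = [
    {"mac": "00:11:22:33:44:01", "os": "Windows 10", "last_patched": date(2019, 11, 12)},
    {"mac": "00:11:22:33:44:02", "os": "Windows Server 2016", "last_patched": date(2019, 6, 1)},
    {"mac": "00:11:22:33:44:03", "os": "Windows XP", "last_patched": date(2014, 4, 8)},
    {"mac": "aa:bb:cc:dd:ee:ff", "os": "Linux", "last_patched": None},  # not in inventory
]

# Vendor end-of-support dates (these two are real; extend for your own estate).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
}

MAX_PATCH_AGE_DAYS = 30  # assumed policy: security patches applied within 30 days


def find_unknown_hosts(inventory, observed):
    """Devices seen on the network that the inventory does not know about."""
    return sorted(h["mac"] for h in observed if h["mac"] not in inventory)


def find_unsupported_hosts(observed, today, eos=END_OF_SUPPORT):
    """Hosts whose OS the vendor no longer supports as of `today`."""
    return sorted(h["mac"] for h in observed
                  if h["os"] in eos and eos[h["os"]] <= today)


def find_stale_hosts(observed, today, max_age_days=MAX_PATCH_AGE_DAYS):
    """Hosts not patched within the policy window; never-patched hosts count as stale."""
    stale = []
    for h in observed:
        last = h["last_patched"]
        if last is None or (today - last).days > max_age_days:
            stale.append(h["mac"])
    return sorted(stale)


def assess(inventory, observed, today):
    """Run all three checks and return the findings keyed by category."""
    return {
        "unknown": find_unknown_hosts(inventory, observed),
        "unsupported": find_unsupported_hosts(observed, today),
        "stale_patches": find_stale_hosts(observed, today),
    }


if __name__ == "__main__":
    findings = assess(INVENTORY, OBSERVED, date(2019, 12, 1))
    for category, macs in findings.items():
        print(f"{category}: {macs}")
```

Run against the sample data it flags the rogue Linux box as unknown, the Windows XP scanner as unsupported, and three hosts as outside the patch window. In practice the observed list would come from your DHCP server, switch MAC tables or a vulnerability scanner, and the point is that none of those checks is possible until the inventory on the left-hand side exists and is kept current.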

The Government Should Be Held To A Higher Standard

This underlines the sorry state of cyber security in our own government, which puts the information of every American at risk. The data these agencies hold is hardly new, and it has drawn cyber criminals like flies to honey. That these agencies did not comply with the standards set for them, not only by Congress but also by ordinary best practice, is worrying, and had they been a regular business these same findings would have been major PCI compliance failures. A regular merchant would have fixed these issues years ago or gone out of business.

Beyond the embarrassment, very little seems likely to happen to those responsible, especially since many of them have since moved on. It is good to be working for the government. Let's hope that these issues have been fixed or are being fixed; the safety of everyone's information depends on it, and we hope the agencies not named in the report take it to heart as well. If only the government could be held to the standard of PCI compliance too. Don't be the government: maintain your own PCI compliance.