This morning, Aerosmith's Make it (Columbia Records, 1973) plays and replays in my mind. The lyrics of note are
"You know that history repeats itself
What you just done, so has somebody else"
Most everyone involved with computers and with a glancing acquaintance with cyber security remembers the Target attack a decade ago. As reported by Red River, it was one of the largest security breaches as of that time. The retailer's system was breached and "cybercriminals were able to steal 40 million credit and debit records and 70 million customer records." For those unfamiliar with numbers, that is what we refer to in the computing world as "a lot."
The miscreants in that attack did not mount a brute force attack on the retailer itself. They focused instead on "a third-party vendor." Red River notes that
"Third parties are most commonly compromised because they typically aren’t as well-secured."
There are a great many potential third-party vendors out there. The old proverb holds that "the chain is only as strong as the weakest link." That reminds me of a time we used a truck to pull a tractor trying to free a bulldozer, but that is a different story altogether.
A 2023 recap highlighted the 7 most infamous instances of cloud breaches. The article includes names like Facebook, Alibaba, LinkedIn, and Toyota. These are relatively large companies with significant sophistication. The breaches are said to have affected billions of records.
The threats of cloud storage and third-party vendors are old news (ye olde denial "it can't happen to me" nonetheless soothes and assures a great many who have nowhere near the sophistication or experience).
That is not to say that IT professionals don't think about these breach issues. There are a multitude of issues facing the IT world for 2025. Anyone with data is implicated. One site provides several concrete concerns for the IT professional but summarizes
"From the advances in Artificial Intelligence (AI) to outdated hardware, poor strategic planning and spending, cloud confusion, and new cyber threats, the numbers of IT issues are multiplying."
Gartner notes that risks include "surface expansion," or the breadth of places that can be attacked; there is mention of "clouds" (other people's computers), social media, and more. It notes more of the organization needs to be involved in IT security decisions. Security efforts must be holistic, as traditional threat training is "ineffective." Human error remains a major threat. Decreasing the number of vendors is also mentioned. The advice is relatively simple. Too simple? Unfortunately, none of this is new.
It would be naïve at best to believe the cyber world is a safe place. The Workers' Compensation Institute produced cybersecurity programs twice in the last ten years. As a result, I did much research and writing; see It Can Happen to Everyone (July 2021) for the topic and links to various posts I authored on cybersecurity.
The topics were compelling, the speakers were outstanding, and the attendance was disappointing. At the peak, these sessions attracted about 100 attendees. And many I questioned about their absence expressed that they had no concerns about hackers, extortionists, and worse. Those who accept blissful ignorance as a plan will likely find impacts and headaches in their future.
The inattentive learned another hard lesson in December 2024. The federal government would be expected to be a leader in safeguarding data. In fairness, it is also likely an attractive target. However, Reuters News recently noted that the U.S. Treasury Department had suffered an attack from miscreants. The officials there are blaming China for the attack, and characterizing it as "major."
True to the lessons not learned from the history of vendor hits, the Treasury says that one of its vendors was compromised. Did anyone else ever hear the old Girl Scout camping song: "Second verse, same as the first, a little bit louder and a little bit worse." Apparently, the good folks at Treasury never did. Ya know what they say about those who fail to learn from history?
The breach at Treasury led to the disclosure of internal documents. That is similar to Target. However, the concern is larger at Treasury. The vendor breached, which led to the Treasury, was a supposed cybersecurity expert: "The hackers compromised third-party cybersecurity service provider BeyondTrust." The guard hired to protect the castle got breached? The expert hired to prevent harm led to harm?
The bad actors, Chinese or otherwise, were "able to override ... security, remotely access certain Treasury DO (Departmental Offices) user workstations." That is not news. Cloudflare and others note that there are security risks with such Remote Desktop Protocol (RDP) paradigms. They and others voice enthusiasm for the convenience of letting "employees access their office desktop computers from another device."
By allowing all of its employees to have RDP, an organization roughly doubles the "surface" of potential attacks. Transmitting across the Internet may compromise data and security as the "man in the middle" has the potential to access information in transit, despite efforts at encryption. Double the transmissions with remote work, and the chances of intercept only increase.
The incident at the U.S. Treasury immediately teaches some reasonably simple lessons.
First, the most sophisticated cybersecurity experts are not able to unequivocally prevent breaches of RDP.
Second, those who place their reputations and clients at risk with such tools as RDP are taking a significant risk.
Third, the risk remains no matter how sophisticated the entities are with whom you take this risk.
Fourth, increasing surface area and transmission frequency with data is fraught with increased risk of breach.
One of the key points of the WCI Cybersecurity program that I moderated is that "costs" come in many forms. The speakers there were unanimous on this point. They suggested that a cyber-breach might result in:
- Loss of access to your network (ransom).
- Loss of control of your data (theft, potential ransom demand to clients).
- Financial loss due to ancillary impacts on your clients.
- Detriment to customers or partners.
- Loss of reputation as hackers communicate with clients or public.
Risk, risk, risk. There are a multitude of ways that hackers can damage the business and even ruin the names of those who run it. Every lawyer, doctor, nurse case manager, and employer should be wary of hackers. Though individuals are a less likely target (a business holds data about many people, all reachable in a single breach), there are those who attack individuals also. Every worker should be aware of cybersecurity, the protection of devices, and the vulnerabilities.
The potential for breach impacts every element and component of the workers' compensation community. Every employer, every worker, and everyone that any of them touches.
Potentially, there will be fallout from the bureaucratic inadequacy that afforded vendor-based remote access at the Department of Treasury. There is some chance that jobs will be lost because of the "major" event there last month. Undoubtedly, there will be responses. I suspect these might include:
- We hired the experts, and "they" messed up.
- This was unprecedented and could not have been foreseen.
- No one can completely forestall a state actor like China.
Nonetheless, some may struggle to accept that such a breach could occur. They may ask why an entity would even need RDP. Is the purpose to facilitate "remote" or "hybrid" work? Is there a compelling reason for such remote work? Or is the worker convenience a nicety that simultaneously creates convenience for both the employee and the hacker?
The bottom line is that risk spreads over computers. The very wonder of computers is that they can operate rapidly, repetitively, and efficiently. Those very strengths for productivity are equal and opposite weaknesses for security. There are risks, benefits, and perhaps a necessity of balance. The chore of every professional and manager will be to assess the first two carefully and adopt a workable balance that fits the organization, professional, or situation.
I recall when the AIDS crisis broke upon American shores in the 1980s. There was fear, but also some degree of cavalier disregard for risk. It was common for lectures to refer to the infection risk with a reference to "partners." Their hypothesis, frequently proven correct, was that engaging with any amorous partner was the equivalent of engaging in such relations with everyone that that person had previously had such amorous contact with.
If you must connect a computer, then the benefit is 100%. Perhaps a corresponding 100% risk of infection is a risk that has to be taken. If the risk of infection is 0% (fictional but as illustration), then perhaps a benefit of near 0% justifies hooking your computer to every other machine you can find. But, neither of these is realistic. Realistically, the analysis for each of us will fall between these two.
The challenge is both broad and deep. There are people in this world who are bent on destruction, theft, and mischief. They have been a threat for many years, and just as the internet, email, artificial intelligence, and now quantum chips will bring great efficiency and benefit to us all, they bring power and enablement to the hackers as well. The world is in a constant state of flux as the miscreants and the protectors/rescuers persistently strive to outdo each other.
And we, one and all, are at their mercy. The only tools at our disposal are knowledge, common sense, and careful attention to our own lives and business(es). There is no absolute safety nor hopeless doom. There is only balance, and you can decide your own perceptions of risks and benefits that suit you, your needs, preferences, and frivolities.
But, no matter what, don't forget Aerosmith:
"You know that history repeats itself
What you just done, so has somebody else"