Congressional Budget Office Still Reeling From Cyberattack
- da610
- Dec 3, 2025
- 3 min read

I want you and your business to take every precaution against cyberattacks, which is why I do everything I do to help you with that.
But if you have had a breach, I don’t want you to feel like a schmuck over it. After all, the Congressional Budget Office is still struggling to come back from an attack that hit it last week.
If the U.S. Congress isn’t ready for a cyberattack . . . er, come to think of it, maybe we shouldn’t be too surprised. It’s a big, high-profile target and it’s entirely possible cybersecurity is not their expertise.
The CBO is an arm of the legislative branch that analyzes spending bills for their long-term impact on the debt and the deficit. Its methods are often criticized, but the bottom line is that they give the members of Congress a report purporting to show what the long-term impact of any spending proposal will be.
You might hear: “The CBO projects that Spending Bill X will add $400 billion to the deficit over the next 10 years.” Senators and representatives take that analysis into account when they’re considering how to vote on bills.
So what happened?
The reporting hasn’t explained the exact nature of the threat, but it did say they suspect a foreign actor, and they’re warning CBO employees not to share sensitive information via email, Zoom or Microsoft Teams.
And with the attack now a week old, the hacker still isn’t out.
That’s kind of astonishing. Most competent cybersecurity consultants are prepared to take multiple steps to limit an attacker’s penetration of a system, and can enact certain measures to shut down the attacker’s continued access once it’s known that the attacker is there.
If the CBO has known about the breach for a week and they still haven’t gotten the attacker out of there, it’s either an extremely sophisticated breach – or the cybersecurity team at CBO is extremely incompetent.
Now you might wonder: Doesn’t the federal government have access to all the most sophisticated technology to protect against something like this? Of course it does. It has an entire agency – the Cybersecurity and Infrastructure Security Agency (CISA) – which is part of the Department of Homeland Security and whose entire job is to identify threats and teach people how to guard against them.
But even well-known tools like CrowdStrike and Microsoft Defender can’t guarantee an employee won’t be fooled by a phishing email, or that someone won’t inadvertently download malware.
Oh, and all the best security platforms in the world won’t protect you if you’re not keeping up on patching your vulnerabilities – which has to be done on an ongoing basis.
I often warn companies that one of the most basic things you can do is to correctly configure DMARC records. I don’t know if the CBO has done this or not. If it didn’t, and that’s how this happened, it may be the facepalm of all time.
Now, the lesson you take from this could be: “If the federal government can’t stop a cyberattack, what chance do I have?”
But that would be the wrong message. You can make a decision right now to do the things the federal government clearly didn’t do. You don’t have nearly as many points of vulnerability as the feds do, so it’s a manageable process if you get serious about it quickly.
I can help. Call me at 616.217.3019 or email dacarey@cybersynergies.io.