continuityfocus.com


What to expect when you’re not expecting (a security breach)

February 5, 2016

2015 was another difficult year for cybersecurity practitioners and organizations working to defend themselves against an increasingly innovative, aggressive, and situationally aware set of adversaries. Large breaches made headlines, while many individuals and smaller organizations were victimized by well-monetized crimeware[1] (especially ransomware[2]) and various email and other online account compromises.

We see susceptibility to social engineering, unpatched (vulnerable) software, and a lack of executive support for security initiatives rank as our clients’ greatest information security obstacles. Nearly all security professionals we speak to point to organizational challenges, namely the lack of executive buy-in, as their greatest concern. Spoiler alert: we wrote this post to try to get more executives engaged.

We often see how surprised (and angry) non-technical business leaders are at the state of their organization’s information security posture after a breach or audit. They honestly felt that “someone was taking care of it” and that their security was “good enough.” This gap can only be addressed by executive involvement, as most executives will make appropriate security decisions if they have the relevant information and take the necessary time to understand the situation.

While more organizations seem to be recognizing the relationship between resource allocation, management involvement, and security outcomes, the shift seems to be a day late and about $15 million short.[3] (Read the footnote if you think $15 Mil was an arbitrary number.)

In trying to find ways to draw (or drag) more business leaders into the conversation, we’re advocating that all organizations take the time to develop (and/or refine) their incident response playbook. This exercise has value for both the IT security organization and the executive team.

Defining roles and responsibilities is important in this process. A scenario-based walk-through of a significant breach often highlights skill and technology gaps, hopefully giving the organization a window of time to build an effective incident response capability in advance. The IT security team needs to have a plan for how it will detect, contain, and recover from security failures. The executive team needs to be emotionally, financially, and legally prepared to explain the situation to various stakeholders and defend the organization against a second wave of attacks. Customers, partners, employees, and other parties that may have suffered losses due to the organization’s security failure will likely have some involvement in the post-mortem. This process often plays out in the media as well as the courtroom, so all parties need to be prepared to publicly defend their decisions.

If you don’t expect to experience some type of security failure, you’re just not paying attention.

Expecting to suffer a security failure is not defeatist. It’s a sign of intelligence and humility. Some security failures involve a minor inconvenience: a teachable moment that was promptly contained. Others escalate into breaches that have catastrophic consequences for your career, your organization, and the public you serve.

Having and setting the right expectations is an important tactic because, while some level of failure is inevitable, the scope, cost, and recoverability of that failure can vary greatly. Aligning executive expectations to the realities of the organization’s security posture and incident response capabilities is an effective way to engage them in the process and increase their level of support for IT security initiatives.

Stay safe and feel free to reach out to us with comments on this article or questions about Information Security in general.

[1] A class of malware designed to carry out cybercrime.
https://en.wikipedia.org/wiki/Crimeware

[2] A type of malware that restricts access to a computer or data until the victim pays a ransom.
https://en.wikipedia.org/wiki/Ransomware

[3] Average annualized cost of cybercrime per organization, according to the Ponemon Institute 2015 Cost of Cyber Crime Study.
http://www.ponemon.org/library/2015-cost-of-cyber-crime-united-states

 
