Security

Data breach lessons: How to rewrite rules

Lessons learned from a data breach -- embarrassing publicity and all -- are sometimes the most enlightening because they show you how to fix security holes

As embarrassing and costly as a big data breach might be for an organization, many security professionals will tell you such an incident can be good news in the long run for a business's risk posture. Sometimes even after numerous warnings from security and risk advisers, the only way for senior managers to sit up and pay attention to a set of risks is to have an incident from that risk detailed blow by blow in the business press.

"Once an organization has gone through all that pain, they're forever changed," said Lucas Zaichkowsky, an enterprise defense architect at AccessData. "Your whole outlook changes."

 For all of the problems that breaches bring, they also present a learning opportunity and potential for developing better processes that improve the day-to-day effectiveness of IT security. But that growth can occur only if organizations spend the time to thoroughly analyze the event to find the fundamental risk factors that contributed to a compromise.

 "If you haven't taken the time to figure out what's wrong in your program or your technology, then it's pretty natural that it's going to happen again," says Vinnie Liu, managing partner for security consulting firm Bishop Fox.

Unfortunately, some organizations today tend to engage in a type of whack-a-mole brand of incident response, responding to breaches and malware outbreaks only by cleaning up systems affected by the incidents but never delving into root causes, says James Phillippe, leader of threat and vulnerability services for the U.S. at Ernst & Young. Meanwhile, he says, "the root cause -- weak network controls, poor user education, weak policies, or perhaps improper architecture configurations -- will persist."

On the other end of the spectrum, many organizations recognize that they can't simply clean up systems after a breach and carry on as before. But because they react quickly without analyzing why things went wrong, they end up wasting a lot of money. And then they still end up breached again.

"I think a lot of recidivism stems from the knee-jerk reactions," Liu says. "You see something wrong, you buy a bunch of tools, you drop them in place, and you think you're safe."

This is why leveraging a breach for more executive buy-in, budget, and meaningful change requires you to use that event "in a balanced manner, not in a panic attack," says Robert Stroud, international vice president of ISACA.

Once a thorough post-mortem is done, he recommends either using an existing risk model or developing a new one and running the operational and financial impacts of the breach outcome through that model to understand how that changes risk calculations. From there, an organization can more clearly understand if it needs to only change a few controls, or if it needs to make a major overhaul in security processes.

"More often than not, we see organizations go, 'Hey, we've got to do something about that, let's just do it,' and they start executing immediately," Stroud says. "Organizations will go without any assessment, and spend significant money on potential vulnerability without any understanding of the business impact or risk exposure, potentially costing their business significant money. It might be more money than the risk itself."

 As the experts have explained, establishing the new normal following a breach is going to take post-mortem analysis, and it's also going to require changing risk models. But, more significantly, it is going to involve sustained investment. The cost of upping the security game is easy to overlook amid all of the more picayune line-items of breach response, but process improvement should be part of the overall response budget once a breach has come to light.

 "People talk about overlooking the cost of credit monitoring, reporting, fees, and things like that," Liu says. "But from what we've seen, I think some of the biggest investments that have to be made over the long term following a breach is for changing process."

 

About Author

Ericka Chickowski

Ericka Chickowski is an experienced business and technology journalist who specializes in coverage of IT security, regulatory compliance, business alignment, project management and IT employment.

In addition to her work for Dark Reading and InformationWeek, Chickowski’s perspectives on technology have appeared in a number of trade and consumer magazines, including CIO Insight, Baseline, Entrepreneur and Consumers Digest. She has covered the IT security industry extensively over the last six years, gaining particular insight and expertise while working as the West Coast bureau chief for SC Magazine. Chickowski graduated with a B.A. in English from the University of Washington and currently resides in San Diego. Readers may contact her at ericka@chickowski.com.

comments powered by Disqus

Subscribe for Newsletter

Stay connected to the best business technology content every week. Subscribe to our daily newsletter now!

Slide Shows

Upcoming Webcast

Business Models in the Black Market

Join RSA for this upcoming webcast as we take a deep dive into the latest business models in the black market. By attending, you will learn about: The latest cybercrime training services being offered to new fraudsters, The alliances being formed across various underground forums and its impact New economic models being applied for payments and cashout among cybercriminals Speaker: Eli Marcus Senior Writer, Fraud Action Knowledge Delivery team, RSA Date & Time: July 31, 2014, 3:00pm India Time