by Rocco Grillo
Managing Director – Leader, Protiviti’s Incident Response and Forensics Practice
The recent uptick in retail data breaches is significant for all companies in a couple of important ways. First, it is important to point out that some of these highly publicized breaches have occurred at companies that were “PCI compliant.” Second, just when it appeared that the breaches had become as widespread as one could imagine, the list of additional companies falling victim has kept growing, with no end in sight.
Furthermore, law enforcement investigators have indicated that there are many other organizations that have been compromised – the only difference is that they don’t know it yet.
It’s becoming painfully apparent that there is no such thing as penetration-proof data security. It’s no longer even enough to assume that you CAN be breached. We advise companies to conduct exercises that simulate a compromise that has already occurred, and to focus, going forward, on how to address vulnerabilities and minimize the damage through rapid detection and response – both in containing the breach and in communicating with customers, employees, shareholders and the media.
In addition to identifying potential areas of compromise, organizations need to move from a reactive incident response plan to a “proactive response” to potential compromises. This should include enhancing response plans, testing them through simulated tabletop exercises, conducting simulated forensics investigations to determine “the unknown,” and ultimately having partners aligned in advance of a potential attack or compromise.
That’s not to say that vulnerability and penetration testing aren’t important. It’s critical for organizations to understand where they are vulnerable and establish strong security processes and measures to ensure data remains safe.
But as we explain in our Point-of-View paper, High-Value Targets – Retailers Under Fire, security is a lot more than having a strong firewall. It must be applied to all layers in the organization, not just the “outer shell.” The right security best practices can identify and disrupt a cyberattack at the perimeter and also prevent a data breach, even if the attacker gets past the first layer of defense.
It’s frightening to consider how many companies are still relying only on fixed-point-in-time data security methods, such as penetration testing. As we found in our just-released 2014 IT Security and Privacy Survey, many companies don’t even have a written incident response plan. Among those that do, many have plans that are out of date or immature, and too few rehearse and drill them to perfection through tabletop exercises or simulated forensics investigations to help address the all-too-common questions coming from the board: Are we prepared to respond to an attack? Are we secure?
This is akin to a football coach who devises a trick play and tells his players all about it, but neglects to have them run the play at practice. Imagine the chaos that would ensue if they decided to run that play in a big game. Needless to say, the fan base would not like what they see!
Practice makes perfect.
Going forward, we need to assume that breaches are inevitable. I’d go so far as to suggest you assume that your organization has already been breached. That assumption puts you in immediate response mode and adds urgency to subsequent efforts to address the issue. Believe it or not, many organizations don’t figure out that they’ve been hacked until weeks, or months, after the intrusion.
Given the ubiquity of data breaches, organizations are going to be judged not by their ability to prevent an attack, but by the speed and efficacy of their response.
You have your board’s attention and directors want to know: Are you ready to respond? Are we secure? Are you sure? How do you know? If any of these questions give you pause, it’s time to up your game. The bad guys are more sophisticated in their attack techniques than ever, and with the holidays ahead, we’re entering the busy season for data theft. It may give “Black Friday” a new meaning in the retail industry.