Life After an Attack

Paul Zimski

Hackers never sleep, as Citigroup can attest: its consumer information was hacked twice in a span of only three months. While we are counting sheep, the bad guys are looking for a way in, lurking and waiting for a vulnerable minute to strike. All too often, this happens to organizations that have already fallen victim before, a little like rubbing salt in an open wound.

So what actually happens when the bad guys finally "strike gold" and are able to compromise your security? Where does this leave you? And perhaps most importantly, what can you do to ensure that you won't fall victim again?

After a fraudster's initial attack, you may start to panic, but don't. Remember, more companies will experience a hack than will not. Chances are good you will be left bewildered, with sentiments such as "Why us?" or "I thought we were completely safe." If you don't feel this way, your higher-ups most certainly will, and so will your consumers, media and employees. Their questions and concerns won't stop coming. To respond immediately to these concerns and, obviously, to lock down where the breach occurred and make sure it doesn't happen again, it's important that you have an incident response process in place.

I'm guessing you already have an incident response plan in place. That's great: keep it.

But as was the case with Citigroup, where attack number two was completely unrelated to attack number one, swift incident response isn't enough. Yes, you need to close that hole and, further, ensure the same thing can't happen again. But to prevent other kinds of future attacks, you need more than that. You need proactive risk management across your enterprise.

Typically, this process starts with a high-level evaluation of the business itself. Without a solid understanding of your core business processes, and without identifying the IT assets, sensitive data, personnel and facilities that are potentially at risk, you won't have a framework for determining where your risk lies. It doesn't really matter what fancy security technologies and processes you have in place if you are haphazardly applying them to the wrong business interests.

Once you understand the actual elements that comprise your business and their general criticality, it's important to look at the operational and security processes you already have in place. Do you have an effective patch management process? Are your deprovisioning processes ad hoc, so that departed employees and contractors keep working credentials? Where is there room for improvement in what you've already got? These are usually the areas where the most impact can be made from a risk mitigation perspective, not necessarily investing in new technologies.

Another area to examine is third-party vendor standards. Most organizations are a nebulous web that includes many third-party contractors and consultants whose IT security standards might not be up to par with those of the parent company. This ultimately leaves both the parent company and the third party open to potential attacks, similar to what we've seen happen time and again when organizations are targeted multiple times.

Finally, once you have examined all of the above, the practical exercise of aligning your security budget with the areas that are most at risk is a necessary one. This optimization ensures that any new investments you make are the most effective ones.

An incident response plan is obviously critical. But even more important in the game of prevention is comprehensive risk management. Think of it this way: if someone breaks your window to enter your house, you should absolutely repair the window. But to really prevent someone from robbing your home, you should also strengthen the locks on your doors and install a security system.
