Hopefully between the latest compliance requirements and NIST framework recommendations, you have come to the conclusion that you should be monitoring your network for threats 24/7/365. But what will you do if you detect one? Here are several examples of what NOT to do:
1) Don’t ignore the warning signs. Home Depot’s Senior Architect for IT Security had previously been convicted of sabotaging a former employer’s network. Several Home Depot employees have testified that they were concerned about lax security controls and processes and had requested additional training and equipment. Target’s threat detection tool flagged the intrusion, but the internal IT security team chose not to investigate it immediately. A detection that nobody acts on is no better than no detection at all.
2) Don’t forget to consider the cost of inaction. Home Depot’s breach exposed over 50 million payment cards, and its reported breach-related costs for the 3rd quarter of 2014 alone were $43 million. Target’s breach-related costs had reached $162 million as of February 2015. Postage alone for the required notification of affected members was over $40 million for the Anthem breach, and HIPAA penalties for violations involving “willful neglect” are capped at $1.5M per year for each violation category, with settlements as high as $4.8M to date. Even for small businesses, the fines for failing to meet PCI compliance start at $5,000/month and can reach $100,000/month for continued non-compliance with the latest requirements.
3) Don’t make claims of security that you can’t back up. Code Spaces, an online code repository for developers, is the poster child for this mistake. After an attacker broke into their Amazon EC2 control panel and made extortion demands, the company simply changed the password on the compromised credentials. Unfortunately for them, the attacker had already created additional login credentials for the account and immediately deleted all of their data and backups. Resetting one password does not revoke the other users, keys or sessions an intruder has created, and backups that live in the same account and are reachable from the same console fall with it. So much for the company’s website promises of “full redundancy” and “code duplicated and distributed among data centers on three continents”. The fallout from their customers resulted in closure of the company within 12 hours of the attack. Test your disaster recovery and incident response plans to confirm that they will actually protect you in a real incident, including the case where the attacker holds administrative access to the same environment your backups live in. And don’t forget the questionnaires you likely completed for your commercial insurer and/or top clients. Providing inaccurate information about your cyber security opens the door to denial of claims for damages caused by a breach, and to lawsuits if that misinformation exposes data entrusted to you by others.