Imagine the scenario: Your network has been penetrated and sensitive data has been exposed. From a public relations mess, to an expensive forensics analysis, to improper handling of breach notifications, to those affected — everything that could have possibly gone wrong has taken place in the aftermath of the breach.
Soon thereafter, your clients and business partners discover what was going on and you end up getting sued. The expert witness for the plaintiff’s attorneys has provided guidance as to what could have been done to prevent this data breach — the systems and controls that should have been in place — as well as how things should have been handled once the breach was detected.
The plaintiff’s legal team sends over document requests asking you to produce the following:
• your security policies;
• your security standards for passwords, secure software development practices, data encryption and security vulnerability testing;
• security procedures including your security incident response plan;
• network diagrams, information flow diagrams, and information classification documentation; and
• security awareness plans including attendee lists and/or electronic training/testing records from the past year’s education sessions; and the latest information security assessment report or audit.
Are you prepared to produce such documents? This is likely the least painful part of the process. If the legal proceedings get to the point of tough questions being asked in interrogatories, depositions and possibly even a court appearance, a seemingly simplistic lack of security can weigh heavily on you and your business if you are not prepared.
Do not take this the wrong way — I am not trying to sensationalize this risk, but I also don’t want to trivialize it. I am seeing these very scenarios in my work, and the reality is, you likely have security flaws on your own network — in your Web applications and databases and on your mobile devices — at this very moment. Furthermore, lawyers are becoming more savvy regarding IT and information security issues, so the likelihood of such an issue continues to grow. The question becomes not if, but when are the security flaws in your environment going to be uncovered? Will the exposure be an inside job? Will the flaws be uncovered by random or targeted attacks from the outside?
Data breaches are a common occurrence in businesses just like yours. Simply look at the Privacy Rights Clearinghouse’s Chronology of Data Breaches at www.privacyrights.org. More than 500 million sensitive records have been exposed in the United States in the past six years alone. Practically every day, there is something new, and I strongly believe these breaches are just the tip of the iceberg. But there is more to it — what about the breaches that go undetected and unreported? What about intellectual property and other sensitive business information that’s not included in such studies?
As the old Chinese proverb goes, you need to dig your well before you’re thirsty. Think long-term and understand that a data breach or related security incident could end up on your lap one day. This is going to require you finding out where your information systems are at risk and putting the proper systems and controls in place to minimize — not eliminate — but simply reduce the risks. You need to step back and ask some tough questions. In particular: Are we truly doing everything we can to minimize our information security risks? Look at your environment and ask: If our information security was nearly perfect in every way, how would it be different from the way things exist right now? What would you have more or less of? If you look in the right places you will find the right answers.
In the end, you cannot fix — nor secure — what you don’t acknowledge. Nor can you change the security weaknesses you tolerate.