This may be several people, including your CEO, CIO, CISO, IT director, security manager, legal counsel, compliance officer, and HR director. The concept of bystander apathy – where everyone assumes the other guy is going to do something – is rampant in business today. Many people are afraid to take responsibility for information security because their heads are on the chopping block. Look for people who are willing to step up, give them the resources they need, and let them do what they’re good at – which should be communicating what’s at stake in terms that others can understand in order to minimize information risks.
Document response procedures.
In over 12 years of performing information security assessments, I’ve seen two (yes, two) businesses that had a security incident response plan. Like life insurance, seat belts, and other “security niceties” that some consider nonessential, an incident response plan will enable you and your business to detect and respond to security breaches in a much more expedient and professional fashion. Apparently, Target discovered the breach relatively quickly. How quick will your response be?
Decide what constitutes an “incident” (e.g., a malware infection and a subsequent credit card breach), then determine the people involved and the steps that need to be taken to respond properly. An incident response plan won’t prevent a breach, but it will help you minimize the impact of one, and that’s what matters most.
Go beyond your security policies and implement the right tools to bring things full circle.
Most security policies are like New Year’s Resolutions: they’re worthless about 10 days after they’re written down. If you’re going to effectively minimize your information risks, you have to know what you’ve got, understand how it’s at risk, and implement reasonable technologies to ensure everything is kept in check. I suspect we’ll continue to see that Target was remiss in all three of these areas. Most businesses are.
Never ever forget my favorite information security saying: you cannot secure what you don’t acknowledge. In the context of the Target breach, if you don’t a) acknowledge how your vendors treat security and interact with your network, b) know how information flows through your network, c) account for the people and system processes that access large volumes of sensitive information, d) understand what tools are necessary for locking down sensitive information (even if it’s stored in a computer’s memory for mere seconds), and e) proactively monitor your environment, a breach will eventually occur. And, like many breaches today, you may never even know about it until a third party tells you it happened.
Kevin Beaver is an information security consultant, expert witness, author and professional speaker with Atlanta-based Principle Logic, LLC. With over 24 years of experience in the industry, Kevin specializes in performing independent IT security vulnerability assessments of networks, computers, and applications. He has authored/co-authored 11 books on information security including the best-selling Hacking For Dummies as well as Implementation Strategies for Fulfilling and Maintaining IT Compliance. In addition, he’s the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin through his website www.principlelogic.com, follow him on Twitter at @kevinbeaver and connect to him on LinkedIn.