Massive data breaches continue to make the news. The response by firms in the same markets and industries as the latest victim is predictable: a frantic quest to “get secure” before they become victims too. Sadly, this focus on speed over substance is almost as bad as doing nothing at all. Organizations that fear for their digital safety should absolutely take steps to harden their IT enterprises against attack, but rushing to improve security does not mean you will avoid becoming a victim. The fact of the matter is that you are probably already a victim; you just don’t know it yet. The Verizon data breach report - and other reports like it - tells the same story year after year: victims don’t know they are victims for months, and they only find out after someone else tells them.
Regardless of what kind of service provider you engage in your quest to avoid becoming the next news headline, no one is going to get you “secure” in a few hours or days. Anyone who claims to be able to do so is not selling “security,” they are selling “compliance,” and compliant companies fall victim to successful attacks all the time.
None of this means you should do nothing; it means you should not feel you have to do it all RIGHT NOW. Come up with a plan (or dust off the one you have) and execute it smartly:
- Understand what it is you are trying to protect. Do you know what your IT enterprise looks like in the real world? Not what it looks like on a PowerPoint slide, but all the hard, nasty, ugly parts that don't lend themselves to graphic abstraction. It is hard to defend what you do not know you have, or to defend it properly when you think you are dealing with X but are really dealing with Q.
- Prioritize data and vulnerabilities. Not all systems or data in your enterprise are created equal. Losing pricing data is an annoyance when compared to the loss of PHI. A vulnerability that is "critical" per a vendor or vulnerability researcher might not pose a critical risk to your enterprise because of how it is configured or interacts with other systems. Focus on the things that are critical to you.
- Test your defenses and responses. Once you have addressed your vulnerabilities and adjusted your defensive mechanisms (firewalls, anti-virus, etc.), subject your enterprise to a proper offensive test. Not a compliance scan, not some half-***ed pen test. The more comprehensive and realistic the test, the better you will understand what it takes to defend yourself if you are ever targeted by a serious adversary. Lather, rinse, repeat.
Sympathize with your contemporaries across town or across the country who got hacked, but do not shoot yourself in the foot by trying to achieve an unrealistic goal in an impossible time-frame.