Diebold Inc. has a pretty straightforward security business continuity plan when a skimming device is discovered on one of its automated teller machines: It has the bank customer remove the device from the machine and turn the device itself and the ATM video over to authorities.
More security strategy tips
"The key is planning in advance, educating the branches and consumers so they recognize when something isn't right, and then taking the right action," said Chuck Somers, vice president of ATM security for Diebold, a Canton, Ohio-based ATM manufacturer.
Having a business continuity plan checklist in place for security incidents might sound obvious. But Diebold's contingency plan for its customers is more the exception than the rule, according to Laura Koetzle, vice president and practice leader for the Infrastructure and Operations and Security and Risk groups at Cambridge, Mass.-based Forrester Research Inc.
Organizations have tight security policies and technology in place to prevent a security hack, Koetzle said, but a business continuity plan for security is often overlooked.
"It should really be like a business continuity or disaster recovery plan. Just as your people would know what to do when a power outage or hurricane occurs, they should be clear on exactly how to respond to a security incident," she said.
A standard incident response checklist shows IT which systems to shut down and whom to notify, Koetzle said. "A checklist has to show IT the flow of who exactly does what and in what order." Critically important is that everyone is "following the same playbook."
Having a plan has become even more important with the increasing use of mobile devices to carry on company work. Such technology as client-side virtualization helps to lock the data down, Koetzle said, but at the same time, an influx of mobile devices has made the data attack surface bigger for the business.
The best-laid plan for IT is to let the business determine which type of data would be the "most toxic" to the business if it were compromised. Then IT should let the business be its guide as to where security walls should be shored up the most, she said.
In terms of planning ahead, Koetzle recommends that security be made just annoying enough for hackers that they move on to the next target. It might be cruel, but think of it as survival of the fittest. "It's not that you have to run faster than the bear. It's that you have to run faster than the other person the bear is chasing," she said.
Crafting a business continuity plan that minimizes damage
There is another reason why business continuity plans for security incidents are so scarce, said Jeff Schmidt, founder and CEO at cybersecurity consulting firm JAS Global Advisors LLC in Chicago. The breaches that get the most publicity involve large targets, such as Citigroup Inc., RSA Security LLC and Epsilon Data Management LLC. That fact could persuade some midmarket and small businesses that they somehow are immune to large-scale attacks -- an unfortunate fallacy, he said.
"With all the breaches and disclosures occurring in the last two years and with so much data out there now, it's hard not to encounter a scenario in which you become a target, no matter how big or small you are," Schmidt said.
Data is very easily monetized, and most security attacks are crimes of opportunity, akin to a mugger looking for an easy target on the streets, he explained. "It's easy for a criminal to steal 10 to 20 Gmail credentials or employee Social Security numbers off of Wi-Fi. Email, personally identifiable information, all sorts of data have value," he added. "It's not 'what if it happens,' but 'when will it happen' -- and how much damage it does all comes down to the response."
Still, planning for every possible security-breach scenario is not only beyond the means of small and medium-sized businesses, but impossible for them. Schmidt advises that a security business continuity plan focus on two response tactics:
- A customer confidence or public relations course of action.
- Technical counter attack measures.
The classic example of how to respond to a disastrous incident is Johnson & Johnson's response to the Tylenol crisis, Schmidt said. When it was discovered that some bottles of the company's popular pain medicine had been laced with cyanide, it recalled the product and informed the public of the corrective actions it had took.
An example of how not to approach a crisis is the hack that compromised Sony Playstation. "[Sony] downplayed the network compromise and dribbled out bad information that just got worse," Schmidt said.
Customers need to hear from the highest levels of the company about any kind of attack that could affect them. Schmidt recommends a personal message from the owner or CEO to all customers who are feeling the impact of the breach that explains exactly what the business is doing to address it, he said.
An important part of the incident response plan
In fact, because midmarket companies often rely on a small number of key clients, it can be even more crucial for them to have well-thought-out incident response measures. "What I've seen happen is that inconsistent messages go out to the customer. They might find out what's happening from customer support, a sales engineer or security administrator; the wrong information gets out and it gets out in an inconsistent way," Schmidt said.
That fix-it-fast mentality is almost always at odds with a law enforcement or regulatory response.
In addition to the message not being controlled from the top down, another problem is a shortcoming on IT's part: Its instinct to fix a security breach immediately. The problem with this approach is that evidence can be overlooked or even erased.
"That fix-it-fast mentality is almost always at odds with a law enforcement or regulatory response," Schmidt said. He has seen the consequences firsthand. One business was sure the hack had come from the outside, but an investigation later discovered that an internal employee had had a hand in the breach. By the time law enforcement went to take action, the evidence was lost.
"There will be a point in which you'll want to take disciplinary action or turn over evidence, but the data to prove your case will likely be destroyed or at least contaminated," Schmidt said. The best course of action is to have a clear "chain of custody" of the attack in terms of evidence and how that evidence is maintained.
Midmarket companies also should know in advance where they can go to get help in the event of a breach. Midsize utility, transportation, banking and medical providers are industries that fall under the category of the U.S. government's Critical Infrastructure Protection Program. Such businesses can reach out to the Department of Homeland Security (DHS) or the Federal Insurance and Mitigation Administration (FIMA) for help. It's just a matter of knowing who to call, Schmidt said.
"Every city has a local FIMA and DHS representative. If it's a crime, there are also local FBI branches," Schmidt said.
The FBI also has local networking events under its InfraGard program, which sponsors local meet-and-greets and seminars conducted by local, state and federal law enforcement agencies. The U.S. Secret Service's Electronic Crimes Task Force has local contacts, and most city police departments have a white collar or computer-oriented crime division. CIOs should get to know some of these people on a first-name basis, Schmidt advised.
"The thing is to not only know who your local contacts are but to call or meet them before something happens," Schmidt said.