Incident response plans badly lacking, experts say
The Gawker Media breach goes to show that the time to put a security incident response plan in place isn't in the heat of the action.
By George V. Hulme
January 06, 2011 — CSO —
There were plenty of security lessons to be learned from the recent Gawker Media breach. One of the lessons that has been glossed over was the failure of Gawker to have a plan in place to deal with a serious security breach, as the company's chief technology officer Tom Plunkett admitted in his now famous memo:
"First, we never planned for such an event, and therefore had no systems, or processes in place to adequately respond. Our focus as a team (and company) has been on moving forward. This put up blinders on several fronts. As a result, numerous wrong decisions were made by me this past weekend in responding to the security breach."
When a breach of personally identifiable information goes public, whether it involves financial records, private health care data, or several million usernames and passwords dumped on the Internet, it's usually easy to tell which companies had a plan in place and which did not. Generally, breaches at an organization with a security incident response plan unravel (publicly and internally) in a manageable and coherent way: a breach is identified and investigated, and notifications and remediation services (if relevant) are sent to all those affected.
That is precisely how it does not go for organizations without a plan: news stories publish conflicting information, and it quickly becomes clear that the business does not have a handle on the extent of the breach. Everyone starts to panic: the breached organization, its partners, and the affected customers. If the situation is bad enough, even law enforcement and regulators get vocal. Competitors start to salivate.
"It doesn't take long for these situations to fly quickly out of control when companies don't have an incident response plan in place," says Brian Honan, founder of Dublin, Ireland-based information security consultancy BH Consulting and founder and lead of Ireland's first Computer Emergency Response Team.
If Daniel Kennedy, partner at managed security services provider Praetorian Security Group LLC, is correct, more companies than not are flying without any plan at all. "Most firms, even large firms, aren't far along with their security incident response plans," he says. "Some large firms have a plan, but it's filed with the business continuity plan and rarely looked at."
Straight lines of communication
The vast majority of the time, companies learn of breaches from partners, customers and others with which they do business. Those partners, explains David Mortman, contributing analyst at security research firm Securosis, will call whomever the contact is that they have on file. That could be anyone from a high-ranking executive to a product manager or clerk somewhere within the organization. "Once that happens, these things go sideways quickly," Mortman says.