The phone rings, and it’s your information security officer—or worse, law enforcement—with bad news. Your company appears to have experienced a data breach. Information that is protected by law or that belongs to a client has been found on the Internet.
At this point, you are in one of three positions:
• Unprepared. You haven’t been paying attention to information security. You have not received reports, or if you have received them, you haven’t reviewed them.
• Shaky ground. You have received reports and briefings on the state of your security, and you have accepted the information at face value hoping your company’s information assets are secure.
• Ready. You have been briefed regularly on potential weaknesses, you know what your company has done to minimize points of exposure, and you are able to answer confidently.
To get into this last category, ask the following questions of managers who are responsible for technology and operations:
To understand the points of impact, ask:
1. What would happen if you came into work tomorrow and couldn’t get to anything on your computer network? No access to email, client files, financial systems, or HR information?
To understand the probability of an event, as well as how your company’s attention to security may be perceived after an event, ask:
2. Do your employees receive training on how to identify and report a potential security incident?
3. How do employees know how to securely dispose of sensitive, protected or confidential information?
To understand your technical defenses, ask:
4. Where is the most valuable or sensitive information in the company? Who can copy or tamper with that information?
5. Do we use encryption to protect sensitive data on our network, on backup media, in databases and on mobile devices?
6. When I need to send sensitive information via email, how do I do that? (Hint: It isn’t by sending it via regular email. Everyday email is not secure.)
7. What were the results of our last incident response drill?
8. What logging/monitoring is in place? Can an intruder modify the logs? How long is log data retained, and how quickly is it available during an incident response? The majority of data breach incidents remain unnoticed for three months or more, and the mean time to discovery in 2012 was more than 200 days. Accessing log files quickly in an incident is critical to knowing what was and wasn’t exposed, as well as avoiding a “CNN moment” where the world is asking, “Why did they take so long to notify the victims?”
9. When did we last test the ability to restore from backup? It sounds simple, but you would be surprised how often a company has relied upon backup data only to find that it can’t be restored. The daily warning message from the backup server is overlooked, or a false “successful” message is blindly trusted. Ensure that your IT department regularly restores more than a single file from the backup to test its efficacy.
10. Have you had a penetration test, information security audit or vulnerability assessment in the past year?
• Did it include your website, wireless networks and mobile devices?
• What recommendations that resulted from that exercise were implemented, and which are outstanding?
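Item 8 asks whether an intruder can modify the logs. One defensive answer is tamper-evident logging: each entry's digest covers the previous digest, so editing, inserting or deleting any line breaks the chain at that point, and a copy of the final digest kept off-host catches an intruder who rewrites the whole file and recomputes the chain. The following is an added Python example, not code from the article or from IDT911; the log lines, the seed value and the function names are constructed for illustration.

```python
import hashlib

# Constructed sample log lines for illustration only (not from any real system).
SAMPLE_LOG = [
    "2012-03-01T08:00:01Z auth login user=alice src=10.0.0.5 result=ok",
    "2012-03-01T08:02:17Z auth login user=bob src=10.0.0.9 result=fail",
    "2012-03-01T08:02:20Z auth login user=bob src=10.0.0.9 result=ok",
    "2012-03-01T08:15:44Z file read user=bob path=/finance/q1.xlsx",
]

# Constructed seed. A real deployment would use a per-file secret or a digest
# published when the log file was opened.
SEED = "constructed-seed-value"


def _link(prev_digest, line):
    # Each digest covers the previous digest and the current line, so changing
    # any earlier line changes every digest after it.
    return hashlib.sha256((prev_digest + "\n" + line).encode("utf-8")).hexdigest()


def chain_log(lines, seed=SEED):
    """Return [(line, digest), ...] with each digest chained to the one before it."""
    prev = hashlib.sha256(seed.encode("utf-8")).hexdigest()
    entries = []
    for line in lines:
        prev = _link(prev, line)
        entries.append((line, prev))
    return entries


def verify_chain(entries, seed=SEED):
    """Recompute the chain; return the index of the first bad entry, or -1 if intact."""
    prev = hashlib.sha256(seed.encode("utf-8")).hexdigest()
    for i, (line, digest) in enumerate(entries):
        if _link(prev, line) != digest:
            return i
        prev = digest
    return -1


def matches_anchor(entries, anchor_digest):
    """Compare the final digest with a copy stored where the log host cannot
    write (a separate collector or write-once store). A consistent rewrite of
    the whole file passes verify_chain() but still fails this check."""
    return bool(entries) and entries[-1][1] == anchor_digest


if __name__ == "__main__":
    entries = chain_log(SAMPLE_LOG)
    print("intact chain, first bad index:", verify_chain(entries))
    tampered = list(entries)
    tampered[3] = (tampered[3][0].replace("user=bob", "user=alice"), tampered[3][1])
    print("edited line 3, first bad index:", verify_chain(tampered))
```

The retention and availability questions in item 8 are about where these digests and the log lines end up: shipping both to a collector the application host cannot write to is what makes the anchor comparison meaningful during an incident.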
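Item 9 asks that IT regularly restore more than a single file and not trust a "successful" message blindly. As an added example (not from the article or from IDT911), the Python drill below backs up a constructed sample tree, restores the whole archive into a scratch directory, compares every file against a checksum manifest recorded at backup time, and then damages the archive to confirm the drill reports a failure rather than a false success. The file names, contents, archive name and function names are constructed for illustration.

```python
import hashlib
import os
import tarfile
import tempfile
import zlib

# Constructed sample files standing in for a small file share (illustration only).
SAMPLE_FILES = {
    "finance/q1_ledger.csv": "date,account,amount\n2012-01-05,4100,1250.00\n",
    "hr/roster.txt": "alice,engineering\nbob,finance\n",
    "README.txt": "Constructed sample tree for a backup restore drill.\n",
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def create_backup(src_dir, archive_path):
    """Archive src_dir and return the manifest recorded at backup time."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    return build_manifest(src_dir)


def restore_and_verify(archive_path, manifest):
    """Restore the whole archive into a scratch directory and compare every
    file to the manifest. Returns (ok, problems), where problems lists
    ('unreadable', path), ('missing', path) or ('mismatch', path) tuples."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")
                except TypeError:
                    tar.extractall(scratch)  # Python without the filter argument
        except (tarfile.TarError, OSError, EOFError, zlib.error):
            # A truncated or corrupt archive is a failed restore, not a warning to skip.
            return False, [("unreadable", archive_path)]
        restored = build_manifest(scratch)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(("missing", rel))
            elif restored[rel] != digest:
                problems.append(("mismatch", rel))
    return not problems, problems


def run_restore_drill():
    """Constructed end-to-end drill: back up the sample tree, restore and verify
    it, then damage the archive and confirm the drill reports the failure."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "fileserver")
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(src, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as f:
                f.write(content)
        archive = os.path.join(work, "nightly.tar.gz")
        manifest = create_backup(src, archive)
        intact_ok, intact_problems = restore_and_verify(archive, manifest)

        # Simulate a silently damaged backup: drop the second half of the archive.
        with open(archive, "r+b") as f:
            f.truncate(os.path.getsize(archive) // 2)
        damaged_ok, damaged_problems = restore_and_verify(archive, manifest)

    return {
        "intact": intact_ok,
        "intact_problems": intact_problems,
        "damaged": damaged_ok,
        "damaged_problems": damaged_problems,
    }


if __name__ == "__main__":
    for key, value in run_restore_drill().items():
        print(key, value)
```

The design point is that the verdict comes from comparing restored bytes against a manifest written at backup time, not from the backup job's own status message; a drill that only restores one file, or that trusts the job's exit code, would report success on the truncated archive too.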
If the answers you receive are uncertain or raise more questions, ask again, or ask someone else, until you fully understand. After all, the media will be asking you. You’ll need to know the answers, and in the event of a data breach, sooner is far better than later.
Deena Coffman is chief executive officer of IDT911 Consulting.