HBR case study on data breaches
Boss, I Think Someone Stole Our Customer Data
The way Hoff puts it, sounds all too familiar. I can't count the number of times I've heard people talk about their systems and believe they're as secure as can be because they did one, some, or all of the following:
- Encrypted data
- X compliance/HackerSafe
- Disable unused services and close ports
- Penetration test
- Vulnerability scan (No, a vulnerability scan is not the same as a pen test, and an Nmap scan is not a vulnerability scan)
- Code Review
And then you say, "a determined hacker given enough time could break into it anyways." Ah! Should "good enough" be allowed in a security professionals' vocabulary?
Where was the Flayton's computer security incident response team (CSIRT)? The Secret Service was conducting surveillance to try and catch the perpetrator red handed. A competent CSIRT (not affiliated with any of the employees with access to the system) should have been on task right away to realize whether the affected cards was a result of a data breach at Flayton's. I agree with Jay Foley of the Identity Theft Resource Center in San Diego and think the CIO didn't have a grasp of the situation at all, before and after the incident.
CEO: "Are you saying, Sergei, that we're not actually PCI compliant?"
CIO: "We meet about 75% or so of the PCI requirements. That's better than average for retailers of our size."
CEO: "How have we been able to get away with that?"
CIO: "They don't scan us every day," Sergei demurred. "Compliance really is up to us, to me, in the end."
Yah, I think we really need to stop using compliance for needing security and doing security for compliance, and actually start doing security to be secure. A survey conducted recently of 250 CIO's and CISO's states 99% feel more secure this year than last. What??!blog comments powered by Disqus