The Sony Breach "PR Car Crash" - are they alone?

Security-wise

Having worked in the payment card industry for the last decade, the different approaches we've seen can fall into several categories, but the two that we're focusing on here are:

1. Doing just enough to meet compliance objectives. Quite a few businesses in the early days of the Payment Card Industry Data Security Standard focused on just doing enough to satisfy compliance.  In fact quite a few would try to do a lot less.  There are various reasons/excuses why organisations would take this approach (budget, profitability, managment decree etc). These are the businesses that are termed "the low hanging fruit" in the industry.  They are the easiest companies for attackers to hack and extract cardholder data. 
2. Securing the customer data because it forms the lifeblood of the business.  Treating compliance requirements as the minimum level of security that would need to be in place to protect their customer data, these businesses are focused on their security, knowing that complaince will come as a by-product of that effort. Great to work with as they have understand the importance of protecting their customer data, their assets, these organisations are considerably harder to compromise.  Defence in depth, excellent security operation management, management and board-level support are a few of the attributes that are common in these types of organisation.  

Image by Alamy. 

Education-wise

How well do your staff understand data security and the threats to your business?  Our finding is that most orgaisations have a basic level of understanding of data security inherent in their workforce, such as don't write your password down.  Unfortunately very few do a great job of actively educating their staff.  A cyber-security strategy needs to incorporate the end-user as attackers will always look for a chink in an organisation's armour - identifying that weakest link is a lot easier when the organisation's staff are ignorant of the threats to the business.

Management-wise

Management buy-in is one of the most imporant parts of a cyber security strategy.  Ensuring that C-level executives understand the threats to the business (and usually their jobs) is essential in forming an effective cyber-security strategy - thinking budgets, headcount, technology, education etc.  A security manager without management buy-in can be likened to a boxer getting into the ring with one or both hands tied behind his/her back to fight a highly trained and experience opponent - and still being expected to win.  Its unlikely to work out...

Response-wise

Incident Readiness and Response Preparation.  Preparing for the attack and breach of defences is a crucial part of a cyber-security strategy and needs to be taken *very* seriously. We've seen all the headlines this year with all the big names being compromised (Home Depot, Bebe, UPS, Sony, Niemann Marcus, Dairy Queen and a lot more). Let us assure you that it is not only the big names getting hit - it is ALL manner of organisations.  And they are certainly not limited to the US (although with the disclosure laws in the US, we hear about them a lot more).  Our forensic business has had its busiest year yet, with our caseload more than doubling the previous busiest 12 months.  

We believe that every business should be preparing for the day that they have a breach - they need to know what they are going to do to manage the situation, how quickly they react will be critical in defending their business from further damage.

Incident Response Planning

Our experience in the forensic field has taught us that most hacked organisations do not have effective security in place. In addition, very few have even a basic Incident Response Plan in place. They all assume that it will not happen to them.  Unfortunately experience has shown that it does happen to them - and it could happen to your business too.

To assist you in building your Incident Response Plan, we have created a free Incident Response Planning Guide that outlines some of the key steps that an organisation needs to take to build an effective Incident Response Plan.