Most organizations assume a data breach begins when a hacker penetrates their network.
But it actually starts long before — with accumulated bad security habits, badly coordinated mergers and acquisitions, budget decisions that saved on security, and bad choices like relying on outdated equipment or not deploying security patches.
In this way, a breach can be a good thing because it wakes everyone up — it serves as the greatest security awareness exercise possible. When a breach occurs, everyone is interested in information security for a brief duration — from the incident response and mitigation teams to public relations.
In this disaster-movie atmosphere, there’s a need to be rescued. The organization often enlists a team of cybersecurity experts to build attack timelines for the complete incident response. Then there’s the expectation that the infection and adversary will be ejected from the environment and that the crisis has passed.
Back To The Future
During the heat of the initial breach response, internal turf wars temporarily stop, and there is unity and clarity. The company becomes laser-focused on data protection, and budget for security also generally becomes available.
But following this period of heightened security awareness, problems may emerge, and old ways return. There is a limit to how much security can be absorbed into the environment. You might encounter a "gold rush mentality" where the funds allocated for security attract those seeking your business. And for the C-suite, there’s danger in putting a cinematic "The End" on a breach. By becoming complacent and returning to old habits and poor choices, it’s not the end but another potential beginning.
The breach didn’t begin when hackers charged through the door. It started when security wasn’t a priority, or when the company publicly talked about it as an important priority but real support and cooperation weren’t there. It began with the oversights and with the way resources were funded and prioritized, which left out the resources for security and privacy. It may have stemmed from focusing too much attention on compliance — even when those actions actually harmed security by focusing resources on ideas instead of actual capabilities that can assist the defenders. Why? Failed audits can mean lost bonuses for management, while poor security capabilities initially produce only irritation.
How do you prevent another security incident? A first step is to build awareness that you can't have world-class information security without world-class IT. And you can’t protect your organization without decisive decision-making, coupled with conviction about how to manage risks (like visibility gaps, mergers and acquisitions, and observations about incidents).
No one cares about protecting your data as much as your own people. While it’s great to have saviours on call during a breach, what you really need is security experience as an integral part of your organization's DNA for effective incident detection, analysis, and response, and those people should be trained and retained.
Make security a habit and a state of mind across the organization — from the C-suite to every level of the organization. By returning to the status quo, you may be leaving the doors and windows open to your IT environment or a risky cloud migration, where cyber threats could appear again.
Finally, roll all of this up into a three-year security plan, even if you don’t have the budget today. Include strategies that can best detect, disrupt, and respond to a cyber attack — all ideally based on your real observations, not auditors' workbooks.
And include effective plans for coordinated incident response to mitigate damage, along with cross-functional teams for critical steps such as your public response. When it comes to protecting your brand, sales, and customers’ loyalty, you’ll be judged more on your response than on the breach itself.