Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

9/24/2014
04:20 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Incident Response Fail

Fortune 500 companies with incident response teams and plans in place are pessimistic about their effectiveness amid a climate of data breach domination.

Just because you have an incident response plan and an incident response team doesn't mean your organization is ready for a data breach.

Nearly three-fourths of US Fortune 500 companies now have set up incident response plans and teams in preparation for cyberattacks, but only one-third of them consider their IR operations actually effective in the face of a data breach, according to a new study.

The good news is that companies are creating IR plans and teams more than ever: 73% of Fortune 500 firms this year have IR plans versus 61% last year, and 72% this year have formed IR teams versus 67% last year, according to a new report by the Ponemon Institute. The bad news is that most of their C-level and above executives don't feel ready to handle a data breach and its fallout: 68% say their company would not be able to handle negative publicity in the wake of a breach, and 67% say their organization does not know the steps to take after a breach to ensure loss of their customers' and business partners' confidence and trust.

"They are more prepared, but not practiced, in data breach response," says Michael Bruemmer, vice president of data breach resolution at Experian, which commissioned the report on data breach preparedness. "Despite increased awareness, the business leaders who responded [to the survey] are not necessarily confident in their company's response."

Why the long faces? It could well be the constant wave of high-profile breaches -- mainly major retailers -- that has dominated the news this year, or maybe organizations have finally reached the acceptance phase of the inevitability of being breached. "Honestly, I think the Target breach was a watershed moment for those people saying 'it won't happen to us.' It happened at a very bad time for Target--right before Christmas and the holiday shopping season," Bruemmer says.

Target had a large security team, state-of-the-art security tools, but still got burnt. "Data breach preparedness is a team sport, not a compliance exercise," he says. "Just having a plan in place is not enough... It's about rebuilding brand reputation... That is part of the concern reflected in the results of this study.

So why are aren't Target, TJ Maxx, and others sharing their war stories to help the next potential victim?

Radio silence is the common aftermath of a big data breach. "Nobody has been talking about how to handle a breach. I hate to say it but Target, Home Depot, and other companies have been [noticeably silent there]. I haven't seen a lot of 'here's how we handled it, best practices and what we've learned," says Sean Mason, global incident response leader at CSC.

The lack of postmortem discussion is likely due to corporate legal teams urging silence rather than full disclosure. "I don't know if it's a liability thing" for these companies, Mason says. "But the large CERTS and SOCs that are more established and who know their stuff inside out and have gone through battle after battle speak out at conferences," he says.

Lockheed Martin, for instance, went public with how its renowned "kill chain" security architecture helped it detect and shut down an intruder in its network using legitimate credentials, including a stolen SecureID token in the wake of the RSA breach. The attacker used valid credentials of one of Lockheed Martin's business partners, and got caught red-handed when the defense contractor's security tools detected uncharacteristic data access by that user.

[A rare inside look at how the defense contractor repelled an attack using its homegrown 'Cyber Kill Chain' framework. Read How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack.]

Peter Clay, CISO at CSG Invotas, says given that companies that were fully compliant with their industry standards (think PCI) and regulations still get hit, the market is moving toward data protection rather than pure compliance driving enterprise security strategies. "The impact on their business was signficant," Clay says of the retailers that have been hit in the past year. "There are executives losing their jobs."

Having an IR plan in place isn't enough, either. Organizations need to practice deploying incident response plans with regular simulations, akin to fire drills.

"So it's great you have a plan. But a plan is just guidelines... a template. That's not the answer, especially if you don't have people practicing it day in and day out," CSC's Mason says. "We've seen a lot of customers not necessarily asking for help in the IR plan, but on tabletop exercises" for it, he says.

To top it off, there's very little review and updating to existing IR plans: nearly 40% say they haven't reviewed theirs since they created it, 41% have no set timeframe for reviewing it, and 14% say they review theirs yearly, according to Ponemon's report.

Source: Ponemon
Source: Ponemon

Of the more than 560 respondent firms, 43% said they had experienced at least one breach in the past 12 months, up from 10% from the same survey conducted by Ponemon in 2013.

The full Ponemon report, "Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness," is available here for download. Meanwhile, data security will be a front-and-center topic next week at Interop in New York City.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
microsole
100%
0%
microsole,
User Rank: Apprentice
9/24/2014 | 11:22:55 PM
Data Breach Acceptance
I agree with Michael Bruemmer that there has been an increase in data breach preparedness and awareness but where's the data breach acceptance? In my experience some executives still haven't accepted that a data breach may likely occur and some even have difficulty accepting that a breach has occurred. You're on the right track when the CEO knows the data breach insurance policy limits and the data breach attorney and forensics firm's name.
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12346
PUBLISHED: 2019-06-24
In the miniOrange SAML SP Single Sign On plugin before 4.8.73 for WordPress, the SAML Login Endpoint is vulnerable to XSS via a specially crafted SAMLResponse XML post.
CVE-2014-9699
PUBLISHED: 2019-06-24
The MakerBot Replicator 5G printer runs an Apache HTTP Server with directory indexing enabled. Apache logs, system logs, design files (i.e., a history of print files), and more are exposed to unauthenticated attackers through this HTTP server.
CVE-2019-7231
PUBLISHED: 2019-06-24
The ABB IDAL FTP server is vulnerable to a buffer overflow when a long string is sent by an authenticated attacker. This overflow is handled, but terminates the process. An authenticated attacker can send a FTP command string of 472 bytes or more to overflow a buffer, causing an exception that termi...
CVE-2017-17945
PUBLISHED: 2019-06-24
The ASUS HiVivo aspplication before 5.6.27 for ASUS Watch has Missing SSL Certificate Validation.
CVE-2019-10271
PUBLISHED: 2019-06-24
An issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It allows unauthorized profile and cover picture modification. It is possible to modify the profile and cover picture of any user once one is connected. One can also modify the profiles and cover pictures of privileged users. ...