Not too long ago I had this interesting encounter with a CIO in a highly
agitated state talking to someone on the phone while pacing the corridor of a
hotel. He looked up to acknowledge my presence and continued the tirade, his
face changing shades of red I never thought possible. I waited for him to
complete his conversation (more of a monologue) and then asked him the reason
for his state of mind. He stated that the information security of his company
had been compromised and he was still discovering the extent of damage.
Information security has always been one of those investments that are
like an insurance policy every organization takes out to protect itself. The number
of threats has been going up since the internet became intertwined with the
enterprise fabric; with complexity increasing and external attacks rising
in sophistication, solutions have evolved in an attempt to stay abreast of the
game. Security budgets have been rising steadily, and so have instances of
successful breaches at companies big and small.
In the older days of IT deployments, basic anti-virus was deemed
adequate; today security controls encompass almost every device and mode of communication
used by enterprises, partners, vendors, and the corporate road warrior. Even
manufacturing process controls and industrial equipment have been targets of attacks
which left many companies and governments struggling. Every day we hear of new
data compromises, phone taps, and social media sharing agreements leaving
individuals and their shared content exposed to the world.
Surveys and incident reports suggest that a majority of
threats are internal, attributable to recalcitrant employees or contractors;
many organizations have also been victims of social engineering that coerced sensitive
information from gullible staff. Building moats around the castle has thus largely
served as a preventive measure only against the external snooper. Despite this, the
industry, feasting on the FUD (Fear, Uncertainty, Doubt) factor, has continued
to corner the hapless CISO and CIO into making significant investments, though not
without reason, as many attacks and data leaks have shown.
Based on identified security measures and advice from vendors and
partners and in conjunction with his business leaders, my CIO friend had put in
all the available technology at his disposal; audits and other exercises had
declared his enterprise to be secure. He had also followed all the good
practices and undertaken the path towards popular security certification.
Despite all this his fortress had been breached and he was now at the receiving
end, having to justify why all the heavy artillery could not secure the company.
The extent of damage was not too high, with only a few noncritical servers
being breached, but the incident raised an alarm internally. The CIO, in damage control
mode, had to address the issues it raised. A systematic exercise and root cause
investigation revealed that these servers were adequately protected with all
the controls that the security team had put in place. The breach was traced
to a compromised password which had been obtained through social engineering. The hapless
user, who knew no different, had shared his credentials.
All the policies, processes and technology were no match for the human
frailty which exposed the company. My friend controlled the damage as much as
he could and was wondering how to prevent a recurrence of such an attack in the
future. His training courses and promotional material for all the employees
talked about refraining from such behavior; the hackers obviously wielded greater
powers of persuasion. As frustration poured out on sympathetic shoulders, I could
only offer him words.
When information security gets compromised, what should companies do?
Whether it happens due to ignorance inside or brute force from the outside, any
breach can impact company credibility, image, and customers. The resultant
impact depends on the industry, size and position in the market. I believe
that CIOs and CISOs should build in steps for internal and external
communication that are executed without fail. Damage control is as
important as the technology solution; after all, the weakest link in the chain
is human.

I guess everyone is safe and secure till they are broken into! People who understand this are always on their toes reviewing and revisiting security, independent of the pressures of threats translating into actions.

Interesting point of view. Typically the threat/warning of being monitored in itself is a good deterrent for a majority of the population.

At the end of the day technology only makes it easier for users to extract information, and it tries its level best to prevent the same from happening as well. The easiest and probably most prevalent 'theft' of information is that of email and contacts being taken out by employees leaving the organization.
The bigger challenge will always be in terms of managing the fine balance between security and usability. Would love to hear your views on the same.