A Day in the Life in #BreachWorld

It’s chillingly common to wake up to news of another breach and the fallout thereof. Many of us have a designated spot for vendor notifications of discovered vulnerabilities and the mitigations we’ll need to schedule and perform – thank goodness we had plenty of idle time anyway! [sarcasm] While many people can just tut and shake their heads about these things, the people handling technology (and the security around it) have to take a hard look.

The people primarily concerned with the technical side have a set of questions to answer:

  • Do we share the software or system with the exploited vulnerability that hit this company?
  • If so, are we up to date on patches?
  • Are we going to need an emergency window to get up to date?
  • What is the effect of making room for that window in the critical business processes?
  • What is the risk if we put it off?
  • We bought that system a while ago; is the hardware too old to update to the latest? Did we decide not to renew support because we’re replacing it in a month, so we’re not eligible for updates?
  • What’s the risk in rushing the replacement project? What’s the cost of renewing instead and then doing the updates?

If I try really, really hard, can I fit under my desk and hide out until it all goes away? I have water and a granola bar for sustenance…

Even if the answers to all of those (with the possible exception of the physics of desk refuge) are “no”, we’re still not out of the woods. The people concerned primarily with security posture have to run their own analysis:

  • Does that affected company figure into our supply chain somewhere?
  • Am I going to have to review and revise our interactions with them to make sure this doesn’t trickle down to us?
  • Are we going to have to update our answers on our pending security audit to reflect a supply chain breach?
  • What’s our responsibility to notify our downstream supply chain?
  • Can we get away with not mentioning it? What’s the risk either way?

Why did I have to get a glass desk that you can see through? This thing is useless for hiding.

At one layer abstracted from the technology side and primarily concerned about the business side, people have another set of questions to run through:

  • Is that company in our industry or somehow like us?
  • Is this breach going to erode customer confidence overall and lead to customer anxiety?
  • What can we do to soothe that anxiety for our customers?
  • Since the breach didn’t happen to us, should we be proactive or reactive?
  • Is there an opportunity here to differentiate ourselves?
  • If so, how do we take advantage of it?
  • What’s the risk of staying quiet vs. the reward for possibly capitalizing on this?
  • Are we going to make ourselves targets talking about how we’re different?

Hmmm, maybe a thermos of coffee for under the desk?

So much of the world is interconnected these days, in ways both obvious and subtly complex. The number of companies not relying on commercial off-the-shelf hardware and software or open source technology in some direct way is statistically negligible. Even if they do exist, they interact with and rely on other companies who do. Given that intricate and delicate interdependence, it’s hard enough thinking up all the questions you should be asking – but now you have to answer those questions and come up with plans to suit the answers.

Mavenspire loves to come up with all the questions! We love to dig into finding the right answers for our clients and help them plan, both in preparation for what may come and in response to the (sometimes so not) delightful unexpected. We’d love to talk to you about it.

Also, we strongly suggest the inclusion of a candy bar or other self-contained comfort food for any under-desk excursions.

Subverting the famous meditation from John Donne:

No company is an island entire of itself; every company
is a piece of the technosphere, a part of the main;
if a component be washed away by the sea, Microsoft
is the less, as well as if a set of code were…
