Yes, I will mention this post in tomorrow’s seminar on data breach! “Who’s Gonna Get It?”

This is one of my favorite and my most popular posts ever — and you better believe I will find a way to mention it to this group of CEOs to help them understand why it is important to take seriously the data security threat!

Data Breach – Who’s Gonna Get It? | business cyber risk | law blog.

 

“Defense wins championships” when preparing for the inevitable data breach

“The best strategy to manage the inevitable data breach of your enterprise is to be prepared.” -Adam Greenberg, SC Magazine

Exactly–you must prepare on 2 fronts: Defense & Response

In a recent article in SC Magazine, Adam Greenberg marches along faithfully with many of us in trying to get you, the business leader, to appreciate the severe risk that data breaches pose to your business. He starts by repeating the old data breach proverb, “It is not a matter of if, but when,” which readers of this site have heard many times before.

It is now a given that every enterprise either already has been, or will be, the victim of a data breach. It’s just life in the digital age, get used to it.

More importantly, prepare for it. A data breach can be either (1) a catastrophic event that threatens the very existence of your enterprise, or (2) just another adversity that your enterprise faces, manages, and learns from along its journey to success.

The choice is yours and is determined by whether you stick your head in the sand and ignore the risk or prepare for it. The first step you must take is to decide that you will not ignore this threat and that you will prepare for it. This is the most difficult step for many business leaders but, once we get past it, we start making progress.

Preparing for a data breach requires preparing a defensive strategy and a responsive strategy.

Preparing to Defend

-Defense Wins Championships-“Offense sells tickets; Defense wins championships” -Coach Paul “Bear” Bryant Jr.

When we talk about preparing for a data breach, some people jump the gun and start thinking about how they will respond. This loses sight of the primary objective–your duty–PROTECTING THE DATA which, necessarily, requires defending your system.

The top priority for your enterprise is to take steps to assess and strengthen its cyber security posture. Then, the deficiencies that are identified must be corrected (there are always deficiencies). And don’t forget to document the steps that are taken (here is why).

Preparing to Respond

After you have prepared your defensive strategy, the next step is to prepare for responding to the inevitable data breach. Every enterprise needs a data breach response strategy that is documented in a written breach response plan (here is why).

The breach response plan needs to be comprehensive, readily accessible in an emergency, and everyone needs to be trained on their roles in the plan. You can read more about breach response plans here.

Fortunately, this process is not as intimidating as it may sound. The most difficult part is that you must decide that you will make sure your enterprise is prepared for this risk. After you make that decision, a qualified adviser who has helped other enterprises prepare for these situations can guide you through the process.

Learn more about the author’s unique CyberGard–Cyber Risk Protection Program.

 

Source of original article: Plan ahead: Prepare for the inevitable data breach – SC Magazine.

 

Publix hasn’t had a data breach but is already seeking PR help in case it does — good or bad?

Chaos? Plan Ahead!This is interesting. Publix grocery store chain has made the news because of data breach — not because they have had a data breach (though they probably have and just don’t know it) — but because it has been learned that it is sending out proposals for PR help in the event it does have a data breach. The reaction to this is mixed. Some people think it is good but many are taking a cynical view of this move.

What do I think?

Well, thank you for asking!

I like it. First, one of the most important messages I try to preach these days is the need for companies to take the threat of data breach seriously, to prepare ahead of time, and have a plan in place so that all they have to do is execute that plan in the event a breach occurs. Look, I blogged about this just this past week and a whole bunch of times before.

Does the fact that the attention to Publix’s preparation is being focused on the fact that it is seeking PR help in any way diminish this?

That depends.

One of the key components to any breach response and breach response plan is to involve PR to help the company properly “message” their response to its customers to help minimize the overall disruption to the business. If the business crumbles, nothing else matters — the PR side is a key component to this is crucial.

So, if Publix is screening and assembling its PR team in an overall effort to prepare for a breach, that tells me that it is taking data breach seriously [give it a check] and that it is putting resources behind that concern [give it another check], and putting a plan in place to be prepared to respond to the inevitable data breach [give it another check]. This is good — this is what we are encouraging.

What this also tells me, and that I hope is the case, is that if Publix is devoting energy and resources to this kind of preparation, there is at least a decent chance that it is putting energy and resources into actually hardening its data security systems and improving its overall cyber security as a company. If this is true, then this is great — this is exactly what we are trying to encourage!

Now, if my assumptions are wrong and all that Publix cares about is the PR message and nothing else, well, then that is a much different story. If it is, then I really have to question the wisdom of its leadership because what this shows is that Publix is aware of the threat, recognizes the harm it can cause, is devoting energy and resources to it but in a self-centered and careless way, and is making a conscious decision to not correct it — and when that happens, if it has a breach, it just may be the one to get it!

Check out the article for yourself, here’s a brief quote:

Publix operates 1,082 locations in six states across the South and Southeast, and ranks as one of the 10 largest supermarkets by volume. The company’s request for proposals says it “would like to understand how a PR company could provide assistance preparing for, and during a data breach, e.g. advice and assistance with messages.”That could include a “proactive review” of Publix customer relations and “rapid response scheduling in the event of a confirmed breach. Publix prides ourselves in the relationships we build with our customers and associates and as such will require a company with outstanding communications skills and experience.”

via ‘Proactive’ Publix seeks PR help in event of data breach | TBO.com, The Tampa Tribune and The Tampa Times.

Podcast: DtR NewsCast of Hot Cyber Security Topics

I had the pleasure of joining the DtR Gang for another podcast on Down the Security Rabbit Hole and, as usual with this bunch, it was more fun than anything — but I learned a lot as well. Let me just tell you, these guys are the best around at what they do and they’re really great people on top of that!

This episode had the usual suspects of Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst), though James was riding passenger in a car and could only participate through IM. Also joining as a guest along with me was was  Philip Beyer (@pjbeyer).

Go check out the podcast and let us know what you think — use hashtag #DtR on Twitter!

Thank you Raf, James, Michael and Phil — this was a lot of fun!

Gov’t Contractors Must Notify of Data Breach Within 3 days

Is your company prepared to respond to aIf your business is a contractor for the federal government, you had better have your data breach response ducks in a row. The moment you detect a breach, the clock starts ticking and you have only 3 days to notify of the breach. Yes, I said 3 days!

You better already know who your legal counsel a/k/a “breach coach” will be.

You better already know who is on your company’s breach response team.

You better already know who your cyber security forensics and remediation firm will be.

You better already have your PR professional in place.

You better already have your notification vendor in place.

You better already know what information must be in your notifications, depending on the jurisdiction.

You better already know what information cannot be in your notifications, depending on the jurisdiction.

You better already have your cyber insurance in place.

In other words, you had better have your breach response plan in place and be ready to execute that plan within 3 days’ time.

Tick. Tock.

 If you are not prepared, now is time to get prepared. Take the first step by contacting Shawn Tuma and learning more about his unique CyberGard–Cyber Risk Protection Program.

 

Source: Feds to Toughen Up Data-Breach Reporting Rules | Corporate Counsel.

 

Hackers’ Cracked 10 Financial Firms in Major Assault – Russian Officials Involved?

There is nothing new about cyber attacks coming from Russia, however, to actually be able to tie them to Russian government officials — albeit loosely — would be another step. Is this a hunch or do they have something more?

Related: US Indicts Chinese Army Officers for Hacking US Companies

The huge cyberattack on JPMorgan Chase that touched more than 83 million households and businesses was one of the most serious computer intrusions into an American corporation. But it could have been much worse.

Questions over who the hackers are and the approach of their attack concern government and industry officials. Also troubling is that about nine other financial institutions — a number that has not been previously reported — were also infiltrated by the same group of overseas hackers, according to people briefed on the matter. The hackers are thought to be operating from Russia and appear to have at least loose connections with officials of the Russian government, the people briefed on the matter said.

via Hackers’ Attack Cracked 10 Financial Firms in Major Assault – NYTimes.com.

Podcast: CFAA, Shellshock and Cyber Security Research — What the Heck Do We Want?

Today I had a blast doing a podcast on the CFAA, Shellshock, and cyber security research with Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst) — in fact, we had so much fun that I suspect Raf had quite a time trying to edit it!

The starting point for our discussion was a recent article written by security researcher and blogger Robert Graham (@ErrataRob) titled Do shellshock scans violate CFAA?

As I mentioned on the show, when I first saw Robert’s article, I viewed it with skepticism. However, after actually reading it (yeah, I know — makes sense, right?), I found the article to be very well written, sound on the principles and issues of the CFAA — in my view, Robert did a great job of framing some key issues in the debate that definitely needs to happen.

From the article, our discussion expanded to a general discussion of the Computer Fraud and Abuse Act, its confusion as to application to “security research,” and whether it is even possible for Congress to “fix” the CFAA.

I do not think Congress is able to “fix” the CFAA right now for many reasons. However, I believe we pointed out some additional issues that must be taken into consideration during the public debate in determining what we as a society really value and want on these issues. Until “we the people” can figure that out, I see no way for Congress to “fix” this law which means the Common Law method is what we are left with.

Anyway, this post is just skimming the surface — Raf turned this into a really nice podcast so check it out: Down the Security Rabbithole.

Thank you Raf, James and Michael — this was a lot of fun!