The OPM breach is still in the news with updates on the number of individuals affected (which has grown enormously following the second OPM breach), the potential dangers of the hack, and the consequences within the organization (such as the resignation of the director and the CIO). The information still circulating about the incident helps CEOs understand the bigger issues a breach raises when the right risk management measures aren’t in place.
Breach repercussions do not stop at the bad press that continues for months after the incident, nor do they stop at the loss of customers or the dangers that follow a breach, such as identity theft and fraud. Organizations will have to inform all affected individuals of the breach, and this won’t be a simple task, especially since hackers can use the sensitive data they took to reach out to the breach victims and take even more data. This means CEOs and executive teams need not only to notify breach victims, but also to find ways of getting that information to those individuals without aiding hackers in their malicious intents.
The number of individuals whose data was taken plays a big role in how long the notification process will take. OPM, for example, is still updating affected individuals about 40 days after the breach. The longer it takes to identify and contain the breach, the longer the list of breach victims becomes. This is why an organization’s incident response plan is so important: the sooner CEOs can have a security team on the scene to trace the breach and stop additional intrusions, the better.
In addition to spending time and resources on notifications, CEOs may be faced with having to dismiss their security executive and other department directors. Because these individuals were tasked with ensuring the security of the organization’s network and overall enterprise, the tendency is that they are the first to go following a breach incident. OPM is not the only entity where we’ve seen this happen; Target is another perfect example. Changing your executive team at a time when you need their leadership skills and expertise the most creates even more challenges for your organization in fully remediating your network’s vulnerabilities in the least amount of time possible. This is where CEOs can see the benefit of having a trusted external security partner readily available to step in and help.
Replacing your CIO requires your organization to have someone to turn to if you’re going to limit the damage of a breach. The OPM breach is still not resolved, but OPM’s CIO has already resigned, which means they’ve had to turn to someone else to resolve the security issues they’re dealing with. Having a risk management collaborator in place beforehand removes the need to find one while your network is open and vulnerable to intrusion. Studies have shown that such a partnership can better prepare organizations to handle a breach (especially since external security consultants won’t be biased when reviewing an organization’s network and systems).
Finally, as numerous security experts have pointed out, it’s not about avoiding a breach, but about being proactive and prepared before an intrusion takes place. The only way this kind of information security is possible is with a holistic risk management posture. When you take every measure available to ensure your organization has top security experts ready to make continuous monitoring a priority and to tell you what’s wrong with your security posture (not ones who tell you what you want to hear), then you will be prepared to reduce breach damages and costs.
When you care about your organization, stories such as OPM’s are probably not a wake-up call for you, because you are already well aware of the risks and are taking the necessary measures to protect your data. If that is not the case, you have something to think about, and actions to take, if you’re going to avoid OPM’s fate.
What risk management steps are you implementing to secure your business and data assets?
Photo courtesy of alexskopje