No doubt you have heard that 160M credit card numbers were illegally siphoned through an SQL injection hack over a number of years from some large, well-known companies. According to http://www.nbcnews.com/technology/160-million-credit-cards-later-cutting-edge-hacking-ring-cracked-8C10751970 the losses amount to $300M attributable to just 4 companies. More than 4 companies were impacted and the loss number is sure to climb.
This scenario was very close to a tabletop wargame exercise in which I participated while I was an executive at a large telecom company. We developed a scenario and for two hours simulated a week's worth of incidents and actions to counter them. Every five minutes, new information was fed into the wargame (e.g., a notification of a hacker event; 5 minutes later, Visa calls the CFO; 5 minutes later, the hackers send us a ransom demand, etc.).
So, here are a few quick thoughts about the incident.
- Executives have a tendency to isolate concerns and responsibility to only what happens within our direct line of control. This is an unrealistic mindset in an era where companies have many suppliers who process critical business transactions and customers' private information. In the current era of heavy investment in cloud and BI / Customer Analytics platforms that sit beyond our walls, how, and who in your organization, vets the operational and security readiness of your suppliers? Who is accountable?
- Have a look at my Landmine Blog #1: Do no Harm to the Brand (oops!).
- At the companies impacted, newly formed cross-functional teams of Marketing, Legal, Finance, IT, Corporate Communications, Customer Care, Risk Management and the Chief Security Office are collaborating on what to do, what to say, to whom, and when. Wouldn't it be better to figure out who runs these meetings before an incident hits? Do they have an established Crisis Management Team and process?
- These incidents often use well-known exploits and techniques. Do you have a program to educate your coders on how to avoid common security mistakes?
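To make the "common security mistake" concrete, here is an added illustration (not from the original post or from any of the companies mentioned) of the SQL injection flaw named at the top of this post, beside the parameterized query that closes it. The table, rows and lookup functions are constructed for the demo using Python's standard sqlite3 module; the point is that the same user-supplied string changes the meaning of the concatenated query but is treated as plain data by the parameterized one.

```python
import sqlite3


def build_demo_db():
    # Constructed in-memory sample data for the demo; not from any real breach.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (id INTEGER PRIMARY KEY, customer TEXT, last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO cards (customer, last4) VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    return conn


def lookup_vulnerable(conn, customer):
    # The common mistake: untrusted input is concatenated into the SQL text,
    # so quote characters in the input become part of the query itself.
    query = f"SELECT customer, last4 FROM cards WHERE customer = '{customer}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, customer):
    # The fix: the value is passed separately from the SQL text, so the
    # database engine never interprets it as SQL, whatever it contains.
    return conn.execute(
        "SELECT customer, last4 FROM cards WHERE customer = ?", (customer,)
    ).fetchall()


def compare(customer):
    # Returns (rows from the vulnerable lookup, rows from the fixed lookup)
    # for the same input, so the difference is visible side by side.
    conn = build_demo_db()
    vulnerable = len(lookup_vulnerable(conn, customer))
    fixed = len(lookup_parameterized(conn, customer))
    conn.close()
    return vulnerable, fixed


if __name__ == "__main__":
    # A normal customer name: both lookups return one row.
    print("alice ->", compare("alice"))
    # A string containing quote characters: the vulnerable query's WHERE
    # clause is rewritten and returns every card; the fixed one returns none,
    # because no customer is literally named that.
    print("quoted input ->", compare("x' OR '1'='1"))
```

The row counts are what a code-review checklist or a developer training exercise can test against: any lookup that returns more rows for a quoted string than for a legitimate name is building its SQL from untrusted input.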
- What will be the permanent brand and customer loyalty impact to these companies? Time will tell.
- How was the data extracted without tripping DLP (data loss protection) flags? How did the data leave the network? Is the complexity so bad that we have given up understanding who is connecting to our servers?
- Is anyone preparing 3 envelopes?
Mike Ross <TechOpsExec@gmail.com>.
#techopsexec
