Citing a growing threat to corporate security from a wide range of attackers, Ian Lim, director of enterprise security for New Century Mortgage, Irvine, California, spelled out the type and severity of these intrusions at a late-September conference in New York, sponsored by the American Conference Institute (ACI). The event, titled: "Preventing and Responding to Security Breaches," was attended by top-level information security professionals from major national corporations.
"Breaches may come from organized crime, terrorists, hackers and 'hacktivists,'" warned Lim, noting that the last group is comprised of "those out to prove a point and those who are anti-establishment. The main objective is publicity."
Lim, who chairs New Century's Information Security Steering Committee and authored a recently published book, Information Security Cost Management, said that "insider threats" are different today. "We're talking about your extended enterprise--your business partners, your contractors, all the offshore and outsource partners you have."
During the ACI meeting, speaker Stuart Levi, a partner at Skadden, Arps, Slate, Meagher & Flom LLP, New York, recommended that companies draw up--and more important, distribute and practice--an "incident response plan" to deal with security breaches. "This is critical because of the extensive information threat today and the speed with which that information gets around," advised Levi.
But writing a company incident response plan can be daunting, according to Lynn Goldstein, Chicago-based chief privacy officer with JP Morgan Chase & Co., New York. Speaking at the ACI event, Goldstein said, "After looking at what the general [federal] guidance is, it's not quite so easy to write one and put it into actual action."
Once written, though, she says it is imperative to "tell people what the purpose of the policy is." Post-incident activity "is probably one of the most important things you can do," says Goldstein. "Ask: 'What are the lessons learned? Is there any disciplinary action that should be taken?' Communicate your program; if nobody knows about it, it's not a good plan," she declared. "And management support is critical," added Goldstein. "Without that, [the plan] is just a piece of paper."
Oliver Ireland, a partner at Morrison & Foerster LLP, Washington, D.C., and a presenter at the ACI conference, said, "People comply best with rules they understand--those that solve problems they are supposed to solve and contain actions they can [actually take]."
But it is insider hacking that can be most insidious, said New Century's Lim, who estimates it can emanate from "the 10 percent of those who can bypass 90 percent of a company's protection." Said Lim, "You can't secure everything, so focus on high-risk areas--identify, verify, analyze, prioritize and remediate." He added: "Conduct an annual risk assessment in the third quarter of the year. Prioritize risk with your executive management and build remediation plans into departmental budgets."
Lim offered several Web sites to help companies keep up with the "current threat landscape." These sites include Symantec Corporation (www.symantec.com/enterprise/threatreport/index.jsp), the Computer Crime Research Center (www.crimeresearch.org/latestnews), the Privacy Rights Clearinghouse (www.privacyrights.org/ar/chrondatabreaches.htm) and millersmiles.co.uk anti-phishing service (www.millersmiles.co.uk/archives/current).
Also at the ACI security conference, experts discussed what is at the heart of a proper reaction to security breaches--namely, sorting out what has happened and determining what must be done from a legal standpoint, as well as a "damage control" perspective. …