Into the breach for Nasdaq…

Organisations must be ready for a possible security breach, as Tom Brewster discovers

Every organisation should expect to be breached. Cyber criminals don’t care about the size of the target, only whether it is vulnerable and sitting on some kind of tradable data. Yet each incident response strategy will differ.

Take NASDAQ, which was hit by a security breach in autumn 2010, when hackers planted malware on a company server.

Kostas Georgakopoulos, now a regional head of security at financial services firm UBS, had only been chief information security officer at the stock exchange for a matter of weeks when the attack hit. As with any breach, Mr Georgakopoulos and his team had to determine whether it was severe enough to call in law enforcement. It was. Then it was time to bring in the lawyers.

“You really need to have external counsel engaged and there are very good firms who can give you very solid advice,” he says.

They helped to determine how to disclose the issue to regulators and the wider public. Revealing the breach to the press took until February 2011, but it was just a matter of hours before the decision was made to inform the US Securities and Exchange Commission.

For those of us who have actually lived through an incident, it becomes very apparent very quickly just how far security readiness appears to be from the reality

One of the biggest surprises for Mr Georgakopoulos was the level of government involvement, including assistance from the National Security Agency, which helped NASDAQ determine its way forward. He says: “They are very professional in what they do – very thorough.”

A technical response was also needed and this was something Mr Georgakopoulos initiated immediately he learnt of the compromise. If there’s one thing security chiefs come to realise during an incident response, it’s that their existing defences are vulnerable. “Companies may believe they have adequate security controls in place,” he says. “For those of us who have actually lived through an incident, it becomes very apparent very quickly just how far that readiness appears to be from the reality.”

NASDAQ already had an incident response plan in place, which was one of the key reasons it came away relatively unscathed. Surprises were inevitable, but it could fall back on pre-ordained procedures when its time came. “It’s not really an information security programme that needs to be prepared, the business needs to be prepared,” Mr Georgakopoulos adds. “The business stakeholders must be vested in the success of that programme.”

The final piece of the puzzle in a typical incident response programme, if there is one, is the communications response. The PR push following a breach is key to ensuring long-term trust in the organisation. NASDAQ was fortunate it only had to notify a small subset of customers using a single product, making the outreach programme that much simpler.

“We didn’t have to notify 100 million users. We acted very quickly internally and externally to mitigate the risk and the threat,” says Mr Georgakopoulos.

Not all organisations are so lucky. Target, a US retailer robbed of 40 million credit card details in the lead up to Christmas, saw sales decline 5.3 per cent year-on-year thanks to the breach. Its chief information officer resigned soon after.

At least the company has survived to tell the tale. That hasn’t been the case for MtGox, an exchange for the virtual currency Bitcoin. Soon after hackers made off with £300-million-worth of coins, it announced bankruptcy. Sometimes there is no way back from the breach.