Wednesday, November 28, 2012

Failure to Communicate Case Study Review

Samuel Warren
IS472: IT Compliance
Professor Steve O’Brien
November 26, 2012

Executive Summary

Almost every information security analyst is thought to be slightly paranoid, in part because of a willingness to see potential problems everywhere. Not all of them are actually paranoid, but there is a clear need to understand the potential threats to information and to train staff on them. Flayton Electronics, a fictional mid-sized retailer with a small web presence, discovered a major problem: a large number of its customers had compromised payment accounts. There is no easy or fool-proof way to completely prevent data loss; however, communication and business continuity steps provide a way to keep any breach from getting too far out of hand.

Introduction

As long as data has existed, there has been communication, information transfer, and data fraud. Each is approached differently, yet all share details that require care and knowledge to navigate. Within the realm of data fraud, there are numerous required responses to consider, beyond the organizational response and the effect on reputation. The following review discusses the fictional company Flayton’s Electronics, the major data loss it faced, and its response to the situation.

Problem Overview: Flayton’s Electronics

Flayton’s CEO was informed of an alarming discovery by the company’s principal banking institution. The bank reported that a large number of Flayton’s customers had had their cards compromised: in a random sample of 10,000 compromised accounts, 15% had made a purchase at Flayton’s at one point or another. This is worth noting in itself: the first signal that a merchant has been breached often comes from outside, when a bank finds a common point of purchase across compromised cards, not from the merchant’s own monitoring. As the company investigated further, it found two possible culprits and a disabled firewall.

How the firewall stayed disabled was not a mystery: the Chief Information Officer (CIO) was constantly juggling new technology projects and seemed too busy with them to notice a downed firewall. That kind of innovation yields results, but it also brings a risk of oversight; a firewall that is switched off and never checked again is, in effect, not a control at all. Another major problem for the Flayton team was whether and when to communicate the breach to customers. At the time of the discussion they did not know how the breach had occurred, whether it was a deliberate breach by former employees or the work of hackers sitting in a car with a laptop near the headquarters. With so little information, some investigation time was legitimately necessary. But instead of being proactive and researching the breach themselves, the Flayton team seemed to be avoiding the issue and looking for a way out that did not require communicating with, and dealing directly with, the affected customers.

How to Handle the Situation

Innovation is a great tool for any organization. However, innovation with improper execution does far more damage than not innovating at all. A level of research is necessary before launching any technology project that touches customer data, internal employee data, supply chain data, or any other confidential data. Thoroughly investigating every change that affects the data, running business continuity exercises, and keeping consistent communication between the CIO and the department heads will help ensure that this type of problem is discovered and dealt with sooner rather than later.

As one of the authors of the Harvard Business Review case commentary put it: “One common fallacy is that silver bullet technology can save the day. I’ve seen organizations spend hundreds of millions of dollars on security safeguards that were penetrated by a knowledgeable person with a handheld device. For example, Motorola proved to one of its customers, who had invested heavily in some of the best protection technology available, that we could access their core business systems using just a smartphone and the Internet.” (McNulty et al., 2007)

This fallacy was evident in the thinking of the CEO and the CIO, who believed that being PCI compliant would protect them and prevent problems from happening. However, PCI compliance is only a first step in a number of proper security practices that need to happen within any organization. Compliance is assessed at a point in time; a control that was in place at the assessment, such as a firewall, can be switched off the next day and stay off unless someone is actually checking. Another major point that would help prevent this problem in the future is to have the information security team conduct regular security audits of the organization’s technology and processes to determine whether any potential threat vectors exist. While hacking by external attackers is still the number one threat, an article in CSO describes internal attackers as a close second (Carr, 2003). With that in mind, there are many ways attackers could gain access to confidential information without being physically inside the internal network. Above all possible hardware and software solutions, the key to this organization’s problems, and to others’, is to hire, educate, and train staff to be knowledgeable about all the potential ways data can be acquired. Keeping staff and leadership validated through security and background checks can provide additional defense against disgruntled employees. Simple steps such as changing the passwords of systems a departing employee knew and removing a separated employee’s access as part of offboarding go a long way toward ensuring that no separated employee can intrude and steal information.

References

Carr, K. (2003, August 3). Numbers: Internal threats vs. external threats. CSO Security and Risk. Retrieved November 27, 2012, from http://www.csoonline.com/article/218405/numbers-internal-threats-vs.-external-threats

McNulty, E., Lee, J. E., Boni, B., Coghlan, J., & Foley, J. (2007). Boss, I think someone stole our customer data. Harvard Business Review, 85(9), 37-50.
