Slashdot Mirror


Slashdot Asks: Does Your Company Have A Breach Response Team? (helpnetsecurity.com)

This week HelpNetSecurity reported on a study that found that "the average data breach cost has grown to $4 million, representing a 29 percent increase since 2013... 'The amount of time, effort and costs that companies face in the wake of a data breach can be devastating, and unfortunately most companies still don't have a plan in place to deal with this process efficiently,' said Caleb Barlow, Vice President of IBM Security."

But the most stunning part of the study was that each compromised record costs a company $158 (on average), and up to $355 per record in more highly regulated industries like healthcare, according to the study -- $100 more than in 2013. And yet it also found that having an "incident response team" greatly reduces the cost of a data breach. So I'd be curious how many Slashdot readers work for a company that actually has a team in place to handle data breaches. Leave your answers in the comments. Does your company have an incident response team?

47 comments

  1. Naw by Anonymous Coward · · Score: 5, Funny

    My company has a breach denial team.

    1. Re:Naw by Anonymous Coward · · Score: 0

      My company IS a breach denial team.

    2. Re:Naw by Anonymous Coward · · Score: 0

      And a team to explain to the accountants why it is important?

      A breach management plan is more important than a team. If your denial team are doing their job, your breach management team should be pretty idle so best deployed elsewhere but with a decent enough plan to bring them together should the denial team screw up.

  2. Fortune 500 by tero · · Score: 1

In the words of Alex Stamos (Facebook CISO, back then Yahoo CISO): the Fortune 500 consists of the "SECURE 100" and the "TOASTED 400".

    I'd say it's about right.

    Source:
    http://image.slidesharecdn.com...

    By the way, I highly recommend that talk:
    https://www.youtube.com/watch?...

    1. Re:Fortune 500 by fraxinus-tree · · Score: 1

      SECURE 5 and TOASTED 495 is much, much better approximation

  3. Behold the buzzwords of clickbait by Anonymous Coward · · Score: 0

    Can we get some editors with more than "interweb savvy soccer mom" technical acumen?

    1. Re:Behold the buzzwords of clickbait by dougTheRug · · Score: 1

      This one is just fine, but the crypto-currency article is really really bad. I don't understand it. BTW I couldn't find a single buzzword in this summary. What did you think was a buzzword?

  4. Two questions in return by angel'o'sphere · · Score: 1

a) Due to the lack of a baseball bat, do "Bokken" (Japanese wooden swords) count? I have plenty of them :D
b) Does a single man count? Or do I need to be a dwarf for that?

Oh? You meant a completely different kind of breach? I just pull the DSL connector from the wall!

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  5. No, we have breach prevention by fustakrakich · · Score: 1

    We turn our computers off at night...

    --
    “He’s not deformed, he’s just drunk!”
  6. Not Needed by Anonymous Coward · · Score: 0

    Trump advised my company to build a wall, and we did. There's no need for a response team when all possible breaches are already prevented.

    Surround yourselves with the best people and the best ideas, and you can achieve such greatness, too! Just ask my African American over there.

    Trump 2016!

    1. Re:Not Needed by l0n3s0m3phr34k · · Score: 2, Funny

      Did you follow through, and make the "hackers" pay for the wall?

  7. Nah by Greyfox · · Score: 4, Funny

    They've come up with a much better solution. Their security is just so bad that they never notice that they've been hacked. They seem to think that if they're completely inept, the hackers will feel bad for them and fix some things before they log out.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Nah by Anonymous Coward · · Score: 0

      They've come up with a much better solution. Their security is just so bad that they never notice that they've been hacked. They seem to think that if they're completely inept, the hackers will feel bad for them and fix some things before they log out.

      Sounds like my employer. The only project progress is made by hackers breaking in...

    2. Re:Nah by Anonymous Coward · · Score: 2, Funny

I worked at a place that got hacked, and the only reason anyone noticed is because of the work the hacker did to close the door behind them. A year after they patched the system, there was work on a project and it was returning an error because it was checking the particular database for both the server type and version. Only after more investigation did someone realize the server had been updated, and even more that the update was done by none of the IT staff. I don't believe that they ever figured out everything, because after the investigation started, they started deleting logs and whatnot. The sad part is, if they had just checked the server type and not the version, it may not have been noticed at all.
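The anecdote above turns on one check: a version that no longer matched what the team expected. The following is an added example, not code posted by the commenter or by anyone in this thread, showing how that check looks when done on purpose: an expected inventory is compared against what hosts report today, and any version change that no approved change ticket explains is flagged. Hostnames, component names, versions and the change log are all constructed for illustration.

```python
"""Flag version drift that no approved change record explains.

Added example (not from the thread). The baseline, the observed
versions and the change log are constructed sample data; a real
deployment would pull them from a CMDB, a version query against each
host, and the change-management system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Drift:
    host: str
    component: str
    expected: str
    observed: str
    reason: str


# Baseline inventory: (host, component) -> version on record (constructed)
BASELINE = {
    ("db01", "postgres"): "9.2.4",
    ("db02", "postgres"): "9.2.4",
    ("web01", "nginx"): "1.4.6",
}

# Versions the hosts report today (constructed)
OBSERVED = {
    ("db01", "postgres"): "9.2.4",
    ("db02", "postgres"): "9.3.5",   # patched, but by whom?
    ("web01", "nginx"): "1.6.2",     # patched under an approved ticket
}

# Approved change records: (host, component, new version) (constructed)
CHANGE_LOG = {
    ("web01", "nginx", "1.6.2"),
}


def parse_version(version: str) -> tuple:
    """Turn '9.3.5' into (9, 3, 5) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def find_drift(baseline: dict, observed: dict, change_log: set) -> list:
    """Return every (host, component) whose observed version differs from
    the baseline and is not covered by an approved change record.

    A type-only check (the 'server type' in the story) would miss all of
    these; the version comparison is what surfaces the silent patch.
    """
    findings = []
    for (host, component), expected in baseline.items():
        actual = observed.get((host, component))
        if actual is None:
            findings.append(Drift(host, component, expected, "<missing>",
                                  "component not reported"))
            continue
        if actual == expected:
            continue
        if (host, component, actual) in change_log:
            continue  # explained by an approved change, nothing to raise
        direction = ("upgrade" if parse_version(actual) > parse_version(expected)
                     else "downgrade")
        findings.append(Drift(host, component, expected, actual,
                              f"unapproved {direction}"))
    # Components present on a host but absent from the inventory are
    # just as suspicious as an unexplained version bump.
    for host, component in observed.keys() - baseline.keys():
        findings.append(Drift(host, component, "<none>",
                              observed[(host, component)], "unknown component"))
    return findings


if __name__ == "__main__":
    for d in find_drift(BASELINE, OBSERVED, CHANGE_LOG):
        print(f"{d.host}/{d.component}: expected {d.expected}, "
              f"observed {d.observed} ({d.reason})")
```

Run as written, the only finding is db02, whose postgres went from 9.2.4 to 9.3.5 with no ticket behind it; web01's nginx bump is silent because the change log covers it. The value of the check is in what it refuses to explain away, so treat an "unapproved upgrade" as an incident lead, not as an inventory error to be corrected by updating the baseline.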

    3. Re:Nah by i.r.id10t · · Score: 1

Indeed. The college I work for just a few weeks ago got around to trying to hire a CISO.

      --
      Don't blame me, I voted for Kodos
    4. Re:Nah by turbidostato · · Score: 1

      "They've come up with a much better solution. Their security is just so bad that they never notice that they've been hacked"

And the company is still in business? Then they most probably just followed the strategy that brought them the best bang for the buck. Why should they do anything different? Heck, why should anybody expect anything different?

For the most part all this "security this, security that" is just money thrown at theater for no benefit, and a lot of money wasted along the way, both on the security-whatever itself and on the inefficiencies and opportunity costs involved.

  8. No. I don't by Anonymous Coward · · Score: 0

    I have policies and competent people who prevent that shit.

    Get my sensitive customer data from hacking via the web? Good luck with that asshole.

    Get via sneaking something internally? Good luck with that too asshole.

    Here's Bruno and Sven to explain it to you.

  9. Yes. by Anonymous Coward · · Score: 0

    Here they are hard at work.

    1. Re:Yes. by Bozzio · · Score: 1

      Lemon. Party of 3.

      --
      I just pooped your party.
  10. Major retailer by Anonymous Coward · · Score: 1

    Yes. I worked for a major retailer who was burned badly in the recent past. They've spent an astronomical amount of money creating a breach-response monitoring center and other safeguards to prevent such a thing from happening again.

    1. Re:Major retailer by Sax+Russell+5449D29A · · Score: 1

      It's too bad this usually happens only after there's been a breach. If security is done well from day 1, there are usually no significant breaches. The downside of "costly" information security is that if it works well, it seems useless to the execs. Seen too many times how they gradually cut the budget to oblivion because they don't get nice little reports detailing how many attacks were blocked and what would've been the associated costs. There's really no solid way of proving the need for strong security measures except trusting the word of people who know what they're doing in that particular area.

      --
      -SR
    2. Re:Major retailer by turbidostato · · Score: 1

      "I worked for a major retailer who was burned badly in the recent past"

Like... $4 million? If it is less, that's not even average, according to the (hard to believe) article's summary.

      "They've spent an astronomical amount of money creating a breach-response monitoring center and other safeguards to prevent such a thing from happening again."

Given that there will be big recurring costs coming along, is there any relationship between the damage from the event and the cost of the response? Or is it that a high executive's ego got too hurt and, well, since it's only corporate money, better big than nothing -- and it probably will increase his bonus, on top of that!

    3. Re:Major retailer by Anonymous Coward · · Score: 0

      "I worked for a major retailer who was burned badly in the recent past"

Like... $4 million? If it is less, that's not even average, according to the (hard to believe) article's summary.

      "They've spent an astronomical amount of money creating a breach-response monitoring center and other safeguards to prevent such a thing from happening again."

Given that there will be big recurring costs coming along, is there any relationship between the damage from the event and the cost of the response? Or is it that a high executive's ego got too hurt and, well, since it's only corporate money, better big than nothing -- and it probably will increase his bonus, on top of that!

I made this original post and no... my group alone (one of many in the corp involved in security) has a $5 mil yearly budget for roughly 20 people. I can't speak to the executives' egos, but the damage to the company was extremely significant in terms of lawsuits and in terms of reputation. (Ask Brian Krebs about it ;) )
Sorry if you find it hard to believe, but it's fact. I'm posting as A/C, so there's no sort of "street cred" from making up stories...?

    4. Re:Major retailer by turbidostato · · Score: 1

      "I made this original post and no... my group alone (one of many in the corp involved in security) has a $5 mil yearly budget for roughly 20 people"

So just your team (one of many, as you say) could be "exchanged" for an "average security incident" yearly and your company would still be 20% ahead. Hard to believe the way your company is targeting "security" is an effective one.

    5. Re: Major retailer by Anonymous Coward · · Score: 0

      Think maybe he's talking about Target? /sigh

  11. A what? by Anonymous Coward · · Score: 0

    Ha, ha, ha!

    No.

  12. Does Dice have a breach response sponsor? by Anonymous Coward · · Score: 0

    This feels like a really poorly veiled slashvertisement

  13. depends on IT criticality by omgwtfroflbbqwasd · · Score: 1

    Of the firms I've worked for, only the large ones (>$20B/yr) that depend heavily on IT had a dedicated in-house incident response team. Smaller shops ($5-20B) or those that rely less on IT would outsource it. Small enterprises with a 1-5 man security team probably have just a written plan that's never tested. Anything under $1B/yr in revenue probably doesn't have a security team at all unless they are an Internet-based company.

  14. No, BUT by Anonymous Coward · · Score: 0

    we have a beach and breasts response team, ready to go on a moment's notice.

  15. Oh yes, definitely by Anonymous Coward · · Score: 0

Some huge fat guy with a World of Warcraft T-shirt who always wears sunglasses, and some small skinny guy who puts a fresh copy of Windows on the machine after he has found a mouse that works.

    1. Re:Oh yes, definitely by Anonymous Coward · · Score: 0

      lok'tar ogar!

  16. Yes... by Anonymous Coward · · Score: 0

    Management... "Deny everything and admit nothing"

  17. Yes, we do by Anonymous Coward · · Score: 0

    I work for a US DOE National Lab. We have a CSIRT.

  18. They are prepared all right by Anonymous Coward · · Score: 1

    If anything like that happens, blame is instantly assigned to a sacrificial goat, the goat's name is passed on to HR, and a cardboard box is deployed.
    Nothing else is changed.

  19. Corporate breach response team by xeno · · Score: 1

    There's a small software company in Redmond that has a long standing well funded breach response team. It's called Marketing.

    (This is only kinda a joke. The SSIRP process was largely developed, funded, and driven by Marketing, with follow-on engineering and remediation by security teams.)

    --
    I think not...(*poof*)
  20. not exactly a *company*, per se... by Anonymous Coward · · Score: 0

    A breach response team, you say?

    Yes. Oh yes.

  21. Health care... nope by spywhere · · Score: 1

    I work for a major assisted living provider.
    Not only do we not have a plan, we don't have a clue. Our Windows machines are still running an old version of Java, and everyone is local Administrator. There is no official policy against downloading or installing stuff, so the place is a Festival of Malware. We have three people on the Security team for 60,000+ computers.

  22. ha by Anonymous Coward · · Score: 0

    he who complains is at fault

    millions of customer records
    billions in transactions

    sink the person who points out faults that can be used to attack the system

    working in large organisations can be very depressing

  23. HAHAHAHHAHA! Nope. by epseps · · Score: 1

    I have never experienced such an increase in intrusion threats that have coincided with denial that there is any problem at all.

It's so bad, I am starting to become one of those tin-foil hat IT guys who is starting to believe that management has been blackmailed by the "hackers" (not yet, but that is the road I am on). I also, more seriously, believe that the increase in "Cybersecurity" firms and "Ethical Hackers" correlates to the increase in incidents. The old "Gotta hire a criminal to prevent a crime" is really turning out to be a bad idea.

    The key to security is competent system administrators, but all the older ones are getting canned in favor of younger DevOps who went to "code camp" one summer and used AWS to host an app no one bought.

  24. Yes, we do by Opportunist · · Score: 1

    And I'm part of that team. We have plans and processes for pretty much anything that can happen, down to pre-written statements for the PR goons so they have something to feed to the press while we're finding out what went wrong and detailed instructions for everyone what to do, who to talk with and more importantly, who not to.

    That breach a few months ago, where a company lost multiple million bucks, sure was a wake-up call. Right now, everything that deals with (serious amounts of) money has to go through a very rigid process, whether you're some clerk or the CEO himself. Let's see how long it lasts before our bigwigs get inconvenienced by it enough to return to hand waving, but right now at least we have processes in place that put the process manager in me in my happy place.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  25. PLEASE SAVE US SPIES by Anonymous Coward · · Score: 0

    How about your company has insiders spilling information? The FBI does.

  26. We are the Breach Response Team by Anonymous Coward · · Score: 0

That's what some of the work that the company I work for does.

  27. We have a team. by Anonymous Coward · · Score: 0

    Five lawyers, two accountants, a concierge, and a PHB to supervise them.

  28. Breach Plans by Anonymous Coward · · Score: 0

If your company does not have a plan, contact Hoplite Industries Inc. They can help you out.
Garrett Talbot
Employee - Hoplite Industries Inc.
www.hoplite.io

  29. A quote from ... by Fnord666 · · Score: 1

"the average data breach cost has grown to $4 million, representing a 29 percent increase since 2013... 'The amount of time, effort and costs that companies face in the wake of a data breach can be devastating, and unfortunately most companies still don't have a plan in place to deal with this process efficiently,'"

    said the guy who wants to sell you a service.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables