We’ve all heard the old saying “Failure to plan is a plan for failure”. When I look back at 2014, there are two events that stand out to me as examples of this truism: the Heartbleed vulnerability and the Sony compromise. Very few people could have predicted a vulnerability the size of Heartbleed would happen, however just about anyone in security could have predicted that someone would be impacted by an attack of this scale in 2014. In fact, we’ve been predicting that a major compromise of one of the mega-corporations would happen for over a decade, so it shouldn’t be considered a surprise at all. Which brings me back to the point: we need to plan for these types of events or we’re going to fail.

The honest truth about Heartbleed is that more of us probably should have seen it coming. If not in the form of an OpenSSL vulnerability, at least the fact that something of this scope and impact. The Internet is an organic construct built of billions of lines of interacting code and we’re at a point in time that more people are looking at the old code, so it’s inevitable that something had to give. But we’d had events of similar scale over the years, like Code Red and Nimda, so it would stand to reason that most companies would have an incident response plan in place on how to deal with it. Except that many companies didn’t and almost no one had a plan in place that was well thought out enough or flexible enough to deal with Heartbleed and its consequences.

Some businesses have learned from Heartbleed and the other major vulnerabilities this year and taken the opportunity to modify their processes and procedures in order to deal with events of this magnitude. But I’m willing to bet those businesses are in the minority; most have probably discounted the impact of the events and continued as if nothing has changed. Response plans haven’t been updated, communication methods have been modified to reflect who really gets things done, management still doesn’t understand the scope and depth of an emergency incident and the customers are still left wondering if their service providers are protecting them from an incident that could have severe consequences. Basically, failure to learn from these incidents means the same mistakes will be made again and the stress on systems and people who are often already running on an fine edge will continue and grow worse. Proper planning can help alleviate these issues.

Then there’s the Sony compromise. This is a nightmare scenario for every business, the worst possible case that could possibly happen. The entire network is compromised, all intellectual property is potentially stolen and email is out there in the public eye. Who could have foreseen it? Actually, anyone could have, and should have planned accordingly. No one knows if it’s going to be Sony or IBM or Akamai or their own organization, but we all have to realize this is going to happen and have the plans in place to deal with it. We’ve been saying for years in security that it’s not a matter of if your’re going to be compromised but when and how long it takes you to notice.

We almost always sound like alarmists in security, but if you’re not using Sony’s pain as an example to show your CEO why you should have a contingency plan for when this happens to you, you’re missing out on an opportunity. More, your’re doing your own business a disservice in preparing them for the worst case scenario. You’ve probably designed your data centers with the worst case scenarios of fire, flood and earthquake, even if all of those are rare or unheard of events where it’s located, so it should make sense to have arrangements of the same scope for when disaster strikes your information and your infrastructure.

More from CISO

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Emotional Blowback: Dealing With Post-Incident Stress

Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there's the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing. Amidst these growing concerns, cybersecurity professionals continue to report…

Moving at the Speed of Business — Challenging Our Assumptions About Cybersecurity

The traditional narrative for cybersecurity has been about limited visibility and operational constraints — not business opportunities. These conversations are grounded in various assumptions, such as limited budgets, scarce resources, skills being at a premium, the attack surface growing, and increased complexity. For years, conventional thinking has been that cybersecurity costs a lot, takes a long time, and is more of a cost center than an enabler of growth. In our upcoming paper, Prosper in the Cyber Economy, published by…

Reporting Healthcare Cyber Incidents Under New CIRCIA Rules

Numerous high-profile cybersecurity events in recent years, such as the Colonial Pipeline and SolarWinds attacks, spurred the US government to implement new legislation. In response to the growing threat, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in March 2022.While the law has passed, many healthcare organizations remain uncertain about how it will directly affect them. If your organization has questions about what steps to take and what the law means for your processes,…