How Not to Respond to a Cyber Security Vulnerability

The worst way to find out about a cyber security problem is from somebody outside of your organization. We’re paraphrasing the words of Tom Clerici, Director of our Cyber Security Practice, who wrote something similar in a blog from early last year in which he stressed both the increasing inevitability of cyber attacks and the need for businesses to stay out in front of their attackers. Even though Yahoo was the breach du jour when that blog was posted, current events indicate many companies are still failing to properly gain, and act on, insights into what’s taking place on their networks and inside their data centers.

Case in point: Panera Bread. Panera is the latest company to have its name and logo splashed across headlines and cable news graphics for all the wrong reasons. Last year, a security researcher uncovered a major vulnerability with the company’s website – one that left an assortment of customer data – including names, saved addresses, and the last four digits of stored credit cards – plainly exposed. When confronted with evidence of the flaw, Panera did not exactly leap into action. After initially writing the researcher off as a scammer in disguise, the company eventually came around to the idea that something needed to be done. However, the vulnerability allegedly wasn’t corrected until, roughly eight months later, after the media got wind of the situation. Then, Panera pulled down its site, claimed the issue was fixed, realized it wasn’t and pulled it down again. The company’s site is back up, but discrepancies remain as to the scale of the initial issue. Panera claims only about 10,000 customer records were affected. The number being bandied about elsewhere is much higher: 37 million.

If there was a textbook example of how not to handle even a suspected cyber security problem, the Panera story may be it. The company had to rely on someone else to find the problem, it appeared slow to act, and there have been doubts about its ability to grasp the full scope of the situation. At least from the outside, Panera’s incident response plan seems to have left a lot to be desired. However, the company’s branding as something of a cyber security pariah may not be entirely justified. At least not when the overwhelming number of organizations who have found themselves in similar positions is taken into consideration.

Next Steps: Expect the best, be ready for the worst

Want to ensure your business is ready to swiftly and soundly respond to whatever cyber criminals have to offer? Join us at Davio’s Northern Italian Steakhouse in King of Prussia, PA on April 24 for Bourbon & Duct Tape: How NOT to Handle Security Incident Response. This multi-session event will provide executive-level, field-tested strategies on how to prepare for incidents and how to respond when one occurs. Leading the conversation will be two people with plenty of real world insight into what works and what doesn’t in cyber security: Sean Mason, Director of Cisco’s Incident Response Team and Tom Clerici, Arraya’s Cyber Security Practice Director.

Register for Bourbon & Duct Tape: How NOT to Handle Security Incident Response now by visiting: arraya.rocks/events. If you’d like to get a dialogue started with Arraya sooner, we can always be reached at: https://www.arrayasolutions.com//contact-us/. And, as always, feel free to leave us a comment on this or any of our blogs using social media. Arraya can be found on LinkedIn, Twitter, and Facebook. While you’re there, follow us so you can stay updated on all of our latest industry insights, unique educational opportunities, and more.