The result of the recent Referendum for European Union membership (or Brexit) has many parallels with the periods prior to, during, and after an InfoSec incident.
The lies told by both sides before the event were both destructive and divisive. Neither side believed what they said and could not necessarily deliver on the promises made. We saw this on the infamous bus messages stating the NHS would be the beneficiary of £350m a week that was no longer going to Brussels. The Remain campaign were not much better and it is probably one of the worst periods of embarrassing politics this country has ever seen.
So how is this like an InfoSec incident? Firstly, if you take the hackers, the hacked, and the companies who seek to manage and control, the devastation after an attack is generally not in line with the hype. For example:
- The salesman who promised 100% coverage of any little immigrants getting onto your network through your borders was wrong.
- The compliance reporting officer who told management the staff were 100% prepared because all compliance training stats were green was wrong. (Typically, even when tests are announced, 10% of staff in highly regulated industries still click on phishing test links.)
Furthermore, the consequences of an event do not become evident immediately after the event. In terms of Brexit, Mark Carney was there the next day propping up the obvious fall in the economy and collapse of share prices that was to follow. But the day two and day three impacts were far from clear. The impact of Brexit on funding for European science projects is already seeing UK scientists excluded from research grants, as the future of Europe-wide shared science is unclear.
For the InfoSec crowd, just what will your breach expose? Your MD would probably like to keep the whole attack hushed up and hope that nobody finds out about it, but the regulator demands you let them know. Once the regulator knows, you might as well post a message in The Times and on Twitter simultaneously. Now, apart from a few shaken heads in various dealing rooms across London, a breach into an investment bank’s trading system or customer relationship management database will probably not cause more than a ripple in the big picture. It is almost expected, as banks are such obvious targets. However, if you are the exec of a mobile phone company who loses hundreds of thousands of customer records, you had better make sure your LinkedIn profile is up to date and the ink on your new CV is dry.
Finally, what is needed is clear leadership before, during and, most importantly, after a crisis. Let’s face it, on the early morning of June 24th, there was a collective sick feeling in the pit of the stomach for more than 48% of the population. Tactical voters, protest voters and stupid voters joined the ranks of people who made the impossible seemingly inevitable. As in all good crises (please see previous comment on LinkedIn), the person who made the fateful decision – be it calling a referendum for party political reasons or, in InfoSec terms, skimping on the security architecture budget – is soon replaced. This is either through falling on a sword, or being pushed onto it like most senior executives. (I honestly wonder how many letters of resignation are penned by the leaver.)
So, the scapegoat / fall guy / guilty party has gone, what now? Well, now we have to act in order to calm the situation and return to business as usual. This is, in theory, what should happen, but in practice is not always the case.
“InfoSec incident means InfoSec incident”
Rather like “Brexit Means Brexit,” what does this actually mean? Unless, after such a dramatic turn of events, someone actually steps up and gives direction, the danger is that further impacts will occur in the decision vacuum. This is where we find ourselves now in the UK, and often in the cold light of day after an incident. As the poor little techies wander off home having done a straight 48/72/96-hour shift, it is time to make sure the ship is steadied and everyone pulls in the same direction on the oars. Communication is paramount, and a key part of InfoSec planning is to have templates and distribution lists in place to keep all parties informed. Communications are in the end your faithful friend, but if you don’t control them, they will turn on you and go from puppy to Cerberus in the blink of a Twitter feed.
I know we cannot as yet tell all of the damage done, but the outcome of the Referendum caused a huge split in the UK to be reinforced and allowed manipulative and interested parties to chock their bandwagons and start using them as a stage from which to speak (excuse me mixing metaphors). The same thing can happen within organisations after such an event. At the very time unity is needed, some idiot will always see the opportunity for personal gain. Watch out: we know that the showboaters in the campaign all got what they deserved in the following night of the long knives.