You've just been hacked. Now what? Here's how to avoid resorting to panic mode.
At 12:12am on May 1, 2001, in the wake of the tense standoff over the downed US spy plane on China's Hainan Island, Tradebonds.com's intranet underwent a drastic redesign. A black backdrop replaced the usually staid blue log-in page, and across the page a stripper danced to music, gyrating her way in (and out) of a purple bikini. Vivid red text adorning the top of the page conveyed an almost cartoon-like threat: "We'll get back at you America!"
Upon discovering the site's saucy new mascot the next morning, nobody knew quite what to make of it. "I thought this was some sort of joke," recalls Ed Prado, president and CEO of the California-based company. "Internally, there was absolute disbelief over what had happened."
The first reaction to a security breach is almost always denial. This must be a network glitch or a stupid joke. Once the severity of the situation sinks in, however, a variety of emotions ensue - anger at the perpetrator, betrayal by the security vendors that didn't prevent it from happening and finally, sheer panic. "Anarchy looks organised compared to [the first 24 hours after an attack]," says Mark Rasch, former head of the computer crime unit at the US Department of Justice and now vice president for cyberlaw at New York City-based Predictive Systems, a security consultancy. By the time companies have worked through these emotions and started addressing the problem, they've wasted precious time - and the situation has likely worsened.
The reason for all the panic is that many companies don't have a well-defined incident response plan to guide them when a virus or a hacker fells their systems. They don't know who to call for help, when and how to communicate the problem to their employees, customers and the media, or how best to get back online.
But companies can no longer afford to make these decisions on the fly because the cost of security breaches is increasing exponentially. The 2001 annual computer crime survey conducted by the Computer Security Institute (CSI) and the FBI reveals a disturbing upward trend in the cost of breaches, and it suggests that a company's chances of facing a security threat are quite high. Of 538 US corporations, government organisations and universities that responded to the 2001 survey, 85 per cent admitted that their security had been breached in the last 12 months. Of those, 35 per cent were willing and able to quantify their losses. Those 186 organisations reported a whopping combined total of $US378 million in financial losses. In contrast, losses from 249 respondents in 2000 totalled a distinctly smaller $US266 million.
By those standards, Tradebonds.com was relatively lucky. No customers viewed the dancing stripper, and the damage was limited to a few hours of lost productivity as employees processed customer orders manually while the site was down for repairs. But you can't depend on luck. To minimise the damage of security incidents, your company should make some basic choices about how you will approach potential security situations, codify those choices in a detailed, written incident plan that can serve as a blueprint in the event of a crisis, and decide ahead of time who will be in charge of implementing that plan (see "Have a Plan"). As you develop your incident response plan, you need to think through the following critical issues. By preparing ahead for a possible breach, you can avoid resorting to panic mode and make the recovery process faster and smoother.