Your web site is reportedly dropping malware on your site visitors; what is your first question?
For most seasoned professionals, the very first question is, “Are you sure?”
After all, if the diagnosis is wrong, the response is certainly very different.
For the moment, let’s assume the answer is “yes” and your website is actively dropping malware. The second question most often includes some form of: “For how long?”, “What is it doing?”, “How did this happen?”, “Can we (did we) contain it?”, “How many users are (will be) impacted?”…and of course the classic denial question, “Are you REALLY sure?”
If you’ve never been directly involved in this situation, it can appear a little comical from the outside. Everything that was important…even critical…just five minutes ago is now on the back burner.
Making matters worse is the fact that your site was probably just fine yesterday, the day before, last week, etc. But realize that EVERY major breach was “just fine” right up until it was not just fine.
And now, every department that has something to do with the web site is on high adrenaline as the situation unfolds.
Step one is always to define the incident.
In this case, determine what is happening and stop it as quickly as possible to limit the damage. With modern web sites, neither pinpointing nor stopping an active incident is easy, because much of the code that executes in the site visitor’s browser comes from a myriad of third-parties.
With luck, maybe it’s simply an isolated landing page from an old marketing campaign and it doesn’t affect ALL site visitors.
But if the incident is the result of a compromised third-party emanating from your most heavily trafficked pages, then for every 1M monthly visitors you are currently infecting 23 more people every minute (a month is roughly 43,200 minutes, so 1M visitors spread evenly across it arrive at about 23 per minute).
The good news is, you don’t need to concern yourself with the math…your legal team is already on this part.
Once the incident is isolated, the process often branches. One side is focused on stopping the issue while the other side is calculating the damages. Even if you are able to identify a compromised third-party, finding the correct contact person there can be frustrating and time-consuming if you haven’t prepared.
Every minute increases pressure and frays nerves as others want answers to prepare accurate damage estimates. If the damages are estimated as very high, the response actions must change.
In extreme cases, shutting down the entire site may be warranted. Is that the right call in this instance? Well, like most questions involving security and business risk, the correct answer is very often “it depends.”
To arrive at a more actionable answer, it’s critical to think about security breaches and the resulting business impact in three dimensions. The obvious first two dimensions include the magnitude of the issue and the number of people impacted.
But the critical “third dimension” is based on the impacted users themselves. For example, maybe the user just bought their PC and doesn’t have any valuable data on it…or simply isn’t the kind of person to make a fuss.
That’s great news for you.
But if the exact same incident happens and the user is, let’s say, a class-action attorney, well, he has a new project for the weekend and you have an entirely different problem on your hands. While this third dimension is entirely out of your control, it highlights the importance of preventing all that you can in the first place.
During all of the above, the CEO and the Corporate Communications team are busy formulating the official company response. The company response to an incident is critical to the overall outcome for the business.
Respond too quickly and the response may be wrong…making the overall problem worse. Respond too slowly and additional liability may be incurred as a result.
It is business-critical to make sure you have the best information in the most timely manner.
Yet another interesting question that gets asked along the way is, “how did we find out we were compromised?” In many cases it is a site visitor that experienced something wrong AND recognized it as such AND had the wherewithal to actually call and tell someone at your company.
By the way, it’s never the first person that runs into something that calls and reports it. So by the time you hear about it, the problem is already impacting hundreds to thousands of your valuable site visitors.
But it doesn’t have to play out this way.
It starts with proactively monitoring your website and all the third-parties that run code to create your site experience.
This is not just a good idea. It needs to be an essential element in your broader security and vendor management plan.
Give your digital third-party vendors the same scrutiny as physical vendors. After all, they can (and do) get breached.
And to your site visitors, it all looks like YOU are compromised. Your own code could be just fine, but if a third-party applet is allowing malicious traffic, guess who will be held accountable?
Find out how many third-parties are involved in your site…it may surprise you.
But better to be surprised BEFORE something happens so you can plan accordingly when something eventually goes sideways.
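One way to get that inventory, and to notice when it changes, is to list every host that supplies executable code to a page and compare it to the vendors you have already vetted. The script below is an added example, not code from this post or from Privacy101; the page markup, the hostnames and the approved-vendor baseline are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: first-party code plus several third-party tags.
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-analytics.com/tag.js"></script>
<script src="//ads.example-adnet.net/loader.js"></script>
<script src="https://www.example.com/static/vendor.js"></script>
<script>console.log("inline first-party code");</script>
<iframe src="https://widgets.example-chat.io/embed"></iframe>
</head><body></body></html>
"""

# Constructed baseline: vendors that have been reviewed and contracted.
APPROVED_VENDORS = {"cdn.example-analytics.com", "widgets.example-chat.io"}


class ThirdPartyInventory(HTMLParser):
    """Collect the external hosts that supply scripts or iframes to a page."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.hosts = {}  # host -> list of resource URLs it serves

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return  # inline script: your own code, not a vendor
        # Protocol-relative URLs ("//host/...") resolve to a host as well.
        host = urlparse(src, scheme="https").netloc
        if not host or host == self.site_host:
            return  # relative path or same-host URL: first party
        self.hosts.setdefault(host, []).append(src)


def inventory(html, site_host):
    """Return {third_party_host: [urls]} for the given page markup."""
    parser = ThirdPartyInventory(site_host)
    parser.feed(html)
    return parser.hosts


def drift(current_hosts, baseline):
    """Hosts serving code now that are not in the approved-vendor baseline."""
    return sorted(set(current_hosts) - set(baseline))
```

Run the same inventory on a schedule and treat a non-empty drift list as the alert: a host you never approved has started executing code on your visitors, which is exactly the situation the post describes.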
Beyond simply knowing your digital third-parties, consider formal agreements that spell out how much of the risk THEY assume if their code is breached and your site visitors are impacted as a result.
Right now the risk-share is probably about 100% YOU and 0% THEM.
Making matters worse, simply not knowing who your vendors are could be construed as negligent and that is a word you must work very hard to keep out of the conversation. Consider it a “compound word”. Not in the grammatical sense, but in the business sense. Negligence (if proven) seeks to compound the resulting damages. Even when not proven, the mere mention of the word “negligence” amplifies damages to brand reputation.
Most times, when the dust settles, these types of incidents come full circle with a post-mortem discussion of how to prevent them from recurring in the future.
It starts with monitoring and experiencing your website exactly as your site visitors do…from different combinations of devices, operating systems, geographies, and user behaviors, to detect an incident BEFORE it becomes overt.
In the past, this was not just difficult, it was cost-prohibitive to all but the largest companies.
Within today’s vast digital ecosystems, vulnerabilities are a fact of life. And while many security analysts subscribe to the notion that if you haven’t been breached it is because you haven’t been targeted, this isn’t completely true.
The multitude of digital third-parties that operate with impunity on your website adds an even darker reality. When one of these vendors is attacked, you can sustain serious collateral damage without ever being targeted directly.
Actively and continuously monitoring your web site is one of the easiest, most impactful steps you can take to improve your security posture today.
Privacy101 can help you get a handle on YOUR website vulnerabilities related to third-party code executions. Contact us today for a free risk analysis.
© Copyright 2020, Privacy101, LLC. All Rights Reserved