I didn’t expect to be quite as entertained by this story as I was. I apologize for not knowing where I got linked to this, but CSOOnline has the first part of a two-part story on how a company that suffered a data breach did everything wrong. These are the sorts of stories that need to be told. Repeatedly. I don’t care if authors are anonymous and specific details scrubbing to protect the guilty and victimized. But this sort of stuff shares details, and that’s what we continue to need. We need it to learn from, and we need them to show others tangible illustrations of the risk.
…They lacked the equipment to detect a breach and, even if they did, lacked the human resources to monitor such equipment. He told us his staff consists of one full-time employee and one half-time assistant who is shared with the help desk… [ed.: a company of 10,000 users, 127 sites…]
“What logs? Remember that each business unit is different, but here at corporate we don’t have logs. In fact, logging was turned off by the help desk because they got tired of responding to false alarms. Help desk reports to the IT director, not to security.
Everything starts with a basic policy from senior management that says security is important. From there flows talented staff who aren’t going to just disable pesky alerts or be pulled in the IT operations/support direction 100% of the time. And so on…