Too Much Prevention, Not Enough Cure

When it comes to security, IT leaders focus so much on preventive action that they don’t plan for contingent action. What would you do if you were hacked and confidential information was stolen? If you can’t confidently answer that right off the top of your head, you’re one breach away from looking for a new job.

Humans are bad at accurately assessing risk. The likelihood of getting hacked is next to zero unless you’re a big target or haven’t taken appropriate preventive security measures. But if you do get hacked, the consequences can be catastrophic. Yet IT focuses almost exclusively on prevention. Why? For starters, preventive action is easier. Setting up firewalls and security software and following well-documented security practices are all straightforward steps. Preventive actions are also highly visible. When you’re blocking and filtering things, people notice, and you can easily prove that you’re on the ball if anyone ever asks. Contingent action is also not nearly as glamorous. Blocking an attack against your network is much more exciting and rewarding than responding after the horse has left the barn.

Strangely, IT takes a completely different attitude toward backups. IT doesn’t put the bulk of its efforts into preventing data loss or corruption from ever occurring. Instead, it focuses on contingent actions — keeping backups and restoring from them when data loss does occur. The likelihood of data disappearing due to bit rot or user error is on par with being hacked. But, as many of us in IT are fond of saying, whether you lose data is not a question of “if,” but “when.” Yet IT doesn’t adopt the same attitude toward security. It’s not a question of “if” you’ll have a breach, but “when.”

It’s no fun planning for a scenario that begins with, “What do we do if all these security measures fail?” But failures happen. IT has to let go of the “no mistakes allowed” attitude. It’s better to make a mistake and deal with it properly than to try to be mistake-free and have no clue what to do when a mistake does occur (and it will). IT needs to take appropriate preventive security measures, but it needs to spend the bulk of its time on planning for contingent action.

Imagine for a moment that you are awakened at some unholy hour of the morning with the news that someone, somewhere is in your network, downloading confidential data. What do you do? Pull the plug? Then what? Without a contingency or crisis plan in place, you will have to figure it out as you go.

Formulate a contingency plan for each plausible scenario. When I say “plausible” I don’t mean “possible under extremely unlikely circumstances.” I’m talking about scenarios that actually might happen. For example:

  • A rogue employee makes off with confidential data

  • An attacker breaches your network and begins collecting data

  • Data is intermittently leaking out, but you don’t know how or when

A solid contingency plan has the following elements:

  1. Stopping – Cutting off access, at the source if necessary

  2. Freezing – Preserving the “scene of the crime” for forensic analysis

  3. Recovering – Revising your preventive action plan and getting back to normal
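The “Freezing” step is the one most teams improvise on the night of the breach, so here is an added example (not part of the original article) of what the preserved “scene of the crime” can look like in practice: a read-only evidence manifest that records a hash, size and timestamp for every file under a directory, along with where and when it was collected, so that later changes (an attacker or a well-meaning admin “cleaning up”) are detectable. The sample log directory, its contents and the function names are constructed for the example.

```python
import hashlib
import json
import platform
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 without modifying it."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record every regular file under root (hash, size, mtime) plus the
    host and UTC collection time. Nothing under root is written to."""
    entries = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        entries.append({
            "path": str(p.relative_to(root)),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_file(p),
        })
    manifest = {
        "host": socket.gethostname(),
        "platform": platform.platform(),
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "root": str(root),
        "files": entries,
    }
    # Hash the manifest body itself so tampering with the record is also detectable.
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(root: Path, manifest: dict) -> list:
    """Return the paths whose content is missing or no longer matches the manifest."""
    mismatches = []
    for entry in manifest["files"]:
        p = root / entry["path"]
        if not p.is_file() or sha256_file(p) != entry["sha256"]:
            mismatches.append(entry["path"])
    return mismatches


def demo() -> tuple:
    """Constructed scenario: snapshot a fake log directory, then show that a
    later 'cleanup' of one log is caught by re-verifying against the manifest."""
    root = Path(tempfile.mkdtemp(prefix="evidence_"))
    (root / "auth.log").write_text(
        "Jan 10 03:12:07 host sshd[412]: Accepted password for admin from 10.0.0.9\n"
    )
    (root / "app").mkdir()
    (root / "app" / "export.csv").write_text("id,customer\n1,constructed-sample\n")

    manifest = build_manifest(root)
    before = verify_manifest(root, manifest)   # expect []
    (root / "auth.log").write_text("")         # someone wipes the log afterwards
    after = verify_manifest(root, manifest)    # expect ["auth.log"]
    return manifest, before, after


if __name__ == "__main__":
    m, ok, changed = demo()
    print(json.dumps(m, indent=2))
    print("changed since collection:", changed)
```

The point of writing the manifest before pulling any plugs is that the hashes and timestamps are what a forensic analyst (or a court) can later rely on; once the box has been rebuilt in the “Recovering” step, that record is all that remains.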

Notice I said nothing about “getting back” any data. That’s impossible. In contingent action, the best you can hope for is to limit the damage and prosecute the responsible party. There are no winners, and that’s why contingent action is rarely on IT’s radar.

What other areas of your life and organization have you failed to create contingency plans for? The axiom that it’s not a matter of “if” but “when” applies to more than just data loss.