Increasingly, consultants and contractors are offering cyber incident response team (CIRT) functions on an as-needed basis. But should you trust your security to an outside source?

We asked Bill Spernow, a research director with Gartner. His credentials include heading Fidelity Investment’s cyber investigations division and serving as assistant director of computer crime at the National White Collar Crime Center. He also worked as a law enforcement officer in California.

Spernow explained the pros and cons of hiring an outside firm, including questions you should ask before you sign on a company and what you’ll need to do to expedite their work.

The options
Establishing a solid cyber incident response team means hiring approximately 18 employees and making an initial investment of almost $6 million, according to statistics from Gartner, an international IT research firm. For the small to midsize business, those are daunting figures.

Outside vendors can offer a good short-term solution, especially if you’ve already been hacked. They can identify the problem and fix it, then make recommendations for preventing future incidents, Spernow said.

But companies are popping up that do not have the expertise they need, according to Spernow. And some are relying on “reformed hackers.”

“The untrustworthiness of some of these individuals is a risk that a lot of organizations don’t understand that they’re incurring when they bring them in to consult,” he said. “I’ve yet to meet a reformed hacker.

“The analogy that we all use in law enforcement is that if you needed a baby-sitter, you obviously wouldn’t go to a child molester who has been caught just because of the fact that they’re very good with kids.”

A better solution, said Spernow, is to look for firms that have hired employees with top-secret clearance in the military, NASA, or other entities with major security concerns.

He also recommended that you investigate the company, even perform background checks on their employees.

You should also be sure to ask the company how quickly they can respond after a violation occurs.

Spernow is one of many security experts presenting at a June 5-7 Gartner conference on “Information Security in an E-Business World: Coping with the Threats.” Spernow will look at why CIRTs fail and what companies can do to create realistic response plans. Other topics include privacy, piracy, laws, and regulations related to e-business and information security by design. The conference is for business owners and technology executives.

What to expect
Spernow recommends that once you’ve found a solid company, you’ll want to establish a relationship before a security breach occurs. The vendor will need to become familiar with your company’s infrastructure and will most likely want dial-in access and root privileges. All of this is preparation work that will decrease the time it takes to locate and stop a security violation when it happens.

“It’s a lot of work up front and it can be expensive, but it’s insurance,” he said.

Security vendors charge an average of $300 an hour, which can add up to about $2,500 a day plus travel expenses. If you wait until an incident occurs, expect the firm to take at least three days to resolve it.

In return, you should be able to pass an off-time insurer’s underwriting test, which means that your business is insured in case it’s taken off line.

“If you can pass that, you’ve probably got a pretty secure environment,” Spernow said.

But don’t expect a money-back guarantee if a breach happens, and don’t expect immediate help if there’s a major, worldwide incident.

“If we had some major cyber terrorist attack that was able to exploit some unknown hole with any of the major operating systems, and we had systems going down by the hundreds as opposed to piecemeal every once in a while, all these people would be taxed to provide solutions to their existing clients,” Spernow said.

Preparing your organization
CIRTs can raise difficult questions for organizations, so you may want to settle a few internal issues before bringing the consultant in. For instance, the consultant will need you to identify:

  • Who is responsible for each piece of hardware?
  • Who is responsible for each application?
  • Who can grant access rights to the applications?
  • Who is responsible for backing up either the applications or the computers/servers?
  • What are the corporate jewels?
  • What are the systems and processes that are not sensitive and can be ignored during a crisis?

You should also evaluate your Internet and e-mail usage policies by comparing them to publicly available sample policies. Spernow suggested Elron Software’s policy as one of the best samples available.

You’ll also want to explain to management and staff that security is everyone’s concern because it impacts the bottom line, which ultimately affects paychecks and salaries.

You should also encourage employees to look at computer problems a little bit differently. Spernow recommended that you teach them to think like a criminal.

Your employees are your first line of defense. When a problem occurs, Spernow said, they need to go beyond the idea that the hardware or software isn’t working and examine the problem as if it could be a malicious event.

Spernow said that in every investigation he’s been involved with, the company has found an employee who witnessed or noticed something unusual but neglected to report it. He suggested that companies provide some way for employees to report unusual activities.