The following text is
copyright 2011 by Network World, permission is hearby given for reproduction,
as long as attribution is given and this notice is included.
RSA: maximizing customer harm
By Scott Bradner
news of the major breach at RSA broke about two months ago.
)At the time I complained that the company was not being all that up front in
telling its customers what the breach might mean to them. (see Ensuring
mistrust http://www.networkworld.com/columnists/2011/032811bradner.html) Now we hear that the break in at the
giant defense contractor Lockheed Martin may be an example of the fallout of
the RSA breach. (see RSA tokens
may be behind major network security problems at Lockheed Martin -
) But, you would still be hard pressed to find any useful information on the
RSA website (http://www.rsa.com).
The only thing on the front page that seems to be related is a "new
security brief" on " Mobilizing Intelligent Security Operations for
Advanced Persistent Threats"
which seems to be a bit of a 'try to make money from what we did wrong'
real did happen at RSA, judging from the report in the Wall Street Journal that
RSA is providing tens of thousands of free replacement SecureID tokens to Lockheed.
you look hard enough on the RSA website you can find the April Fools Day blog
posting on the attack
of an Attack http://blogs.rsa.com/rivner/anatomy-of-an-attack/). But RSA does not make it easy to find
any anything relevant. This is
hardly the way that I would want a major security vendor to act. As I write this, the Bloomburg cable TV
channel is speculating on the likelihood that the Lockheed breach was, indeed,
a result of the RSA breach.
Not good press for RSA, made far worse, in my opinion, by RSA's refusal to come
press reports, RSA seems to be justifying their refusal to provide key
information - like what was actually stolen - on the assumption that it would
make things worse for their customers.
That seems like a totally bogus rationale - hey RSA, it looks like the
bad guys that took the info know what they got - the main people in the dark
are the people that spent the big bucks on your products, you are not telling
them how deep the do-do is. You
are also not saying that you will change the design of your products to make
this type of breach unimportant in the future.
What should you do if your company gets hacked in a way that
will impact your customers? A lot
of companies just want the problem to go away and do not want to shine any
light on the situation because it could show that the company does not know
what it is doing in the area of security.
The 'nothing to see here, move along' approach is harder now that most states
require customer notification in the case of breaches that involve specific
types of information, but some companies still try to follow that path.
A far better path to ensure long-term customer trust is to
provide all the information that will not actually harm the customers as you
can. Put a obvious link on
your home page that customers can use to find out your side of the story and
leave the link there until the threat is gone - i.e., do not follow RSA's lead.
disclaimer: Harvard is more of a leader than a follower but
has not expressed any opinion on the RSA path so the above advice is my own.