February 06, 2001, 3:29 PM — Most of the work that goes into managing a security breach should happen far in advance of when the breach actually occurs, says Bill Stanek, director of information systems at GeoTrust, a Portland, Ore.-based company that provides buyers and sellers with access to an e-commerce participant's trust profile.
"You can't always stop a security breach from happening," Stanek says. "What you can do, when you discover it, is you can react very well."
Putting together an emergency response plan that includes all operational procedures will definitely help companies handle a breach more successfully. Luckily for WesternUnion.com, although it did not have such an emergency response plan in place before it experienced its first security breach, the company did a good job of managing the situation after a breach occurred on a Friday morning in early September.
"We discovered that credit or debit card information of a number of consumers may have been copied by a third party," says Peter Ziverts, vice president of corporate communications at Englewood, Colo.-based WesternUnion.com. "At that point on Friday, we didn't know how many credit card numbers had been affected."
Rather than wait for that information, the company immediately took action, contacting consumers by either e-mail, phone, or mail to tell them their account information may have been compromised.
The company also shut down the Web site. It remained down for five days until additional security measures were in place.
By Sunday, WesternUnion.com's IT department determined the extent of the damage -- 15,700 cards had been copied. At that point, WesternUnion.com transmitted the information to credit card issuers to put them on alert to scrutinize increased transactions on those accounts.
Over the course of the crisis, a virtual war room emerged, according to Ziverts.
"There were conference calls throughout the weekend to decide on the next move," Ziverts said. "We were very prepared for Y2K, and clearly that preparation helped us here."
In addition, although the company did not have an emergency response plan, it did have a business continuity plan. "From that perspective, we were well prepared," Ziverts says. "And we are prepared to deal with this again in the future."
WesternUnion.com responded well to the attack, but they could have been better prepared. Detailed procedures outlining what should occur in the event of an attack already should have been in place.
How does a company create detailed response procedures, commonly referred to as an Incident Response Plan? Communication and education are key. Employees should know in advance what their roles and responsibilities are during an attack.