Information-technology staffers at CareFirst Blue Cross and Blue Shield believed they had contained a data hack back in June 2014. But on Wednesday, the not-for-profit insurer serving Maryland, Washington and northern Virginia said the personal information of 1.1 million individuals was breached.
Experts say any delay in responding to a breach could magnify the compromised security and increase public relations damage.
Though the first signs of a potential data breach don't always call for a full-blown investigation, a fresh set of eyes can make a world of difference in limiting a cyber attack's damages.
“Doctors don't treat themselves if they have a serious condition. We should do the same with breaches,” said Mark Shelhart, senior manager for forensics and incident response at Sikich, a multidisciplinary professional-services firm.
But hackers are constantly probing network perimeters to gain access, so a company shouldn't call in the cavalry every time an alarm goes off, said Mac McMillan, co-founder and CEO of CynergisTek, a security consultancy.
“Unless you have real indicators that somebody has compromised your network or exploited one of your systems, you're not going to call a fire drill every time you detect something,” McMillan said. “If you did, you'd be constantly in fire drills.”
With limited information on what exactly CareFirst had “contained” in its initial response to the cyber attack, it's hard to judge whether the insurer's IT staff should have called in outside experts to make sure they had covered their bases.
Companies need to build up their internal security teams with strong talent so that they can prevent such attacks in the first place and comprehend the severity of an incident when something goes wrong, said Gavin Reid, VP of threat intelligence for IT security firm Lancope. For most companies, it is likely too expensive to constantly call in a cybersecurity firm like Mandiant, which contracted with CareFirst in the wake of the major cyber attacks against Premera Blue Cross and Anthem.
“Building out internal teams and building those teams with resources from the outside is an extremely important way that organizations bear down on attacks like this,” Reid said. “It's less about going and getting a contractor to do something, and more about building a team of people with knowledge about what's going on.”
Underwriters at cybersecurity insurer Beazley have found that cost and risk are minimized when a company responds earlier following an attack. The firm encourages its clients to notify its staff as soon as possible, said Katherine Keefe, head of Beazley's Breach Response Services.
The fact that CareFirst admitted they had some sort of situation to “contain” suggests the insurer probably should have contacted an external firm when it first discovered the attack, said Ken Dort, a cybersecurity expert and partner in Drinker Biddle & Reath's Intellectual Property Practice Group. CareFirst may have waited too long to bring in Mandiant.
“They reconsidered their original decision to not call somebody and they did,” Dort said.
It takes significant pushback for a CEO to cross his chief information officer and seek outside help, but sometimes it needs to be done, he said. If IT staffers have legitimate evidence that an incident was more than just a probe, they need to call someone.
“How can you believe the guy who was involved in the initial situation?” Dort said. “When I see those situations, I strongly urge that a third party be brought in to cover the waterfront.”