Information security is often an afterthought at best for many small to midsize businesses. DigiNotar, a Dutch certificate authority, is a great case study on what can go wrong when adequate information security controls are not put in place. DigiNotar was severely compromised, undermining the very core that their business was built on: trust and authority. The end result was an information-security-related bankruptcy that was preventable. What went wrong at DigiNotar, and what can you learn from their experience?
Lessons learned from DigiNotar information security incident
The more your business relies on trust, the greater your information security risk and the more controls you need
Trust is based on your reputation, and when you are in a business requiring a high degree of trust, it can be game over when a big incident strikes at the core of your model. There is a direct relationship between how much your business relies on trust and how much information security you need. The final straw was when the Dutch government lost confidence after inadequate disclosure and revoked DigiNotar's trusted status.
Full, prompt disclosure is the best way to recover your reputation
DigiNotar detected a problem with their certificate authority infrastructure nearly a month before the incident blew their business out of the water. They failed to make adequate disclosure, causing their customers to question the trust they had placed in DigiNotar. What if DigiNotar had come clean at the beginning? Perhaps they would have been able to salvage the company.
A full security audit needs to be conducted once there is reasonable cause to believe a serious security event has occurred
The primary goal should be to determine the method of attack, eliminate the sources of vulnerability, and clean affected systems. The security review should be conducted by professionals; it can be quite expensive, but it is necessary to prevent worse outcomes such as the total implosion of the business. Had a full audit and full disclosure occurred, the company would likely still exist.
Are you auditing and controlling the right high-risk business activities?
DigiNotar's compromise led to the creation of 531 unauthorized certificates. If this control had been reviewed more closely and followed up on with quick terminations and the actions described above, the company would still be in business.
Effective information security controls can make the difference between prosperity and bankruptcy. The choice is yours. To help make sure your business is taking information security seriously, be sure to review our information security essentials for small and mid-size businesses.