Considering the kind of business ipremier is in and the volume of transactions occurring, neither the company did well in preparing for such an attack nor in swiftly communicating and addressing the security loophole. If you see this from responsiveness perspective a better action plan could have been implemented even though they didn’t have an updated emergency plan handy. Among the main reasons that contributed in making the attack worse are; high turnover rate of management, the management of IT infrastructure is done by third party, Qdata -which is not competent enough with all the changing technology, this leads to client not understanding of the overall IT architecture and resources not available from vendor side.
Also, not having a clear communication guideline in case of such attack and even when contacting higher executive, the team didn’t have the proper understanding of what had happened and knowing that they have outdated manual and not acting on it was a major drawback in handling of the situation.
Companies should restructure their system to address vulnerabilities by considering the fact that it’s a matter of when not if, an attack would happen. If iPremier were prepared for such scenarios, they would have addressed the situation in more procedural and technical manner, unfortunately that was not the case for them. The only option they had at the time was to react to the situation based on what they know; using their technical expertise and common sense.
I would not say everything they did was wrong, for example with all the constraint they were able to communicate and finally do what can be done at that time. But also they could have done a better coordination by having a conference call to tackle situations in wholistic way and bring everyone on same page— which will avoid duplicate effort, and the flow of information didn’t follow the order and everyone taking their hands off the responsibility. The emergency plan being outdated and not tested thoroughly was a hurdle and knowing Qdata infrastructure was outdated and keeping it as the service provider is also a flaw that’s made the attack worse.
Major things I would have done differently are: first and foremost, I would get on call all the parties including personnel from Qdata, and iPremier folks and legal team to update the status quo, and plan for minimal viable action plan to remedy the incident. That way I would at least make sure that everyone is on the same page in tackling the attack. Consequently, I would identify guys to address each situation, for example, access was denied entering the facility of Qdata, this could have been easily avoided if this coordination was done firsthand.
After the attack has stopped, I would also opt for shutting down the servers because of the very reason of protecting customers and not compromising their data. Additionally, the CIO should have done beforehand a better job in addressing the concern of CEO which was the need to run things professionally and updating/enhancing the procedure manual. From the beginning iPremier had a plan to have a facility of its own but didn’t take action for different reasons, like cost of having new facility, only focusing on business process, being afraid of service interruptions and affiliation with Qdata. These all are not adequate reasons for not being secure, for that matter any reason is not enough.
iPremier seems lost in the way of only taking care of customers worrying less about security, upgrading their system and incident response plan. Because of poor preparation iPremier could only react; iPremier operating procedures were deficient in many fronts. First, it’s outdated and should have been maintained and updated regularly. Secondly, people are not trained on it and the emergency procedure plan was not tested recently. Lastly, didn’t have procedures for troubleshooting /remediation.
After the attack the scope and motive of the attackers should be traced and identified. A thorough investigation of whether customer data was compromised or not should be among the first actions; this would include making sure that there is no malware in the infrastructure and noting down the details information and loopholes in the system. Other actions will be contacting law enforcement officials and addressing the press about the situation.
For future, deciding which approach to take on whether outsourcing or having inhouse datacenter is paramount. Major actions could be taken in order to prepare for such attacks in future among them are; having and maintaining a business continuity /incident Business response plan and fully test it before deployment, have a standard procedure that details of reporting lines, major infrastructure architecture and IT governance deployed, training of the employees with these processes and all these should lead to restoration of business processes
