RSA: Back from the breach?
Reporting from RSA 2012, Tom Brewster looks at how well EMC's security division has come back from the infamous 2011 attack.


Either RSA is very thorough in being disingenuous, or it really has averted disaster.
When last year's breach hit, resulting in customers' SecurID data going missing, some gazed into the crystal ball and saw the dawning of a dark age for RSA. There was little doubt the embarrassment and subsequent cost of the compromise was going to hurt the company, at least in the short term.
The security division of EMC, which supplies authentication products to some of the world's biggest public and private organisations, did not just suffer financial wounds, but was also lambasted for not coming clean about the breach sooner. It also took some flak when it emerged how the attack took place. A seemingly simple spear phishing attack duped a low-level employee into opening a file which exploited a vulnerability in Adobe Flash. It was fairly routine stuff as far as hacks go.
Yet at this year's RSA 2012 conference, the company has been in pugnacious mood, claiming the breach was all dealt with and the overall impact almost non-existent. Art Coviello and Co have come out fighting this week. At the minute, it looks like they're winning.
Emerging from the ashes
Data breaches have two particularly damaging consequences: financial loss and reputational damage resulting in the loss of customers. RSA has suffered both, as anyone would expect, but on the face of it the impact has been minimal.
Lesser companies have fallen as a result of hacks on their infrastructure. DigiNotar, the Dutch certificate authority, went bankrupt after it was hit by cyber criminals seeking to implement clever man-in-the-middle attacks. Fortunately for RSA, it has the large pockets of EMC to support it. In that respect, it is no surprise RSA has suffered little.
Yet the company has shown resilience in recovering from the devastation of March 2011. It would be easy to just brand RSA's comeback as all talk, but the vendor has backed its claims with some impressive figures.
Let's start with reputation. Since the breach, just four customers have been lost. That's out of tens of thousands. Studies the company has done amongst clients suggest the firm's standing has recovered in their eyes too. After a vicious initial backlash from customers, RSA said it had managed to regain their trust.
"We do a lot of data gathering on customers, like customer satisfaction surveys, and we got crushed for the first two to three months," Thomas Heiser, president of RSA, told IT Pro.
"Go back to those same customers in November/December and they said 'you stood by us, you opened up communication, you remediated if we wanted to.' We turned lemon into lemonades."
Despite the criticism RSA faced for not being quicker to come clean about the breach, Heiser claimed as soon as the company knew customers would be affected, it moved to let them know.
"The time it took from the moment that we thought customers could be compromised to announcing it was 21 hours," the company president said. "It was all hands on deck, it was just rapid."
Indeed, RSA had to work hard to ensure its reputation was not irrevocably tarnished. Following disclosure, RSA offered customers SecurID replacement tokens. Its sales team was plagued with calls from companies wanting to take advantage. "They were remediating customers up from 10 per cent of their time to 90 per cent of their time," Heiser added.
Financially, things are looking rosy too. Even though reports last year indicated the breach had cost the company $66 million, EMC's most recent results showed RSA grew its business 16 per cent in the last quarter. Then there was RSA chairman Art Coviello's telling comment at the start of this week's conference: "We are no longer dealing with the breach." That means no more payouts or costly remedial changes will be required.
It's CISO time
Customers will also want RSA to prove its infrastructure is safe and trustworthy. One of the biggest changes over the last year has been in employing a chief security officer. Some would say a little too late, but at least Eddie Schwartz, who was initially brought in during the NetWitness acquisition a month after the breach, stepped up to the CSO plate in June 2011.
Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.
He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.