The Imperva Breach is a Sobering Reminder That Anyone Can Be Compromised
In late August, Imperva, a popular vendor of data and application security software, notified customers that it had suffered a data breach. This is a company that has built its entire business model on protecting its clientele from breaches, leaks, and intrusions. According to the company blog, the exposure most directly impacted its Cloud Web Application Firewall product, originally known as Incapsula.
To say that this might damage Imperva’s reputation would be putting it lightly.
Still, the firm did a lot of things right. For one, the breach itself, which was brought to the firm’s attention by a third party, appears to have happened fairly recently. It took the organization only a week to investigate and release a statement on the leak after learning of it.
Imperva has also implemented forced password resets and a password expiration policy. Although it has not yet disclosed how the breach occurred, the firm has further promised to keep its clientele in the loop. In short, it’s being open, communicative, and accountable.
That’s all anyone can ask, really.
The troubling thing about this breach is the fact that it happened in the first place. Presumably, Imperva has excellent security hygiene. It is, after all, a company whose reputation depends on it. Yet in spite of this, the leak still occurred and data was still compromised.
It’s a sobering reminder of an unpleasant truth about the modern threat landscape. To be blunt, no one is immune to a data breach. There is no such thing as an impenetrable system.
No matter how well you train your staff, no matter what security processes and solutions you implement, there’s always a chance that something will go wrong.
Maybe someone opens an email they shouldn’t have. Maybe a disgruntled employee intentionally leaks data. Maybe it’s a problem with a third-party vendor or business partner. Maybe there’s a bug in your network that escaped everyone’s notice.
The possibilities are endless. That’s why cybersecurity is about more than training and technology. It’s also about having the right processes in place for the unthinkable.
Expecting - and preparing for - the worst. That’s precisely what Imperva did. Although the firm will doubtless suffer some reputational damage, it did everything right in terms of how a company should manage and mitigate a cyber-incident.
Learn from their example. Implement a crisis response and disaster recovery process that will allow you to quickly and flexibly notify your clientele of a breach. And never make the mistake of thinking your system is impenetrable.
Remember: they thought the Titanic was unsinkable.