RSA: Back from the breach?

Reporting from RSA 2012, Tom Brewster looks at how well EMC's security division has come back from the infamous 2011 attack.

Either RSA is very thorough in being disingenuous, or it really has averted disaster.

When last year's breach hit, resulting in customers' SecurID data going missing, some gazed into the crystal ball and saw the dawning of a dark age for RSA. There was little doubt the embarrassment and subsequent cost of the compromise was going to hurt the company, at least in the short term.

The security division of EMC, which supplies authentication products to some of the world's biggest public and private organisations, did not just suffer financial wounds, but was also lambasted for not coming clean about the breach sooner. It also took some flak when it emerged how the attack took place. A seemingly simple spear-phishing attack duped a low-level employee into opening a file which exploited a vulnerability in Adobe Flash. It was fairly routine stuff as far as hacks go.

Yet at this year's RSA 2012 conference, the company has been in pugnacious mood, claiming the breach has been dealt with and the overall impact almost non-existent. Art Coviello and Co have come out fighting this week. At the moment, it looks like they're winning.


Emerging from the ashes

Data breaches have two particularly damaging consequences: financial loss and reputational damage that drives customers away. RSA has suffered both, as anyone would expect, but on the face of it the impact has been minimal.


Lesser companies have fallen as a result of hacks on their infrastructure. DigiNotar, the Dutch certificate authority, went bankrupt after it was hit by attackers seeking to mount man-in-the-middle attacks with fraudulently issued certificates. Fortunately for RSA, it has the deep pockets of EMC to support it. In that respect, it is no surprise RSA has suffered little.

Yet the company has shown resilience in recovering from the devastation of March 2011. It would be easy to just brand RSA's comeback as all talk, but the vendor has backed its claims with some impressive figures.

Let's start with reputation. Since the breach, just four customers have been lost. That's out of tens of thousands. According to the company's own customer studies, its standing has recovered in their eyes too. After a vicious initial backlash, RSA says it has managed to regain customers' trust.


"We do a lot of data gathering on customers, like customer satisfaction surveys, and we got crushed for the first two to three months," Thomas Heiser, president of RSA, told IT Pro.

"Go back to those same customers in November/December and they said 'you stood by us, you opened up communication, you remediated if we wanted to.' We turned lemon into lemonades."

Despite the criticism RSA faced for not being quicker to come clean about the breach, Heiser claimed as soon as the company knew customers would be affected, it moved to let them know.

"The time it took from the moment that we thought customers could be compromised to announcing it was 21 hours," the company president said. "It was all hands on deck, it was just rapid."


Indeed, RSA had to work hard to ensure its reputation was not irrevocably tarnished. Following disclosure, RSA offered customers replacement SecurID tokens. Its sales team was swamped with calls from companies wanting to take up the offer. "They were remediating customers up from 10 per cent of their time to 90 per cent of their time," Heiser added.

Financially, things are looking rosy too. Even though reports last year indicated the breach had cost the company $66 million, EMC's most recent results showed RSA grew its business 16 per cent in the last quarter. Then there was RSA chairman Art Coviello's telling comment at the start of this week's conference: "We are no longer dealing with the breach." The implication is that no further payouts or costly remediation will be required.


It's CISO time

Customers will also want RSA to prove its infrastructure is safe and trustworthy. One of the biggest changes over the last year has been the appointment of a chief security officer. Some would say it came a little too late, but at least Eddie Schwartz, who was initially brought in with the NetWitness acquisition a month after the breach, stepped up to the CSO role in June 2011.
