Affected vendors should be truthful and provide customers timely updates and advice to keep IT systems safe, as companies that handle such incidents well could enhance their reputations, observers say.
Security vendors need to develop a response strategy that balances being truthful with customers and maintaining discretion to allow investigations to take place should these companies be victims of security breaches, industry observers stated.
Rob McMillan, research director of security, risk and privacy at Gartner, noted that these companies face a difficult balancing act should they get hacked. This is because they not only need to be perceived as open and honest with customers and provide timely, pragmatic advice, but must also keep certain information confidential so as not to compromise investigations, he explained.
In such scenarios, the analyst advised vendors to focus on keeping customers' IT systems safe above all other considerations and obligations.
Aliza Shima Mohammad Kasim, industry analyst of ICT practice at Frost & Sullivan, added that the security vendor should always apologize to its customers and keep them well-informed of the situation.
As for regaining customers' trust, she acknowledged that it would be difficult for vendors to do so but it is possible with a good strategy that helps build trust between both parties.
One example would be for companies to constantly renew their security offerings to let customers know these are not the compromised versions, and assure people that such incidents would never happen again, the analyst highlighted.
The affected company's marketing team should also devise a strategy that constantly reminds customers of the vendor's reputation and the "greatness" of its product lines, stated Kasim.
H.D. Moore, chief architect at Metasploit, a penetration testing software developer, added that no company is immune from attacks but a properly handled incident can improve the company's reputation.
He cited the recent breach of U.S. online retailer Zappos.com as an example, saying that while many customers did not like how the attack was handled initially, most of them were "delighted" with the notification and customer service process introduced as a result of the incident.
Give timely updates, advice
Companies that ZDNet Asia spoke to also noted that timely disclosure is paramount after security vendors suffer data breaches.
Kara Manon, marketing manager at Data Cave, a U.S.-based data center operator, said that in such situations, she would need to know specific information on how the breach occurred to better understand whether it was a fatal flaw in the system and whether the company should migrate to another vendor.
"Breaches happen but if the vendor is specific to the information security industry, I would be extremely worried," she added.
How companies deal with the breach is another important consideration, noted Kevin Creechan, an Internet technology developer at Canada-based digital marketing agency Aholattafun.
"Judging a security vendor is all about its response to an event and how well it can mitigate further impact on its clients by empowering them with enough information to proceed with business safely and securely," he said.
Asked to comment on Symantec's response following the theft of its Norton security source code last month, Moore said software vendors hardly ever turn off their products entirely. This, he said, indicated a lack of confidence in how the application had been designed and that the security compromise was not something that could easily be fixed.
The Metasploit executive had earlier told Reuters that Symantec was "crazy" to tell its customers to stop using its pcAnywhere software after hackers had stolen parts of the antivirus code.
McMillan disagreed, saying it is quite likely the advice by Symantec was not issued lightly. He said the vendor was in the best position to determine if the advice is prudent, and it was ultimately up to customers to act on the advice depending on the resources available to them.
Kasim also defended the company's decision, saying that while it was "not the best move" by any huge corporation to ask customers to stop using its product, the steps taken were beneficial to the wider public.
This can be seen by the fact that there have been no major security breaches reported since the source code was stolen, she explained. "The move to ask customers to stop using its product can be considered a smart move from Symantec's end, because it forewarned customers and put their best interests first," the Frost & Sullivan analyst said.
Of course data breaches keep on happening because data vulnerabilities continue to be unmitigated. Most security breaches are attacks by insiders and most attackers are trusted people that exploit software system vulnerabilities (bugs, weak passwords, default configurations etc.). Neither security awareness nor UAC are effective security countermeasures for trusted insider attacks that exploit system vulnerabilities, premeditated or not.