The “iPremier Case Study” elucidates how a new CEO tries to manage a denial of service (DOS) attack against an e-retailing business. The attack and its outcome provide an opportunity for discussing key business issues that are interwoven with issues of computer security.
Question 1
Typically, when dealing with a crisis, companies would follow emergency procedures to address the problem. However, this was not the case for iPremier; evidently, the company was unprepared in dealing with any form of cyberattack, as displayed by their subpar performance during the 75 minutes. The firm’s performance illustrated a lack of leadership, a lack of preparedness, and operational deficiencies. As a result, it completely disregarded any formal procedures leaving many of those involved, susceptible to common psychological traps.
Several key obstacles often hinder effective interventions during a crisis. These include 1) emotional responses such as panic, confusion, fear, and denial, 2) ducking responsibility, diving for cover, and political maneuvering, 3) groupthink and wishful thinking, and 4) leaping to conclusions and blindness to evidence that opposes existing beliefs. From the very start, every individual involved was confused and panicking. Nevertheless, everyone tried their best to prioritize the safety of customers’ information. The length it took to diagnose the problem and find solutions stemmed from the lack of a formal plan.
Question 2
Jack Samuelsson, iPremier’s CEO, had already informed Bob Turley regarding the firm’s policies that the operating procedures were not sufficiently up-to-date. Evidently, the deficiency in the operating procedures was as a result of inadequate attack response. The staff could neither locate the binder nor understand how to approach the attack. Thus, the company ought to have had a contingency plan on responding to issues like this. Generally, a good number of standard IT firms have incident response plans (IRPs). As Cichonski, Millar, Grance, and Scarfone (2012, p. 8) explains, an IRP includes elements such as mission, goals and strategies, senior vapproval, organizational approach to incidence response, communication procedures, measurement metrics for IR capability and effectiveness, and a roadmap for maturing the IR capability.
The company’s operating procedures were deficient in responding to the attack. As aforesaid, a considerable percentage of the resources were blocked. An extra procedure that the company ought to have executed in handling the attack was to distribute copies of the binder of procedures to every staff member in the IT department. Moreover, the firm ought to have had an automatic alert that would be sent to the Qdata to notify them about getting ready to meet with an iPremier representative and solve the issue. Furthermore, there should have been an extra disk space in the system to store detailed login information – and save credit card information – if the system had to be shut down.
Question 3
Following the outcome of the iPremier’s attack, the company needs to prepare in the event of a future attack. First, the company can acquire additional storage that it will use to store logging data used in reconstructing future attacks. The acquisition of additional storage is a preventive measure that hackers will not exploit weak spots in the company’s system. Also, this could help determine the attackers’ location; thus, proving a beneficial preventive strategy in averting future attacks against the firm. Moreover, the company ought to frequently analyze logging data as this could help in revealing information related to undetected yet unwarranted access.
Second, iPremier needs to revise and update its emergency procedures. During the attack, most employees did not know how to react; they all suggested different methods of responding to the attack. The company’s emergency procedures must detail specific responses to a particular attack as well as every employee’s responsibilities. Although the attack was short-lived, future attacks could be worse and lead to massive loss of valuable employee and customer data.
Lastly, as an alternative to revising emergency procedures, the company can implement a procedure that will escalate unsatisfactory service from Qdata to higher management levels. Also, the iPremier can switch to a data center with open communication lines that could allow the firm to manage easily – or altogether avert – future crisis.
Question 4
In the attack’s outcome, I would be worried about the loss of valuable client data and credit card information. A considerable percentage of the employees could not identify the root and long-standing impact of the attack. The hackers could have stolen important information leaving the company to face significant problems, with the result being the loss of customers if the hackers would have maliciously used the former’s information. Such attacks are dangerous to a company that handles sensitive customer information and damaging to its reputation.
Based on these considerations, I would recommend several actions. First, I would suggest that all employees be informed of the attack. Such a move is beneficial as it encourages them to report any malicious activities in the system that could potentially lead to future attacks. Maybe the attack originated from inside the company’s premises; thus, informing employees could also help prevent unfamiliar individuals from accessing the firm’s networking resources from inside the premises. Above all, communicating with employees could serve as a means of encouraging them to ensure company security and report any malicious attacks.