According to this story, malware, employee misconduct, phishing scams or whatever has recently affected either customers or third-party participants in the business activities of JP Morgan Chase, Dairy Queen, Touchstone Medical Imaging and AT&T (in addition to Target and Home Depot a month or two back). What if you were in charge of Information Security at those joints? What would your day have been like this week?
Maybe it would have been crisis mode - or perhaps just another day at the office. If I were one of those people and were reasonably decent at my job, I think I'd be memo-ing quite a bit. My main memo this week would have had an email subject line with a nice version of "I TOLD YOU SO". I'd first list the things that I'd been recommending to management that our people do for best practices, with emphasis on which measures had been overruled, when, why and by whom, hopefully with meeting minutes from the discussion in which I was shot down due to impracticality. Then I'd list or link the emails that had been sent out detailing voluntary or mandatory practices that people were actually supposed to be following and to which management had actually given lip service.
So, contingencies list: call up money for the security consultant outfit to do damage control, kick off the important password change procedure, pull tested backups from a secure or offsite location, reload sensitive systems... and regularly tell certain people "I Told You So". This last only works if one DID tell them.