<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Michael N. Dundas &#187; Incident Response</title>
	<atom:link href="http://michaeldundas.com/category/incident-response/feed/" rel="self" type="application/rss+xml" />
	<link>http://michaeldundas.com</link>
	<description>A place to record my thoughts and musings.</description>
	<lastBuildDate>Tue, 20 Jul 2010 03:13:20 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Authorized to shutdown the data center, update</title>
		<link>http://michaeldundas.com/2010/01/13/authorized-to-shutdown-the-data-center-update/</link>
		<comments>http://michaeldundas.com/2010/01/13/authorized-to-shutdown-the-data-center-update/#comments</comments>
		<pubDate>Thu, 14 Jan 2010 03:20:21 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Incident Response]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=1413</guid>
		<description><![CDATA[I posted a couple weeks ago about operators monitoring systems and discovering a serious exploit in progress and determining what to do if no one was available to make a call such as shutting down a service.  What metrics are in place such as length of time, number of phone calls, seriousness of incident, that [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaeldundas.com/wp-content/uploads/2010/01/burglerBrokenGlass.png"><img class="alignright size-full wp-image-1417" title="burglerBrokenGlass" src="http://michaeldundas.com/wp-content/uploads/2010/01/burglerBrokenGlass.png" alt="" width="280" height="186" /></a><a href="http://michaeldundas.com/2009/12/22/authorized-to-shutdown-the-data-center/">I posted a couple of weeks ago</a> about operators monitoring systems, discovering a serious exploit in progress, and determining what to do if no one was available to make a call such as shutting down a service.  What metrics are in place, such as length of time, number of phone calls, or seriousness of the incident, that allow an individual to confidently make a call that might affect the business?  My example was one in which it was discovered that a hacker was slowly siphoning off account information at a financial institution.  I don&#8217;t know what this particular institution&#8217;s procedures were, but it turns out my <a href="http://www.sectechno.com/2010/01/13/hacker-steals-8k-customer-logins/">fictional example happened</a>.  I&#8217;m not surprised, as it is a valid scenario in today&#8217;s world, but I thought it was worth commenting on.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2010/01/13/authorized-to-shutdown-the-data-center-update/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Authorized to shutdown the data center</title>
		<link>http://michaeldundas.com/2009/12/22/authorized-to-shutdown-the-data-center/</link>
		<comments>http://michaeldundas.com/2009/12/22/authorized-to-shutdown-the-data-center/#comments</comments>
		<pubDate>Tue, 22 Dec 2009 15:42:09 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Leadership and Management]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=1317</guid>
		<description><![CDATA[The picture on the right is taken from a Canadian television series called &#8220;The Border&#8221;.  It follows a team of Canadian customs agents saving Canada from threats.  In this particular episode, called &#8220;Kiss and Cry&#8221;, Slade, their technical wizard agent, discovers that the Chinese secret service has installed a trojan in their system [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1321" title="theBorderKissAndCrySladeEmergShutdown2" src="http://michaeldundas.com/wp-content/uploads/2009/12/theBorderKissAndCrySladeEmergShutdown2.png" alt="theBorderKissAndCrySladeEmergShutdown2" width="400" height="147" />The picture on the right is taken from a Canadian television series called &#8220;<a href="http://www.cbc.ca/theborder/">The Border</a>&#8221;.  It follows a team of Canadian customs agents saving Canada from threats.  In this particular episode, called &#8220;<a href="http://www.cbc.ca/theborder/episodeGuide.php?sid=3&amp;eid=306">Kiss and Cry</a>&#8221;, <a href="http://www.cbc.ca/theborder/cast.php?sid=3&amp;cid=4">Slade</a>, their technical wizard agent, discovers that the Chinese secret service has installed a trojan in the team&#8217;s systems, allowing it to monitor the team&#8217;s activities.  Upon investigation, discovery of the trojan, and a quick assessment of the risk, he immediately initiates a system-wide shutdown of all services.  Given the sensitivity of the data in their systems, the type of data those systems have access to, and the nature of their business, it was the right call; however, I found it interesting that Slade was the one who made it.</p>
<p>Although this is a fictional television series, this scene got me thinking about my clients.  I cannot think of any client, large or small, that is prepared for a system-wide shutdown or has a single staff member onsite who could authorize one quickly.  As an example, let&#8217;s take a large financial institution.  One of the technical staff is doing some routine system checks and discovers that every time a customer logs into their bank account, the customer&#8217;s login and password information, along with other helpful data such as birth date and postal code, is transmitted externally to a range of servers.  Being a large financial institution, it currently averages one new customer login per second.  What should she do?  Should she shut down all customer access immediately?  Should she investigate?  If she investigates, how long should she investigate for?  Can she get hold of someone who can authorize the shutdown?  What if that person is unavailable?  Can she make the call to shut down services then?  It is obviously critical.  Should she keep trying others?  If so, for how long?  If it takes 10 minutes from discovery through investigation to authorization, that is 600 compromised customers in this scenario.</p>
<p>What is important is that the staff clearly understand what they can and cannot do in any situation.  They need to feel comfortable that they have done the right thing and will not be punished for doing what they &#8216;perceive&#8217; as the right thing.  If you asked your employees what they would do in the scenario above, do you know what they would answer?  Would they be comfortable answering the questions above, and, more importantly, would the business be comfortable with the answers and the risks associated with those responses?</p>
<p>I know many business people who would say this is fictional or &#8216;far fetched&#8217;.  While I would have agreed to some degree a few years ago, I wouldn&#8217;t today.  What I would suggest is that they go to a recent technical (not business) security conference, or ask their technical team or consultants about the latest research into threats and vulnerabilities and their availability.  Don&#8217;t ask the vendors (or at least be careful): they are trying to sell you results, and they are never as advanced as the bad guys.  Also keep in mind that even the research lags behind.  There are many malicious pieces of software that are &#8216;underground&#8217;, but you don&#8217;t need to look there.  Just look at some of the off the <a href="http://www.furiogaming.com">shelf</a> <a href="http://www.poisonivy-rat.com/">tools</a> available for purchase.</p>
<p>Is your business realistically aware of the current threats to its data?  Are the risk assessments accurate?  Do you have the appropriately qualified staff and procedures in place to deal with current threats and do they have the appropriate authorization to make the necessary calls in the event of an emergency or unexpected event?  Is the business comfortable and accepting of the risk exposure associated with these decisions?</p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2009/12/22/authorized-to-shutdown-the-data-center/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
