RSA: Back from the breach?


Either RSA is very thorough in being disingenuous, or it really has averted disaster.

When last year's breach hit, resulting in customers' SecurID data going missing, some gazed into the crystal ball and saw the dawning of a dark age for RSA. There was little doubt the embarrassment and subsequent cost of the compromise was going to hurt the company, at least in the short term.

The security division of EMC, which supplies authentication products to some of the world's biggest public and private organisations, did not just suffer financial wounds, but was also lambasted for not coming clean about the breach sooner. It also took some flak when it emerged how the attack took place. A seemingly simple spear phishing attack duped a low level employee into opening a file which exploited a vulnerability in Adobe Flash. It was fairly routine stuff as far as hacks go.

Yet at this year's RSA 2012 conference, the company has been in pugnacious mood, claiming the breach was all dealt with and the overall impact almost non-existent. Art Coviello and Co have come out fighting this week. At the minute, it looks like they're winning.

Emerging from the ashes

Data breaches have two particularly pejorative consequences: financial loss and reputational damage resulting in customer level depletion. RSA has suffered both, as anyone would expect, but on the face of it the impact has been minimal.

The time it took from the moment that we thought customers could be compromised to announcing it was 21 hours.

Lesser companies have fallen as a result of hacks on their infrastructure. DigiNotar, the Dutch certificate authority, went bankrupt after it was hit by cyber criminals seeking to implement clever man in the middle attacks. Fortunately for RSA, it has the large pockets of EMC to support it. From that respect, it is no surprise RSA has suffered little.

Yet the company has shown resilience in recovering from the devastation of March 2011. It would be easy to just brand RSA's comeback as all talk, but the vendor has backed its claims with some impressive figures.

Let's start with reputation. Since the breach, just four customers have been lost. That's out of tens of thousands. From studies the company has done amongst clients, the firm's standing has recovered in their eyes too. From a vicious initial backlash from customers, RSA said it had managed to regain their trust.

"We do a lot of data gathering on customers, like customer satisfaction surveys, and we got crushed for the first two to three months," Thomas Heiser, president of RSA, told IT Pro.

"Go back to those same customers in November/December and they said you stood by us, you opened up communication, you remediated if we wanted to.' We turned lemon into lemonades."

Despite the criticism RSA faced for not being quicker to come clean about the breach, Heiser claimed as soon as the company knew customers would be affected, it moved to let them know.

"The time it took from the moment that we thought customers could be compromised to announcing it was 21 hours," the company president said. "It was all hands on deck, it was just rapid."

Indeed, RSA had to work hard to ensure its reputation was not irrevocably tarnished. Following disclosure, RSA offered customers SecurID replacement tokens. Its sales team was plagued with calls from companies wanting to take advantage. "They were remediating customers up from 10 per cent of their time to 90 per cent of their time," Heiser added.

Financially, things are looking rosey too. Even though reports last year indicated the breach had cost the company $66 million, EMC's most recent results showed RSA grew its business 16 per cent in the last quarter. Then there was RSA chairman Art Coviello's telling comment at the start of this week's conference: "We are no longer dealing with the breach." That means no more payouts or costly remedial changes will be required.

It's CISO time

Customers will also want RSA to prove its infrastructure is safe and trustworthy. One of the biggest changes over the last year has been in employing a chief security officer. Some would say a little too late, but at least Eddie Schwartz, who was initially brought in during the NetWitness acquisition a month after the breach, stepped up to the CSO plate in June 2011.

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.