I’d like to believe that all readers will use this post to prepare for a ‘what if’ scenario but the sad truth is that some of you are reacting to a data breach and lack an incident response plan.
My condolences, as a rough patch is coming for your business. All you have to look forward to is reputational damage (with a corresponding reduction in sales or subscription levels), a drop in staff morale, regulatory fines, penalties and other costs such as those involved in breach investigation, security enhancement and of course damage control via PR, marketing and senior executives. A pretty bleak picture.
We’re all aware that there is no such thing as 100% secure, as a concentrated attack will eventually yield results for determined hackers. Company size is also irrelevant. Whatever the cause of the breach (phishing, ransomware, unpatched software or other vulnerabilities), it has occurred, despite any security measures in place.
What next? How can you minimize the impact on future business operations?
1. Don’t Hide A Data Breach
Apart from cursing your luck and attempting to blame IT, the company’s first responsibility is to break the news, even before the exact nature of the breach is determined. You don’t want an employee or diligent investigative reporter announcing the breach before you do, as it raises unwelcome trust issues.
Under the EU’s GDPR, you’ll have three days after the breach is discovered to report it, but requirements will vary by jurisdiction and by industry (HIPAA for healthcare and PCI-DSS for those that process credit cards). DO NOT imitate Uber, who hid their breach for more than a year and even paid off hackers to delete affected data and keep silent. They were fined in the U.S. ($148 million) and in Europe ($1.2 million).
2. Don’t Commit To Anything Before Facts Are Known
It’s best to announce the breach and state that an investigation is underway, with updates to follow. Then it is vital to retain a forensic investigation team (if resources and forensic tools are unavailable in-house) to track down the cause of the breach and the nature of any compromised data.
To ensure the investigation is successful, operations must cease so that crucial forensic data is not overwritten. Even data still in RAM buffers could provide information on the breach method, which is why affected systems should be preserved rather than powered down. Once the cause has been identified, you can then update the public and those affected by the breach. Verify all statements with legal, IT and PR beforehand, to make sure that all information is accurate. Yahoo failed in this regard, continually inflating the number of users impacted by several breaches, with initial estimates of 500 million rising to its entire user base of more than three billion.
Plugging identified security holes and preventing additional loss of data is a given. This task must be performed before breach details are released.
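The volatile-evidence point above (process and socket state, logged-in users, clock) is the kind of thing a responder captures before anyone reboots a host. The script below is an added example, not from the original post or any named vendor: it snapshots that state on a Linux/Unix host with a POSIX shell and coreutils, and writes a SHA-256 manifest so the collection can later be shown to be unmodified. It does not take a full memory image; that needs a dedicated tool.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot volatile state
# on a Linux/Unix host before it is rebooted, and record a SHA-256
# manifest so the evidence can be shown to be unchanged later.
# Assumes a POSIX shell and coreutils; ss/netstat are used only if
# present. The output directory is the first argument (optional).

collect_volatile() {
    out="${1:-./volatile-$(date +%Y%m%dT%H%M%S)}"
    mkdir -p "$out" || return 1

    # Capture in order of volatility: clock, process state,
    # memory summary, network state, then users and mounts.
    date -u > "$out/00_collected_at_utc.txt"
    uptime > "$out/01_uptime.txt" 2>/dev/null
    ps -ef > "$out/02_processes.txt" 2>/dev/null
    [ -r /proc/meminfo ] && cat /proc/meminfo > "$out/03_meminfo.txt"
    if command -v ss >/dev/null 2>&1; then
        ss -tunap > "$out/04_sockets.txt" 2>/dev/null
    elif command -v netstat >/dev/null 2>&1; then
        netstat -tunap > "$out/04_sockets.txt" 2>/dev/null
    fi
    who > "$out/05_logged_in.txt" 2>/dev/null
    mount > "$out/06_mounts.txt" 2>/dev/null

    # Hash every artifact so later tampering or accidental edits are
    # detectable; the manifest itself is hashed separately afterwards.
    (cd "$out" && sha256sum [0-9]*_*.txt > MANIFEST.sha256) || return 1
    sha256sum "$out/MANIFEST.sha256" > "$out/MANIFEST.sha256.sum"
    echo "$out"
}

# Re-check a collected set later; returns non-zero on any mismatch.
verify_volatile() {
    (cd "$1" && sha256sum -c --quiet MANIFEST.sha256)
}
```

Run `collect_volatile /mnt/evidence/hostname` from a responder shell as early as possible, then keep the printed directory and its manifest with the case notes.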
3. Share Breach Specifics With Others
A willingness to share breach information with organizations that alert security pros to evolving threats is a must. Many cybersecurity software vendors are involved in threat sharing and there are several regional and industry-specific options. Search for ‘threat intelligence’ or ‘SIEM’ to find relevant platforms for your organization. By openly sharing breach specifics, your organization gains trust, and this is a positive in terms of public perception. You are proactively doing something tangible to demonstrate that security is on your radar.
Of course, it’s really embarrassing if it’s a mundane cause such as an employee falling victim to an obvious phishing attack from a foreign warlord with cash to spare. Regardless of the reason, the cause is disclosed and the court of public opinion will decide your fate. If you’re really lucky (or unlucky, depending on your perspective) a president will tweet in your favor.
4. Share Security Improvements
What have you done to ensure a similar breach will not occur? This often depends on breach severity. Target fired their CEO, for example. Soon after, their CIO resigned. With 110 million Americans compromised in the breach, a few heads rolled, but less severe changes could include:
- The creation of a CIO role if one does not exist
- Hardening of security by implementing X, Y, and Z after consulting with a third-party security firm
- Hiring additional staff with advanced security training
- Committing to regular penetration testing as security threats evolve
Once the public is aware of changes and the costs involved, they are more likely to remain or return as customers. If customers are aware that security testing is an ongoing process, they tend to appreciate that you are concerned with protecting their data. Make them aware.
There are other considerations that will sway the public. If your brand or organization is beloved, an institution, family-friendly or offers an environment, product or service superior to many, these factors can aid reputation recovery after a breach. Target (an oldie but a prime example) has effectively recovered from its major breach while Uber had more to contend with, with allegations of snooping, hacking and other actions that bolstered negativity. So, if a breach occurs, avoid additional scandals or internal conflicts…
In conclusion, while I hope that you never have to use these suggestions, it is best not to have a breach in the first place. It is your organization’s responsibility to protect customer data. They trusted you with it and expect a proactive rather than reactive approach to security.
Prepare now for a data breach you hope will never happen. Draft or refine your incident response plan. This article from Exabeam is worth a read: it includes links to several templates and saves you creating documentation from scratch.
Contact a breach forensic expert and ask for details on best practices when a breach is detected (not powering down systems, for example). Blind optimism (“It could never happen to us”) will not help you if a breach occurs. Assume it will happen and define a process to reduce potential risk. It almost sounds as if it should be in place already, doesn’t it?