Note: This is the second part of a series called “You’ve been hacked, now what?”. Click here to read the first part of the series, “How to communicate effectively after a security incident” to learn more about effective response after a data breach.
“There are only two types of companies, those who got hacked and those who will be.” – Robert Mueller, Former Director of the Federal Bureau of Investigation
While organizations have understood the need for effective cybersecurity protection, many are still struggling to properly respond to a security incident. We’ve put together a list of 5 mistakes that you should avoid when responding to a data breach.
If the security incident affects your customers or partners, it is critical to understand what you know and what you don’t know about the breach in order to strategize an appropriate response. Executives obviously want to put their customers and partners at ease. However, having to retract your original message with new information may cause unnecessary angst. In 2017, Yahoo CEO Marissa Mayer lost millions in bonuses because of her handling of the infamous Yahoo breaches, not only because of the organization’s inaccurate communication of facts but also because of its delayed responses.
In this context, the timing of post-incident communications should be adjusted depending on who you communicate to and how soon they will need to be informed (Centre for Cyber Security Belgium, 2015).
Often, CISOs are so overwhelmed by the aftermath of a breach that they communicate too slowly with relevant stakeholders. One textbook example of communicating too slowly after a security incident is retail giant Target. After publicly disclosing its breach via a press release in December 2013, Target waited over a month to personally advise customers of the breach. Meanwhile, millions of customers followed the drama on television and social media, not knowing whether or how they would be affected by the breach.
If you communicate too late, you may lose stakeholder trust in your credibility and ability to handle security incidents in a timely manner.
At the same time, the pressure to communicate all relevant details as early as possible can incite CISOs to divulge information too hastily. If you communicate too early, you may be sharing incomplete, inconsistent or inaccurate information, which can “generate confusion and [even result in] a loss of faith in the company”.
“How a company communicates is just as important as what it says.” – Fortress Strategic Communications
Now more than ever, we’ve understood that “no locale, industry or organization is bulletproof when it comes to the compromise of data” (Verizon’s Data Breach Investigations Report 2016). Although it has become common knowledge that cyberattacks are here to stay, too many organizations are still lacking the necessary customer-centric approach and don’t formally apologize for putting their customers at risk. A data breach is a worrisome, unexpected and sometimes even traumatic experience for customers, and not saying that you’re sorry may have devastating consequences.
According to Harvard Business Review (2015), “companies and their leaders fail to apologize effectively, if at all, which can severely damage their reputations and their relationships with stakeholders”. Regardless of whether your organization is to blame for the data breach due to insufficient cybersecurity controls, limited security spending or a negligent employee, you will have to be ready to say that you’re sorry.
“In the hours and initial couple of days after a breach has been discovered, there is usually only one priority: Fix the breach, at all costs. Stop the bleeding.” – CIO Online
A thoroughly outlined breach response plan plays an important role in minimizing the negative impact of a data breach and can increase an organization’s chances of navigating a crisis with relative ease. Imagine that you’ve just found out that you are the victim of a major data breach. What are you going to do? Who will help you in conducting post-breach activities? What are your legal obligations? How can you communicate with your stakeholders? When do you need to do so? And most importantly, will you have the time to answer these questions while trying to stop the bleeding?
These questions (and many more) should be addressed in a comprehensive breach response plan, which needs to be drafted and approved before a data breach happens and not when it has already occurred, according to Maya Pattison (Barkly, 2017). In the wake of a data breach, the last thing you’ll want to do is sit down to write up a formal response plan for what to do after a breach. Instead, make sure to have full executive understanding, sign off and support for implementing your plan immediately after you’ve been breached. This way, you’ll be able to deal with the data breach with a clear mind and won’t have to worry about forgetting important milestones, information and best practices in the process.
Data breaches can have severe legal implications, and getting legal counsel involved at an early stage has proven to be crucial for recovering quickly from a security incident. According to the 2016 Data Breach Litigation Report, 83 class action lawsuits involving data security breaches were filed in the United States in 2016, i.e. about 5% of all publicly reported breaches that were disclosed.
If your organization is at risk of facing data breach litigation, make sure to include your legal division in your crisis communications team for early guidance, or solicit the help of external legal advisors to properly handle any legal implications for your organization, such as identity theft, credit card fraud or other privacy violations.
“All men make mistakes, but only wise men learn from their mistakes.” – Winston Churchill, former Prime Minister of the United Kingdom
No organization is immune to data breaches, but all organizations have the opportunity to learn from their mistakes. According to the SANS Institute (2011), the incident handling process can be broken down into six phases: Preparation, Identification, Containment, Eradication, Recovery and – the most critical of all – Lessons Learned.
The National Institute of Standards and Technology recommends scheduling a lessons-learned meeting after each major security incident to identify and analyze your mistakes, take stock of what happened and evaluate how your team has dealt with mitigating the impact of a data breach. By making the lessons-learned phase a central element of your post-breach activities, you can not only improve the performance of your team and establish benchmarks for potential future crises but also provide valuable training and reference materials (Bejtlich, 2005).
One final note: Don’t be surprised if your lessons-learned phase unveils a myriad of elements that your organization needs to improve or to change in order to strengthen its security posture. This can include the need for organization-wide employee security awareness training, 24/7 monitoring of your network infrastructure, timely incident handling activities, regular penetration testing, or a comprehensive security posture assessment.
Whatever the outcomes of your evaluation, make sure to take them seriously and solicit the help of capable experts to help you determine how you can better protect your business against data breaches.
Want to find out more about how your organization can better respond to security incidents on a 24/7 basis? Check out our business case below to learn more about the value of managed security services and incident response management for protecting your organization’s data.