Over the past several years, heads of information security have had the opportunity to learn from dozens of high-profile organizations as they responded to massive data breaches. Just as we watched Tylenol set the gold standard for crisis management a generation ago, we are evaluating how organizations respond to breaches today. What we have learned from many organizations, starting with eBay in 2014, Sony and others, is what not to do.
Critical mistakes, especially the four I will discuss here, are certain not only to damage your brand in the eyes of your customers, but also to disengage your employees and impair the trust of your organization’s leaders.
Your customers, employees, and shareholders need to learn about the breach or attack from the leader or spokesperson of the company first. This isn’t always easy, because as we know from the Verizon Data Breach Report, many breaches are found by law enforcement before they are discovered by the IT security team. That said, companies need to form a crisis committee with the executive team as soon as possible, understand what steps they are capable of taking to protect and inform their customers, and take action.
Even excellent companies like eBay freeze when they learn of a breach: they delay their response, respond too slowly and with incorrect information, or respond with no solution for the customer. Currently, the media is anxious to bring these colorful cybersecurity stories to the public, and their stories often don’t position organizations in the best light. Companies need to respond professionally, with a plan, with their customers in mind, and they need to do it quickly.
When you search for the gold standard in how to respond to a breach, one of the most critical components of a response plan is effective post-incident communication: communicating clearly about the breach and having a plan. How many times have organizations had to restate the number of records stolen in a breach or the type of personal information that was compromised? The answer is dozens. Fundamentally, this information, while important from a security standpoint, is not what matters to your customers, so there is no need to provide every specific.
What is important to your customers is the steps you are taking to fix the problem and earn back their trust. A trained forensic investigator should be available, either externally or within your incident response team, to maintain a chain of custody over the evidence and to understand exactly how the attack circumvented your security, what information was exfiltrated or compromised, and ultimately how it may affect your customers.
Fool me once, shame on you; fool me twice, shame on me. In a variety of surveys conducted by reputable media organizations focused on the security industry, approximately 66% of customers said they would not do business with an organization that had been breached. The reality, based on what we have seen from the Target, Home Depot, and other large retail breaches, is that large retailers will lose some customers because of a breach, but small retailers may lose significant numbers.
Thus, the smaller you are as an organization, the more you need to understand your strengths and weaknesses from a security posture point of view. IT security leaders need to understand the threats in their industry (last year it was ransomware in healthcare, for example) and figure out which people, processes, and technology they need to upgrade to minimize the threat. Your customers may give you a second chance if you are breached and respond correctly, but you won’t likely get a third.
Obviously this discussion is about how organizations can better protect and ultimately earn the trust of their customers. When leaders of organizations emerge through the clouds of smoke from a semi-catastrophic breach and talk about shareholders, Russians, and advanced persistent malware, customers become uneasy and pull their business, unsubscribe, or delete their customer loyalty information. On the other hand, when leaders discuss insuring customer losses, where customers can get information and solutions, and how the company will focus on better protection, customers are put more at ease.
That said, company leaders do need to speak intelligently about where they are as a security organization from a maturity standpoint, where they want to be, and the critical success factors they need to achieve to get there. Security industry maturity models allow IT security executives to speak clearly to internal stakeholders as well as customers about what they can expect and why they should feel protected and proud to be a customer of the company.
Security attacks and breaches are now part of life. In 2016 we had thousands, and the number executed in order to commit fraud is growing at a rate approaching 50%. Thus, organizations need to be adept at responding to breaches in order to both protect their customers and put them at ease in the event any personal information is compromised.