By Lysa Myers
I hope you’re reading this at a time when you’re
not in the midst of a response to an actual breach, but rather for your own
edification, during a time of relative peace and quiet. If people are out there
doing internet searches on “what to do after a breach” to learn what to do
after experiencing a dire emergency, I suspect computer security problems are
merely one symptom of their professional woes. Whether or not you’ve yet
been hacked, the best time to start designing and practicing your breach
response is long before an attack has been discovered. There’s no time like the
present to get started preparing for an emergency.
Perusing the recent Ernst & Young Global Information Security Survey made it apparent to me that
being unprepared for data breaches is a very common problem for all sorts of
organizations. Fifty-six percent of the survey's respondents say either
that they have made changes to their business strategies to take account of the
risks posed by cyberthreats, or that they are about to review strategy in this
context. However, only four percent of organizations are confident they have
fully considered the information security implications of their current
strategies and that their risk landscape incorporates all relevant risks and
threats. While this may in part speak to the complexity of the threat
landscape, it also shows how many organizations feel completely overwhelmed by the
enormity of the task.
Indeed, 35 percent of the survey’s respondents
describe their data protection policies as ad-hoc or non-existent.
Although most organizations do have some processes in place for
determining if they’ve been attacked – only 12 percent had no breach
detection program in place – many organizations may be confused about their
legal responsibilities: 17 percent of respondents say they would not
notify all customers, even if a breach affected customer information, and 10
percent would not even notify customers impacted. There are few
countries where this would not result in potentially catastrophic regulatory or
legal fines, not to mention loss of customer loyalty.
The most moral, ethical and logical way to deal
with risk is not to keep quiet about it and hope no one notices. To horribly
modify the old adage for our purposes: the best way to eat a whale is to do it
one bite at a time, not to try to hide it under the carpet until the stinking
carcass causes everyone to flee.
Taking time to think logically and deliberately
about your assets can help you determine what needs to be secured. Preparing
for the worst can help you see the best course of action to prevent those
emergencies in the present.
I’m sure we’ve all seen some variation on the theme
of Public Service Announcements where we’re encouraged to prepare a kit full of
things that are useful in an emergency, whether that’s fire or earthquakes or
our car breaking down in a snowstorm. While data breaches may be somewhat less
“life or death” than any of these situations, that does not mean we should
postpone dealing with them until we’re in the midst of an emergency.
As we have just said farewell to 2017, we have to
admit that the last year has brought plenty of painful
examples of companies responding sub-optimally to their own
breach events, which made the reputational consequences much more severe. As
with any sort of crisis, the more information and awareness you have going into
the crisis, the less overwhelming and painful it is to get past it. This holds
true whether you’re the primary target of the attack or a customer whose
information was stolen.
Here are a few things to gather when planning your
breach preparedness kit:
Make a list of steps to take and keep it updated
This list is analogous to the information you would
give to a babysitter. Who needs to be contacted in case of emergency, and in
what order? What actions need to be accomplished, in what specific
circumstances? This post by my esteemed colleague Denise Giusto
Bilić can help you understand the types of actions that need to be
completed, which you can then tailor to the needs of your own organization.
That list needs to be updated regularly so that
you’re not giving instructions for processes that no longer exist, or asking
emergency responders to contact someone who has moved on to another position,
who has left the company, or is on vacation. It needs to be kept (encrypted, to keep it from thieves’ prying eyes, please!)
somewhere that is easy to find and revise, so people don’t have to spend
precious time scrambling to unearth it. Bear in mind that the systems you would
normally use to store and decrypt it may be exactly the ones that are down or
compromised during an incident, so also keep an offline copy (printed, or on
removable media) that responders can reach without the corporate network or
single sign-on.
Informational messaging
Unsurprisingly, messaging that announces bad news
is a very delicate and sensitive task. This is maybe not a task you want to
delegate to someone in the midst of a chaotic situation, and it is definitely
something you should be creating in consultation with your legal department or
an attorney who has experience in Data Breach Notification law. Creating a
template response in advance will allow emergency responders to focus on
providing accurate and timely information.
Many companies err on the side of waiting to notify
people until investigations are over, which tends to leave customers feeling
quite resentful. Even before you have all the information about what has
occurred, you can let people know that there has been a problem so that they
can take steps to protect themselves. Don’t underestimate the power of the warm fuzzies that can be gained by regular updates to your
affected customers, even if those missives don’t provide much in the way of new
information. Suffice it to say it’s a good idea to run any text by an editor so
you don’t end up sending something out that still has
place-holder text.
Remember that customers often see data breaches as
a breach in trust; you need to keep them updated regularly with current
information as a part of rebuilding that trust.
Breach response website
As with a message template, it’s a good idea to
have a webpage set up and stored (almost) ready to go, so that most of the
heavy lifting is already done. This will save time and reduce potential errors,
since you can thoroughly check and test code and assess the clarity of your
text at a time pre-breach when people are still presumably calm and collected.
Whether you choose to use a whole separate domain or just a page on your
existing site, make this decision beforehand and communicate it clearly when an
emergency arises. If the page lives on the same infrastructure that was
breached, it may be unavailable, or not trustworthy, at precisely the moment
you need it; hosting it separately (a static page with a different provider,
for example) removes that dependency. It is a good idea to keep the URL fairly short so that it can
be easily sent on a variety of different messaging platforms, or read on short
radio or television clips. It is also a good idea to register any
domains that sound similar or might be mis-typed in order to reduce phishing
and scams by criminals, who know that customers will be searching for news
about the breach.
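Working out which look-alike domains to register (or at least to watch) is easier with a generator than with a brainstorm. The script below is an added example, not code from the original article or from ESET; it produces the candidate list a team would review for defensive registration or brand-abuse monitoring. The seed domain (the reserved example.com), the QWERTY adjacency table and the homoglyph table are assumptions chosen for illustration; dedicated tools such as dnstwist cover many more permutation classes and can check which candidates are already registered.

```python
"""Generate typo and look-alike variants of a registrable domain.

Added example for the breach-preparedness article; not the article's own
code. The seed domain and the keyboard/homoglyph tables are assumptions
chosen for illustration. Only simple 'label.tld' domains are handled
(two-part public suffixes such as co.uk are out of scope here).
"""
import string

# Assumed QWERTY adjacency used for "fat finger" substitutions.
QWERTY_NEIGHBORS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu",
    "z": "asx",
}

# Assumed visual confusables that survive in plain-ASCII labels.
HOMOGLYPHS = {
    "l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "0": ["o"],
    "rn": ["m"], "m": ["rn"], "vv": ["w"], "w": ["vv"], "cl": ["d"],
}

LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")


def split_domain(domain):
    """Return (label, tld) for a 'label.tld' domain, lower-cased."""
    label, _, tld = domain.strip().lower().rpartition(".")
    if not label or not tld:
        raise ValueError("expected label.tld, got %r" % domain)
    return label, tld


def is_valid_label(label):
    """DNS label rules that matter for registration: 1-63 chars,
    letters/digits/hyphen, no leading or trailing hyphen."""
    return (1 <= len(label) <= 63
            and not label.startswith("-")
            and not label.endswith("-")
            and set(label) <= LABEL_CHARS)


def lookalike_labels(label):
    """Return the set of plausible mis-typed or look-alike labels."""
    variants = set()
    # Omission: one character dropped.
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])
    # Transposition: two adjacent characters swapped.
    for i in range(len(label) - 1):
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # Repetition: one character doubled.
    for i in range(len(label)):
        variants.add(label[:i] + label[i] + label[i:])
    # Adjacent-key substitution.
    for i, ch in enumerate(label):
        for neighbour in QWERTY_NEIGHBORS.get(ch, ""):
            variants.add(label[:i] + neighbour + label[i + 1:])
    # Homoglyph replacement, including multi-character sequences (rn -> m).
    for src, dsts in HOMOGLYPHS.items():
        start = label.find(src)
        while start != -1:
            for dst in dsts:
                variants.add(label[:start] + dst + label[start + len(src):])
            start = label.find(src, start + 1)
    # Hyphen inserted anywhere inside the label, and all hyphens removed.
    for i in range(1, len(label)):
        variants.add(label[:i] + "-" + label[i:])
    variants.add(label.replace("-", ""))
    variants.discard(label)
    return {v for v in variants if is_valid_label(v)}


def lookalike_domains(domain, extra_tlds=("co", "cm", "net", "org")):
    """Candidate domains to register or monitor for the given seed domain."""
    label, tld = split_domain(domain)
    candidates = {"%s.%s" % (v, tld) for v in lookalike_labels(label)}
    # Same label under commonly confused or neighbouring TLDs.
    for other in extra_tlds:
        if other != tld:
            candidates.add("%s.%s" % (label, other))
    candidates.discard("%s.%s" % (label, tld))
    return sorted(candidates)


if __name__ == "__main__":
    for candidate in lookalike_domains("example.com"):
        print(candidate)
```

The output is a review list, not a purchase order: most candidates are cheap to register, but the list grows quickly with label length, so teams usually register the transpositions and TLD swaps and put the rest on a monitoring feed.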
Customer protection measures
After data breaches, companies often offer improved
security measures to their customers, to help mitigate any harm that might have
been caused. In the case of credit monitoring, it does make sense to offer this
only after an attack has occurred. But if you are prepared to consider offering
something like improved authentication options after a breach, you can save
yourself the significant cost of reputation loss by adding those options before
a problem happens. Implementing and then advertising your use of security- and
privacy-enhancing measures can be a market differentiator
to improve brand loyalty. Most people may not understand Salting &
Hashing or Network
Segmentation, but they will appreciate knowing that no one else
can access their passwords and other sensitive information.
Test your policies and procedures
Once or twice a year, test your data breach
response program by simulating an incident, and go through the steps of
responding to a mock incident, short of actually notifying customers and other
external organizations. Some businesses already do this in concert with crisis
management consultants. Injecting some scenarios from case-studies of other
companies’ data breaches can make yours more realistic and help better prepare
your business. Keep in mind that these tests will likely prompt you to consider
making changes in your policies and procedures; in fact, it is desirable to
make (and thoroughly re-test!) thoughtful modifications that suit your
environment. When you put such ideas into practice, you may find ways to make
your emergency response more effective and efficient as well.
No business is too big or too small to be a target
of attacks. If you have any sort of information that is of value to anyone
– whether or not you understand how that data can be monetized
or weaponized – there is a criminal out there who would be happy to