4.1.18

Now is the best time to craft your breach response



I hope you’re reading this at a time when you’re not in the midst of a response to an actual breach, but rather for your own edification, during a time of relative peace and quiet. If people are out there doing internet searches on “what to do after a breach” to learn what to do after experiencing a dire emergency, I suspect computer security problems are merely one symptom of their professional woes. Whether or not you’ve yet been hacked, the best time to start designing and practicing your breach response is long before an attack has been discovered. There’s no time like the present to get started preparing for an emergency.
After perusing the recent Ernst & Young Global Information Security Survey it was apparent to me that being unprepared for data breaches is a very common problem for all sorts of organizations. According to the survey’s respondents, 56 percent say either that they have made changes to their business strategies to take account of the risks posed by cyberthreats, or that they are about to review strategy in this context. However, only four percent of organizations are confident they have fully considered the information security implications of their current strategies and that their risk landscape incorporates all relevant risks and threats. While this may in part speak to the complexity of the threat landscape, this shows how many organizations feel completely overwhelmed by the enormity of the task.
Indeed, 35 percent of the survey’s respondents describe their data protection policies as ad-hoc or non-existent.  Although most organizations do have some processes in place for determining if they’ve been attacked – only 12 percent had no breach detection program in place – many organizations may be confused about their legal responsibilities: 17 percent of respondents say they would not notify all customers, even if a breach affected customer information, and 10 percent would not even notify customers impacted. There are few countries where this would not result in potentially catastrophic regulatory or legal fines, not to mention loss of customer loyalty.
The most moral, ethical and logical way to deal with risk is not to keep quiet about it and hope no one notices. To horribly modify the old adage for our purposes; the best way to eat a whale is to do it one bite at a time, not to try to hide it under the carpet until the stinking carcass causes everyone to flee.
Taking time to think logically and deliberately about your assets can help you determine what needs to be secured. Preparing for the worst can help you see the best course of action to prevent those emergencies in the present.
“Creating a template response in advance will allow emergency responders to focus on providing accurate and timely information”
I’m sure we’ve all seen some variation on the theme of Public Service Announcements where we’re encouraged to prepare a kit full of things that are useful in an emergency, whether that’s fire or earthquakes or our car breaking down in a snowstorm. While data breaches may be somewhat less “life or death” than any of these situations, that does not mean we should postpone dealing with them until we’re in the midst of an emergency.
As we have just said farewell to 2017, we have to admit that the last year has brought plenty of painful examples of companies responding sub-optimally to their own breach events, which made the reputational consequences much more severe. As with any sort of crisis, the more information and awareness you have going into the crisis, the less overwhelming and painful it is to get past it. This holds true whether you’re the primary target of the attack or a customer whose information was stolen.
Here are a few things to gather when planning your breach preparedness kit:
Make a list of steps to take and keep it updated
This list is analogous to the information you would give to a babysitter. Who needs to be contacted in case of emergency, and in what order? What actions need to be accomplished, in what specific circumstances? This post by my esteemed colleague Denise Giusto Bilić can help you understand the types of actions that need to be completed, which you can then tailor to the needs of your own organization.
That list needs to be updated regularly so that you’re not giving instructions for processes that no longer exist, or asking emergency responders to contact someone who has moved on to another position, who has left the company, or is on vacation. It needs to be kept (encrypted, to keep it from thieves’ prying eyes, please!) somewhere that is easy to find and revise, so people don’t have to spend precious time scrambling to unearth it.
Informational messaging
Unsurprisingly, messaging that announces bad news is a very delicate and sensitive task. This is maybe not a task you want to delegate to someone in the midst of a chaotic situation, and it is definitely something you should be creating in consultation with your legal department or an attorney who has experience in Data Breach Notification law. Creating a template response in advance will allow emergency responders to focus on providing accurate and timely information.
Many companies err on the side of waiting to notify people until investigations are over, which tends to leave customers feeling quite resentful. Even before you have all the information about what has occurred, you can let people know that there has been a problem so that they can take steps to protect themselves. Don’t underestimate the power of the warm fuzzies that can be gained by regular updates to your affected customers, even if those missives don’t provide much in the way of new information. Suffice it to say it’s a good idea to run any text by an editor so you don’t end up sending something out that still has place-holder text.
Remember that customers often see data breaches as a breach in trust; you need to keep them updated regularly with current information as a part of rebuilding that trust.
Breach response website
“As with any sort of crisis, the more information and awareness you have going into the crisis, the less overwhelming and painful it is to get past it”
As with a message template, it’s a good idea to have a webpage set up and stored (almost) ready to go, so that most of the heavy lifting is already done. This will save time and reduce potential errors, since you can thoroughly check and test code and assess the clarity of your text at a time pre-breach when people are still presumably calm and collected. Whether you choose to use a whole separate domain or just a page on your existing site, make this decision beforehand and communicate it clearly when an emergency arises. It is a good idea to keep the URL fairly short so that it can be easily sent on a variety of different messaging platforms, or read on short radio or television clips.  It is probably a good idea to register any domains that sound similar or might be mis-typed in order to reduce phishing and scams by criminals.
Customer protection measures
After data breaches, companies often offer improved security measures to their customers, to help mitigate any harm that might have been caused. In the case of credit monitoring, it does make sense to offer this only after an attack has occurred. But if you are prepared to consider offering something like improved authentication options after a breach, you can save yourself the significant cost of reputation loss by adding those options before a problem happens. Implementing and then advertising your use of security- and privacy-enhancing measures can be a market differentiator to improve brand loyalty. Most people may not understand Salting & Hashing or Network Segmentation, but they will appreciate knowing that no one else can access their passwords and other sensitive information.
Test your policies and procedures
Once or twice a year, test your data breach response program by simulating an incident, and go through the steps of responding to a mock-incident, short of actually notifying customers and other external organizations. Some businesses already do this in concert with crisis management consultants. Injecting some scenarios from case-studies of other companies’ data breaches can make yours more realistic and help better prepare your business. Keep in mind that these tests will likely prompt you to consider making changes in your policies and procedures; in fact, it is desirable to make (and thoroughly re-test!) thoughtful modifications that suit your environment. When you put such ideas into practice, you may find ways to make your emergency response more effective and efficient as well.
No business is too big or too small to be a target of attacks. If you have any sort of information that is of value to anyone – whether or not you understand how that data can be monetized or weaponized – there is a criminal out there who would be happy to