Although common in all kinds of organizations and businesses, data breaches still make striking headlines. We all work hard to prevent them, but how should you communicate about data breaches when they happen?
In the Security Bytes series, senior InfoSec professionals give their most savvy advice. This time, I asked several cybersecurity experts with incident response experience:
If your company is hit by a significant data breach and the news becomes public, what should you do?
Some chose to speak under a pseudonym, but all share sound advice that could help save your company’s reputation when, despite your robust work to protect it, a cybercriminal succeeds in accessing your information.
Hire the best PR firm
Principal Security Consultant L0ra thinks a well-coordinated, experienced PR firm can best handle your company’s reputation. She also believes the public responds well when companies admit their mistakes.
“The biggest mistake companies make is glossing over their failures, but breaches happen every day. It isn’t the first time. It won’t be the last.
“If the breach is large and public, immediately hire the best PR firm you can afford.
“Sometimes, in response to a data breach, you get a raid. That’s when a group of people comes at you on the internet. The number one rule for dealing with a raid is, log off and keep quiet. So you need a good PR firm to speak on your behalf.”
Communicate through the right people, and learn from mistakes
Ray Hayes is Senior Software Engineer, Enterprise and Security at Microsoft. He highlights the importance of knowing who you’re speaking with and learning from mistakes.
“I don’t speak about any incident off-the-cuff. I refer all inquiries to my leadership team.
“If I’m asked informally about a major data breach or any other incident at my company, I make conversation, but keep it general, and make sure I know who I’m talking to.
“Breach response is critical, but prevention is key.
In tech, even if you don’t think you’re in security, you are.
“Anyone starting a new job should think, “What could happen if the information I’m working on now was released?'”
Involve everyone in planning – before it happens
Security engineer Daniel says responding to data breaches must involve more than just the technical people. You need legal experts and business communicators too.
“All companies should prepare for data breaches, especially those with data worth stealing. Small- and medium-sized businesses (SMBs) more often don’t recognize the threat.
“Before it happens, get everyone involved in making a crisis plan, not just IT. It’s not only a technical problem. Involve legal, finance, safety and everyone else. They have valuable insight tech people often don’t, and will have their own tasks to do when it happens.”
Tell customers affected, quickly and honestly
James O, Director of Information Security, says informing your customers truthfully is a must.
“Our insurance company gives us a Breach Coach to help our PR firm get the messages right. We also coordinate with internal communications to inform the families we serve, and start telling affected people as quickly as possible. We also report under our state data breach laws.
“Companies could improve their data breach PR. When my data was accessed in a financial company’s breach, I just got a form letter saying, here’s your year of identity protection.
“At least they included the root cause – leaving generic credentials on a public box – but that doesn’t give me confidence that it won’t happen again.”
Avoid the ‘sophisticated attack’ cliché
Security Analyst http_error_418 says PR is vital, but companies must stop exaggerating cyberattackers’ skills.
“Companies often handle breaches with platitudes. They’ll say the attacker was ‘advanced’ and ‘sophisticated.’ That’s because, when it’s later shown their app wasn’t patched for eight years, investors are over the initial fright.
“We also need to consider when transparency helps, and when it’s overkill.
Most decision-makers don’t value transparency enough and focus too much on public perception, but sometimes it’s better to be low key.
“The public often don’t fully understand what transparency reveals.”
Update regularly and learn from the best
Cyber Threat Intel Analyst HackerPom points to an example of good practice.
“When they know the facts, executives, PR and legal should give the media and customers regular updates. For a good example, look at Norsk Hydro’s response to a bad data breach. Their communications were clear and straightforward.”
Better to overstate than understate the impact
Joonatan Kauppi, Founder and CEO of Leijona Security, has several pieces of good advice.
“If you’re unsure of the impact, it’s better to overstate than understate. If you downplay it, then word breaks that it’s much more serious, you’ll get worse press.
“Bring the regulatory authorities into the loop straight away.
“Inside the organization, start damage control, and don’t skimp on costs. Gather the facts and inform your communicators.
“Answer questions from security researchers and other InfoSec people. They ask the right stuff and are a good platform to communicate what happened. “Prepare for the flurry of questions you’ll get from people or parties affected. Don’t blame. Concentrate on reducing the impact of the breach.”
Make sure your plan fits all scenarios
David Emm, Principal Security Researcher at Kaspersky, says to make sure you’re planning for the full range of data that might be breached.
“Balance technical and PR in responding to a breach. You can only do this well if you have a process for managing security incidents. Involve the right people across the organization – including IT, HR, legal and PR – and work out a plan before anything happens.
“Make sure your plan is enduring and wide-ranging, not developed in response to a particular incident.”
The light of experience
There are strong themes from these experts when it comes to how to communicate around data breaches.
I’m hearing almost everyone say, plan for how you’ll respond before it happens, involving people across the organization. Several say, to use the best PR available, and communicate with speed, honesty and regularity.
By sharing the right information at the right time, in the right way, you’ll get the right outcome: customers understanding how they’re affected, and appreciating what you’ve learned.
Article reflects the opinions of the author and speakers quoted. Published in 2019.