{"id":32193,"date":"2020-01-24T07:19:19","date_gmt":"2020-01-24T12:19:19","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?post_type=emagazine&#038;p=32193"},"modified":"2021-03-15T05:07:36","modified_gmt":"2021-03-15T09:07:36","slug":"security-bytes-privacy-reputation","status":"publish","type":"emagazine","link":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/security-bytes-privacy-reputation\/32193\/","title":{"rendered":"How to build customer trust when a data breach happens"},"content":{"rendered":"<p>Although common in all kinds of organizations and businesses, <a href=\"https:\/\/www.kaspersky.com\/resource-center\/definitions\/data-breach\" target=\"_blank\" rel=\"noopener nofollow\">data breaches<\/a> still make striking headlines. We all work hard to prevent them, but how should you communicate about data breaches when they happen?<\/p>\n<p>In the <a href=\"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/security-bytes\/\" target=\"_blank\" rel=\"noopener nofollow\">Security Bytes series<\/a>, senior InfoSec professionals give their most savvy advice. This time, I asked several cybersecurity experts with incident response experience:<\/p>\n<blockquote><p>If your company is hit by a significant data breach and the news becomes public, what should you do?<\/p>\n<\/blockquote>\n<p>Some chose to speak under a pseudonym, but all share sound advice that could help save your company\u2019s reputation when, despite your robust work to protect it, a cybercriminal succeeds in accessing your information.<\/p>\n<h2>Hire the best PR firm<\/h2>\n<p>Principal Security Consultant L0ra thinks a well-coordinated, experienced PR firm can best handle your company\u2019s reputation. She also believes the public responds well when companies admit their mistakes.<\/p>\n<p>\u201cThe biggest mistake companies make is glossing over their failures, but breaches happen every day. It isn\u2019t the first time. 
It won\u2019t be the last.<\/p>\n<p>\u201cIf the breach is large and public, immediately hire the best PR firm you can afford.<\/p>\n<p>\u201cSometimes, in response to a data breach, you get a <em>raid<\/em>. That\u2019s when a group of people comes at you on the internet. The number one rule for dealing with a raid is, log off and keep quiet. So you need a good PR firm to speak on your behalf.\u201d<\/p>\n<h2>Communicate through the right people, and learn from mistakes<\/h2>\n<p>Ray Hayes is Senior Software Engineer, Enterprise and Security at Microsoft. He highlights the importance of knowing who you\u2019re speaking with and learning from mistakes.<\/p>\n<p>\u201cI don\u2019t speak about any incident off-the-cuff. I refer all inquiries to my leadership team.<\/p>\n<p>\u201cIf I\u2019m asked informally about a major data breach or any other incident at my company, I make conversation, but keep it general, and make sure I know who I\u2019m talking to.<\/p>\n<p>\u201cBreach response is critical, but prevention is key.<\/p>\n<blockquote><p>In tech, even if you don\u2019t think you\u2019re in security, you are.<\/p>\n<\/blockquote>\n<p>\u201cAnyone starting a new job should think, \u2018What could happen if the information I\u2019m working on now was released?\u2019\u201d<\/p>\n<h2>Involve everyone in planning \u2013 <em>before<\/em> it happens<\/h2>\n<p>Security engineer Daniel says responding to data breaches must involve more than just the technical people. You need legal experts and business communicators too.<\/p>\n<p>\u201cAll companies should prepare for data breaches, especially those with data worth stealing. Small- and medium-sized businesses (SMBs) more often don\u2019t recognize the threat.<\/p>\n<p>\u201cBefore it happens, get everyone involved in making a <a href=\"https:\/\/media.kaspersky.com\/en\/business-security\/enterprise\/KACIC_DataSheet.pdf\" target=\"_blank\" rel=\"noopener nofollow\">crisis plan<\/a>, not just IT. 
It\u2019s not only a technical problem. Involve legal, finance, safety and everyone else. They have valuable insight tech people often don\u2019t, and will have their own tasks to do when it happens.\u201d<\/p>\n<h2>Tell customers affected, quickly and honestly<\/h2>\n<p>James O, Director of Information Security, says informing your customers truthfully is a must.<\/p>\n<p>\u201cOur insurance company gives us a Breach Coach to help our PR firm get the messages right. We also coordinate with internal communications to inform the families we serve, and start telling affected people as quickly as possible. We also report under our state data breach laws.<\/p>\n<p>\u201cCompanies could improve their data breach PR. When my data was accessed in a financial company\u2019s breach, I just got a form letter saying, here\u2019s your year of identity protection.<\/p>\n<p>\u201cAt least they included the root cause \u2013 leaving generic credentials on a public box \u2013 but that doesn\u2019t give me confidence that it won\u2019t happen again.\u201d<\/p>\n<h2>Avoid the \u2018sophisticated attack\u2019 clich\u00e9<\/h2>\n<p><img decoding=\"async\" class=\"aligncenter size-large wp-image-32194\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2020\/01\/24071103\/m074_security_bytes_privacy_reputation_inline-1024x768.jpg\" alt=\"security bytes privacy reputation\" width=\"1024\" height=\"768\"><br>\nSecurity Analyst http_error_418 says PR is vital, but companies must stop exaggerating cyberattackers\u2019 skills.<\/p>\n<p>\u201cCompanies often handle breaches with platitudes. 
They\u2019ll say the attacker was \u2018advanced\u2019 and \u2018sophisticated.\u2019 That\u2019s because, when it\u2019s later shown their app wasn\u2019t <a href=\"https:\/\/www.kaspersky.com\/resource-center\/definitions\/patch-management\" target=\"_blank\" rel=\"noopener nofollow\">patched<\/a> for eight years, investors are over the initial fright.<\/p>\n<p>\u201cWe also need to consider when <a href=\"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/category\/transparency\/\" target=\"_blank\" rel=\"noopener nofollow\">transparency<\/a> helps, and when it\u2019s overkill.<\/p>\n<blockquote><p>Most decision-makers don\u2019t value transparency enough and focus too much on public perception, but sometimes it\u2019s better to be low key.<\/p>\n<\/blockquote>\n<p>\u201cThe public often don\u2019t fully understand what transparency reveals.\u201d<\/p>\n<h2>Update regularly and learn from the best<\/h2>\n<p>Cyber Threat Intel Analyst HackerPom points to an example of good practice.<\/p>\n<p>\u201cWhen they know the facts, executives, PR and legal should give the media and customers regular updates. For a good example, look at <a href=\"https:\/\/www.marsh.com\/au\/insights\/risk-in-context\/norsk-hydro-asa-data-breach.html\" target=\"_blank\" rel=\"noopener nofollow\">Norsk Hydro\u2019s response to a bad data breach<\/a>. Their communications were clear and straightforward.\u201d<\/p>\n<h2>Better to overstate than understate the impact<\/h2>\n<p>Joonatan Kauppi, Founder and CEO of Leijona Security, has several pieces of good advice.<\/p>\n<p>\u201cIf you\u2019re unsure of the impact, it\u2019s better to overstate than understate. If you downplay it, then word breaks that it\u2019s much more serious, you\u2019ll get worse press.<\/p>\n<p>\u201cBring the regulatory authorities into the loop straight away.<\/p>\n<p>\u201cInside the organization, start damage control, and don\u2019t skimp on costs. 
Gather the facts and inform your communicators.<\/p>\n<p>\u201cAnswer questions from security researchers and other InfoSec people. They ask the right stuff and are a good platform to communicate what happened.<\/p>\n<p>\u201cPrepare for the flurry of questions you\u2019ll get from people or parties affected. Don\u2019t blame. Concentrate on reducing the impact of the breach.\u201d<\/p>\n<h2>Make sure your plan fits all scenarios<\/h2>\n<p>David Emm, Principal Security Researcher at Kaspersky, says to make sure you\u2019re planning for the full range of data that might be breached.<\/p>\n<p>\u201cBalance technical and PR in responding to a breach. You can only do this well if you have a process for managing security incidents. Involve the right people across the organization \u2013 including IT, HR, legal and PR \u2013 and work out a plan before anything happens.<\/p>\n<blockquote><p>\u201cMake sure your plan is enduring and wide-ranging, not developed in response to a particular incident.\u201d<\/p>\n<\/blockquote>\n<h2>The light of experience<\/h2>\n<p>There are strong themes from these experts when it comes to how to communicate around data breaches.<\/p>\n<p>I\u2019m hearing almost everyone say, plan for how you\u2019ll respond before it happens, involving people across the organization. Several say to use the best PR available and to communicate with speed, honesty and regularity.<\/p>\n<p>By sharing the right information at the right time, in the right way, you\u2019ll get the right outcome: customers understanding how they\u2019re affected, and appreciating what you\u2019ve learned.<\/p>\n<p><em>Article reflects the opinions of the author and speakers quoted. Published in 2019.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Every day, you work to prevent data breaches. One day, you know the cyberattackers will succeed. 
How can you save your business reputation when the inevitable happens?<\/p>\n","protected":false},"author":2531,"featured_media":32196,"template":"","coauthors":[3535],"class_list":{"0":"post-32193","1":"emagazine","2":"type-emagazine","3":"status-publish","4":"has-post-thumbnail","6":"emagazine-category-data-breaches","7":"emagazine-category-opinions","8":"emagazine-category-security-bytes","9":"emagazine-category-transparency","10":"emagazine-tag-communication","11":"emagazine-tag-cybersecurity","12":"emagazine-tag-data-security","13":"emagazine-tag-incident-response","14":"emagazine-tag-privacy","15":"emagazine-tag-professional-advice","16":"emagazine-tag-security-bytes","17":"emagazine-tag-trust"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/security-bytes-privacy-reputation\/32193\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/secure-futures-magazine\/security-bytes-privacy-reputation\/21775\/"}],"acf":[],"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine\/32193","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/emagazine"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2531"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/32196"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=32193"}],"wp:term":[{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/coauthors?post=32193"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}