Part of my job is to write about data breaches, which means I spend a lot of time reading news releases from companies that have got something wrong and are urgently trying to deal with the consequences of their mistakes.
As the vast majority of companies don’t think about data breach management until it’s too late, very few data breaches are handled well. But how can you handle them well? How do you tell your customers that you’ve made a mistake and lost their data to criminals? You can hardly expect them to say “Hey man, you tried. It’s fine – at least you’re sorry.”
Don’t let them hear it from someone else
Something that every organisation should fear is a phone call from Brian Krebs. If he calls you, then it’s highly likely that your customers’ data is somewhere it shouldn’t be. And if Brian believes there’s a possible data breach, he’ll write about it – and so he should. I can’t remember a time he was wrong.
You need to be the one who lets your customers know that their data has been stolen, but this is only possible if you already have the resources to monitor where your data is – or have your own Brian Krebs.
If you suspect you’ve suffered a data breach then you need to be quick to gather whatever facts you can and let your customers know what you know.
If you’re beaten to the punch by a journalist then you need to react quickly: silence is the worst response.
Tell them what they need to know
In my experience, roughly 90% of announcements from breached organisations contain the following three phrases:
- We were the victim of a sophisticated cyber attack and are notifying our customers out of an abundance of caution
- Security is our number one concern
- Just like most companies these days, we’ve suffered a breach
Security professionals know there is no such thing as 100% security, and breaches hit even the best-prepared organisations. So, when a breached organisation says that security is its number one concern, there is a small possibility that it actually is and the company was just unfortunate – unlikely as that might seem.
However, customers don’t care about how much a breached company was concerned about security – to them a company is either secure or not, and that’s what’s important.
Customers need to know what data has been taken, what they should do to ensure they are protected and what the company is going to do to help them.
If you crash into someone’s car you don’t lecture them for twenty minutes about the latest collision statistics and explain how seriously you take car safety. You check everyone is okay, give them the details they need and apologise profusely.
Or, if you’re like the OPM, you promptly reverse into a bus.
Don’t hide your mistakes
Graham Cluley often points out how common it is for organisations to hide their data breach announcements in the darkest corners of their websites where they’re unlikely to be seen. This is wrong. There should be a prominent banner on the front page letting customers know that an incident has occurred. Not everybody checks their emails and not everybody reads the news, so how else will a customer know that you’ve lost their data?
Be prepared for next time
If your organisation manages to survive a data breach then it is a good idea to prepare for another one.
A data breach is classified, at least to me, as a disaster. A business continuity plan that includes a disaster recovery plan is something your organisation ought to look into.
ISO 22301, the international business continuity standard, is an effective way to ensure your organisation is prepared for data breaches. Unlike conventional disaster recovery plans, an ISO 22301 business continuity management system grows with the organisation and integrates with other management standards such as ISO 27001 – the information security management standard.
When combined correctly, ISO 27001 and ISO 22301 will help your organisation become cyber resilient.
Download our free paper on cyber resilience and learn how your organisation can prepare for the worst.