Post-breach lessons: get the CEO to do the work

Cyber attacks are making headlines around the world several times a day.  JPMorgan was breached in August, and hackers obtained the names, phone numbers, email and postal addresses of 76 million customers and seven million SMEs after a phishing attack compromised an employee’s credentials.

How your company responds to such an attack is often the deciding factor in whether or not you will contain the damage and subsequent fall-out.

Following a recent eBay cyber attack, the BBC reported that a customer had alerted the auction site to the attack, but the firm only addressed the compromise more than 12 hours later, after the BBC called to check on the issue first.

  1. Rapid response is key. Like any crisis, waiting too long to disclose the news will only cause more damage.  Crisis communication lessons tell us that acting quickly will save you from the press jumping in first with guns blazing.
  2. Get the CEO involved. A public statement, offering as much information as possible, is critical.  Getting a PR firm to do this isn’t sufficient, the experts say.  People want reassurance that the CEO is hard at work trying to get the problem sorted out fast.
  3. Be honest, even if you don’t know what the reasons are behind the breach. Reveal the facts and explain that you are working hard to fix the problem. If your company has done everything reasonably possible to manage and maintain its information security management system, then “your organisation is a victim too”, according to Neal O’Farrell, Security and Identity Theft Expert. “If you share the anger your customers are feeling, you can help make a powerful connection with them.”
  4. O’Farrell also advises companies to set up a data breach response centre that provides customers with relevant information, including a helpline.
  5. Although simply spending more on security does not necessarily imply better security, a higher cyber security budget could be used to help restore faith in your business. Smarter companies are starting to protect their assets based on those that are most at risk. JPMorgan indicated that it would double its cyber security spend following the incident.  Some might see this as a PR stunt but experts agree that this will generally be seen as a positive move, and will contribute to mitigating any reputational damage suffered by the company.
  6. Security can’t be fixed by money alone. Concerted education and awareness programmes at all levels of the business are an essential and logical response.
  7. Commit consistently to prioritising the cyber security budget. Post-breach, companies may feel the need to spend more on cyber security, but this bullish approach often fizzles out after the effects of the breach have faded.  New vulnerability and threat detection capabilities, security awareness training and forensic incident management will all help build an enhanced culture of cyber security, but without a sustainable budget to support these interventions, the best laid plans will be futile.
  8. A proactive approach to information security, using an all-encompassing solution like ISO27001, is vital. Businesses need to implement adequate security intelligence mechanisms to monitor activity across their networks so that any suspicious activity can be identified and addressed quickly.
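Point 8 calls for monitoring that surfaces suspicious activity quickly, and the JPMorgan incident above began with phished credentials. As an added illustration (not code from IT Governance or from any of the firms named in the post), the script below scans constructed authentication log lines for two hypothetical patterns a defender would want flagged: a burst of failed logins followed by a success on the same account, and a successful login from a source address never before seen for that account. The log format, thresholds and rule names are all assumptions made for the example.

```python
"""Flag credential-compromise patterns in authentication logs.

Added illustration, not IT Governance's code. Scans constructed auth-log lines
for (a) a burst of failed logins followed by a success on the same account and
(b) a successful login from a source address never seen for that account.
Both rules, and the log format, are assumptions chosen for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields: ISO timestamp, user, source IP, outcome.
SAMPLE_LOG = """\
2014-10-01T08:00:05 alice 203.0.113.10 SUCCESS
2014-10-01T08:03:11 bob 198.51.100.7 SUCCESS
2014-10-01T13:40:02 alice 192.0.2.44 FAIL
2014-10-01T13:40:09 alice 192.0.2.44 FAIL
2014-10-01T13:40:15 alice 192.0.2.44 FAIL
2014-10-01T13:40:21 alice 192.0.2.44 FAIL
2014-10-01T13:41:03 alice 192.0.2.44 SUCCESS
2014-10-01T14:02:30 bob 198.51.100.7 SUCCESS
"""

FAIL_THRESHOLD = 3                 # assumed: failures before a later success is suspicious
FAIL_WINDOW = timedelta(minutes=10)  # assumed: how far back failures still count


def parse_line(line):
    """Split one log line into (timestamp, user, ip, outcome)."""
    ts, user, ip, outcome = line.split()
    return datetime.fromisoformat(ts), user, ip, outcome


def detect(log_text, known_ips=None):
    """Return a list of (timestamp, user, rule, detail) alerts.

    known_ips: optional {user: set(ip)} baseline of addresses already trusted
    for each account. Addresses seen in the log are added to the baseline as
    they occur, so the first login for an unknown account never alerts.
    """
    seen = defaultdict(set)
    if known_ips:
        for user, ips in known_ips.items():
            seen[user].update(ips)
    recent_fails = defaultdict(list)   # user -> timestamps of failures not yet followed by a success
    alerts = []
    for raw in log_text.strip().splitlines():
        ts, user, ip, outcome = parse_line(raw)
        if outcome == "FAIL":
            recent_fails[user].append(ts)
            continue
        # Rule (a): count only failures inside the window before this success.
        window = [t for t in recent_fails[user] if ts - t <= FAIL_WINDOW]
        if len(window) >= FAIL_THRESHOLD:
            alerts.append((ts, user, "success-after-failures",
                           f"{len(window)} failures before success from {ip}"))
        # Rule (b): account is known but this address has never been seen for it.
        if user in seen and ip not in seen[user]:
            alerts.append((ts, user, "new-source-address", ip))
        seen[user].add(ip)
        recent_fails[user] = []
    return alerts


if __name__ == "__main__":
    for ts, user, rule, detail in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user:<8} {rule:<24} {detail}")
```

Run against the sample, the detector raises both rules for alice's 13:41 login and stays silent for bob; supplying a `known_ips` baseline that already trusts 192.0.2.44 for alice suppresses the new-address alert while the failure-burst alert remains. In a real deployment the log source, thresholds and the baseline of trusted addresses would come from the organisation's own identity systems rather than from constants.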

Hackers will find clever ways to access your data; cyber attacks are now being seen as an inevitable event that must be anticipated, and for which companies must prepare in order to contain the potential damage.

Find out about IT Governance’s practical solutions to ISO27001, available anywhere in the world.  IT Governance also provides a convenient approach for achieving improved cyber security, including Cyber Essentials certification options.