Data breaches are getting worse and more expensive every day, and it often takes far too long to clean up the mess. Recently the media was inundated with cases of big brands being hacked and millions of personal records being affected. Websites like Adult FriendFinder and Ashley Madison are just two of these high-profile cases, and apart from the immeasurable damage such breaches can do to customers, they also deal a big blow to the brand’s reputation.
In the worst cases, the breach isn’t discovered at all, even while the data is being put to criminal use right under an organization’s nose. Part of the problem, according to a crisis management consultant speaking at the conference Unintended Consequences: Impacts of the Internet of Things (IoT) & Big Data, is that many companies tackle these events all wrong.
“I am going to ask you to throw away every rule of crisis management you have ever known, as we explore how cybercrime is rewriting the crisis management rule book,” said Davia Temin, CEO of Temin and Company in the conference’s keynote address.
Data breaches are also becoming more publicized and damaging to corporate reputations, causing boards of directors to take them far more seriously and hold IT far more accountable. But that isn’t enough, Temin argued. She explained how current crisis management techniques are outdated when compared to the crises they are trying to contain and resolve. “They are static, formulaic and constrained – simply not adequate for the dynamic, nuanced, multi-faceted and ubiquitous nature of cybercrimes today.”
During her keynote speech, Temin explained how cyber crisis management is a combination of crisis management and emergency and terrorist response. There needs to be both internal and external cooperation and communication in play and a scenario where enterprise risk management, business continuity, emergency response, reputation management, and corporate governance are balanced, she argued.
So what should you do in the event of a data breach or crisis?
Whether you are a giant multinational corporation, an SMB, a sole proprietorship, or an end user, you can help to stop breaches and clean up the damage. First, the most pressing problem is discovering the breach. The Ponemon Institute found it takes an average of 256 days for an organization to find out it has suffered a breach.
Meanwhile, credit card numbers may be exposed, competitors may have an organization’s confidential plans, and personal information may be used for identity theft. Intrusion detection, firewall logs and solutions like an event log manager can all help to identify suspicious activity far earlier. If you have logs, you really must read them to see if anything is askew. Also, if you are a client-facing organization, make sure you empower your customers to ping you if they see anything suspicious happening with their account.
Second, realize that many breaches come from inside, so treat employees – including your IT staff – just as you would an outsider. Keep privileges to a minimum and set controls on what data can leave the premises. Privileges are a huge issue – too many users, and even outsiders, have admin rights and broad access to data.
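As an added example (not part of the original article), here is a small Python pass over log lines that flags the two things the text points at: a run of failed logins followed by a success, and an unusually large volume of data leaving from one account. The log lines are constructed, and the "timestamp user src action bytes" format and the thresholds are assumptions, not a real product's export.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical "timestamp user src action bytes" format.
SAMPLE_LOG = """\
2015-08-20T09:00:01 alice 10.0.0.5 login_fail 0
2015-08-20T09:00:02 alice 10.0.0.5 login_fail 0
2015-08-20T09:00:03 alice 10.0.0.5 login_fail 0
2015-08-20T09:00:04 alice 10.0.0.5 login_fail 0
2015-08-20T09:00:05 alice 10.0.0.5 login_fail 0
2015-08-20T09:00:09 alice 10.0.0.5 login_ok 0
2015-08-20T09:15:00 alice 10.0.0.5 upload 950000000
2015-08-20T09:20:00 alice 10.0.0.5 upload 900000000
2015-08-20T10:00:00 bob 10.0.0.9 login_ok 0
2015-08-20T10:05:00 bob 10.0.0.9 upload 20000000
2015-08-20T11:00:00 carol 10.0.0.7 login_fail 0
2015-08-20T11:00:10 carol 10.0.0.7 login_ok 0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse(text):
    """Yield (timestamp, user, src, action, nbytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, src, action, nbytes = m.groups()
            yield ts, user, src, action, int(nbytes)

def review(text, fail_threshold=5, egress_threshold=1_000_000_000):
    """Return alert strings for brute-force-then-success and bulk egress per (user, src)."""
    alerts = []
    fails = defaultdict(int)    # (user, src) -> failed logins since the last success
    egress = defaultdict(int)   # (user, src) -> bytes uploaded since the last alert
    for ts, user, src, action, nbytes in parse(text):
        key = (user, src)
        if action == "login_fail":
            fails[key] += 1
        elif action == "login_ok":
            if fails[key] >= fail_threshold:
                alerts.append(f"{ts} brute force then success: {user} from {src} after {fails[key]} failures")
            fails[key] = 0
        elif action == "upload":
            egress[key] += nbytes
            if egress[key] > egress_threshold:
                alerts.append(f"{ts} bulk egress: {user} from {src} sent {egress[key]} bytes")
                egress[key] = 0  # reset so one incident raises a single alert
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```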
Third, it’s time to have a solid data backup plan. Just a few weeks back we learned about a company that went out of business because of ransomware. Code Spaces, a seven-year-old SaaS provider, was forced out of business when its Amazon Web Services control panel was breached. The attacker locked the company out and demanded a ransom to give back control. When the company didn’t accede to the demand, the attacker started deleting data until Code Spaces was left with nothing. It’s a heartbreaking story, but it also highlights the importance of multi-location backups.
Fourth and final point: communicate! If your company suffers a data breach, your customers will bear the brunt of it, and they will be angry with you. That is why it is so important that they are notified as early as possible. One way or another, they will find out – and they would rather hear it from you than from a news organization. Your company’s reputation will already be hanging by a thread; how your customers learn of the breach will contribute to your company’s chances of survival or demise.
Be frank and honest. Customers deserve the truth, especially if their personal data is compromised. State what happened, when and how you’re dealing with it and how it impacts THEM. Tell them what they can do in the meantime and what recourse they have to protect their interests.
The final step is to tell the world what happened, and this is where the crisis management rules and the salvaging of brand reputation Temin talked about come into play.