[BreachExchange] Data Breach Notifications and Why Honesty is the Best Policy
Audrey McNeil
audrey at riskbasedsecurity.com
Wed Apr 25 21:14:16 EDT 2018
https://www.infosecurity-magazine.com/blogs/data-
breach-notifications-honesty/
Data breaches don't discriminate. Businesses of all sizes are affected by
these hugely damaging attacks, which means that more and more customers are
directly feeling their effects.
For businesses, the impact of a data breach is far-reaching, disrupting
organizations both in financial terms and in the way they are perceived by
the general public.
For example, a company with its name splashed across the papers for having
been caught cold by a data breach may find that once-loyal customers are
evaluating their relationship, with a potentially irreparable loss of
trust.
Trust is a valuable thing for customers. We're more connected than ever,
and the sheer volume of sensitive data now available to organizations means
that customers expect a high degree of transparency. Every successful
cyber-attack dents customers' faith in the integrity of digital services,
so it's in a business’s best interest to be as honest with customers as
possible.
This leads us to data breach notifications—the act of businesses alerting
customers to any breach that they've fallen victim to, and taking steps to
remediate the damage. In some regions, like Australia, data breach
notifications are mandatory, while in the UK, under the GDPR, a breach must
be reported if it’s likely to result in a risk to people’s rights and
freedoms.
It’s not hard to see why these measures are being put into place. It
ensures that customers aren't left in the dark with regards to their data.
While some companies may baulk at the idea of telling customers that
they've been targeted by cybercriminals, data breach notifications can work
in a business’s favor, and can be an effective customer retention tactic.
Honesty, it seems, really is the best policy.
Keep your customers
Customer loyalty and trust is far more likely to be earned by businesses
that clearly communicate their commitment to breach notification and prove
that they’ll deliver on it. Customers are savvy, and if you remain
tight-lipped about a data breach, the truth will eventually come out.
If a customer reads about a potentially damaging breach in the news rather
than being informed by the company they are affiliated with, then that
relationship is in for a rough ride.
Data breaches can be damaging to an organization’s finances and reputation.
By showing customers that your business won't be cowed by the attacker
threat and that you'll stand up for what's right, regardless of the cost,
you'll likely be rewarded with trust and respect.
With this in mind, it's clear that data breaches are more than an IT
issue—they are a business issue. Given that the tendrils of an attack are
so far-reaching, it's strange that in many businesses, data breach
notifications are seen as the purview of the IT professional. This is
absolutely not the case.
Know your role
A data breach notification is everyone's responsibility, and it’s up to the
business to let customers know that they have IT professionals working hand
over fist to combat these damaging attacks. For a business as a whole to be
aligned in this, it's important that attacks are identified and the level
of damage is established as quickly as possible. But how can you do this?
First, plan before establishing your defenses. Countless businesses rush in
and purchase “bleeding-edge” defense tools without knowing what they
actually do. Instead, your first step should be identifying your most
sensitive or vulnerable data, and deciding who’s responsible for its
protection. In doing so, you can achieve faster and more stable
implementation than the previously mentioned “headless chicken” approach.
Second, you should invest in monitoring before defenses are established.
Data breach notification is only possible if you know when a breach occurs,
and monitoring is the only way to do that. Security Information and Event
Management (SIEM) software will tell the business when an attack has
occurred, the damage it has inflicted, and if any other systems may still
be at risk.
You should also map your monitoring and reporting strategy to business
priorities as well as the usual suspects, like events logs, USBs, and other
external devices. With business priorities constantly changing, your SIEM
tools need to be able to adapt to keep up.
Finally, constant testing is a must. As you implement your monitoring,
automated reporting, and response systems, you'll likely find that your
initial priorities and strategy aren’t completely accurate. When that
happens, ditch any defenses you don't need and double down on weaker or
more critical areas.
Remember to update the rest of the business when you adjust your defenses.
Otherwise, your business and its customers may grow accustomed to a false
sense of security.
Data breach notifications are already achievable for most IT teams,
however, more work is required if an entire business is to pitch in and use
this transparency as a competitive advantage. By following the above steps,
you can let customers know what needs defending and why, and earn their
trust and loyalty, proving that honesty is still very much the best policy.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180425/d70a6401/attachment.html>
More information about the BreachExchange
mailing list