[BreachExchange] Data Breach? Don’t Panic—Just Remember These 4 Tips

Destry Winant destry at riskbasedsecurity.com
Tue Jul 31 21:41:49 EDT 2018


https://hackercombat.com/data-breach-dont-panic-just-remember-these-4-tips/

In show business, even bad publicity is still publicity, so
celebrities generally couldn't care less about it. After all, visibility
is the lifeblood of an actor, singer, or sports player, all of whom
want nothing more than to stay in the spotlight. However, this is not
the goal of for-profit businesses, which view publicity as an indicator
of their positive traits. This preference for good news is the reason
why companies are normally secretive, often hiring corporate
communication experts to relay difficult messages to the public, their
stockholders, and even the government. They spend major cash on
legislative lobbyists to protect their business interests in the long
run and keep their reputation clean. But as we all know, all it takes
is one good data breach to send all these efforts to hell in a
handbasket.

Countless companies have already experienced the pains of a security
breach, including data leaks and lost digital assets. Sure, they try
their best to perform damage control before having to admit any
vulnerabilities; however, the public tends to find out regardless of
their efforts. All cyber issues aside, for-profit companies have two
main objectives: expand the business and keep profits rolling in. Any
other company goals are just gravy. But the European Union's GDPR
requirements have changed all of that, essentially redefining the
responsibilities of businesses to their customers. With this in mind,
how should companies experiencing a data breach now react to news that
their computing infrastructure was infiltrated by an unauthorized
party?

Here are some thoughts:

Announce it within the first 72 hours after the discovery!

Transparency is important, no matter how awkward and uncomfortable it
may be at times. It is the source of customer trust. Even companies
with the very best products and services on the market will find
themselves alone in the cold if they lose consumer trust. The first
72 hours after a breach are the time to pin down the primary
details of the crime and inform stakeholders, along with the public,
that the company has been compromised. After all, it is now the law.
GDPR makes it quite clear that this amount of time is the cutoff for
notification, as anything later will incur a massive fine from the EU
for policy violation.

Focus on the details and the details and the details!

Stakeholders should never be left in the dark after a data breach.
Notifying them while still withholding information vital to their
decision-making cuts off potentially profitable future transactions
with customers, suppliers, and partners. Notifications about a data
breach should be clear, concise, and readily understandable by those
outside the tech world. Not all stakeholders will have the same degree
of technical knowledge, which means the message must be easy to
understand and interpret. The worst kind of press release or
announcement is one overrun with industry jargon, all of which can be
easily misinterpreted and misquoted.

Practice customer care!

Just as the GDPR has mandated, the front, back, and center of any
for-profit business must be the customer. As the bread and butter of
an enterprise, customer data should be protected, secured, and stored
privately. If a data breach occurs, a tailored message should be sent
to customers immediately, outlining the steps being taken to rectify
the problem. This effort creates an atmosphere of transparency and
lets the consumer know the responsible entity is taking the right
stance. While it's true that many breaches are not the fault of the
company, it must still take responsibility for the vulnerability that
likely caused it. Without an effective and efficient outgoing message,
all fingers will point to the company instead of the attackers.

Rebuild reputation and compensate victims ASAP!

Don't wait for a government law enforcement agency to force you into
paying damages to victims; instead, be proactive. Assess the cost of
the damage and pay compensation to the victims without hesitation. If
this is done in a timely manner, it is still possible for the company
to continue its operations with little interruption. But if it's not,
customer trust will begin to wane, and suspicion about the details of
the data breach will lead to ruin.
