[BreachExchange] Making the most of your (next) data breach

Audrey McNeil audrey at riskbasedsecurity.com
Fri Sep 16 15:07:25 EDT 2016


https://www.cuinsight.com/making-next-data-breach.html

Ian Livingston, former CEO of BT Group, memorably stated: “There are two
types of CEO, those that know their systems are being hacked – and those
that don’t.”

That was three years ago. While CEOs are undoubtedly more aware of the
risks now, how many have employees who still play fast and loose with
customers’ personal data? And how many senior managers have full control
over their employees’ practices?

Although much may have been invested to protect digital estates, many
senior executives are unsure what personal data they retain and where, how
well protected it is, who has access to it and – in an age of collaborative
commerce, lengthening supply chains, and ecosystem delivery – precisely who
is accountable for what.

Some still rely on averages (“It won’t happen on my watch”) and apathy
(“Everybody loses a little once in a while”) to get them through any choppy
water, should incidents occur and reach the public domain. But if you rely
on crisis communications as your main defense (“We are investigating an
incident we can’t comment on now; meanwhile the launch of x has delivered
stunning figures…”), then there may be trouble ahead.

With increasing transparency, tougher penalties, ongoing press interest,
and the rise of socially-savvy, digitally-literate citizens and consumers,
a casual approach to privacy has to change.

Even the best defenses will succumb to attack sometimes. This is as much
due to simple human error as it is to the asymmetry of security. The
defender needs to protect perfectly on all fronts, while the attacker needs
to find just one crack in the armor.

Breaches are inevitable, and many customers understand that data loss
happens regardless of how well-prepared a business is. How you act during
and after a breach – and how you communicate with your members in the hours
and days after discovery – is vital.

Yes, some members will immediately leave in disgust, no matter what you do.
But the vast majority of customers are more likely to leave because they
feel your organization does not act with integrity.

So how do you reduce the negative impact of any incident and make sure you
“don’t waste a crisis,” should one occur?

Redirect executive angst to infrastructure attention…

If you run the department where the incident arose, you have to expect
executives to focus on your operation and to be prepared to endure the heat
of micro-management for a while post-breach. This energy should soon be
galvanized to address underlying issues you have probably been aware of for
a while, but which have been in the “vital but not urgent” budget category.

Know in advance what to ask for once the immediate crisis is over while
decision-makers have intimate awareness of your part of their business. For
example, perhaps now is the time to move to the cloud – but have you
reviewed the pros and cons from each stakeholder’s perspective?

…and fresh opportunity

Investment shouldn’t stop at just fixing. Privacy confidence stems from the
certainty that scrutiny brings.

While there should be due caution about not rushing into another faux pas,
a crisis handled well, and an intimate understanding of what data you hold,
should give you new opportunities to engage anew with members, so long as
they feel charmed and not persecuted by your renewed familiarity with them.

Practice (don’t just document)

Most businesses have well-documented, if not oft-rehearsed or
realistically-simulated, emergency response plans. Practicing, not just
writing down, your incident response plan builds organizational “muscle
memory.” The best data breach is a staged one: one that reawakens people to
the real-world impacts that could occur if we mishandle the personal
information entrusted to us.

Institutionalizing the right habits is essential. Think how many people
have read your fire policy and how many know what to do because the company
has rehearsed a fire drill regularly. Then consider how much more likely a
data breach is than a fire.