[BreachExchange] The Avoidable Mistakes Executives Continue to Make After a Data Breach

Audrey McNeil audrey at riskbasedsecurity.com
Wed Nov 22 20:02:23 EST 2017


https://hbr.org/2017/11/the-avoidable-mistakes-executives-continue-to-make-after-a-data-breach

The past few years have taught us that companies will be breached and
consumer data will be stolen. Last year was a record year for data
breaches, and 2017, so far, has seen its fair share of high-profile
cyberattacks. Still, top executives continue to stumble in the way they
respond to an attack, magnifying and extending the damage both to their
reputation and their customers.

In analyzing the top breaches over the past few years, it is clear that
executives make a set of common mistakes, which is surprising given that so
many companies, often led by otherwise effective leaders, fail to learn
from the botched responses and mishandled situations of the companies that
were breached before them.

Here are the missteps executives make time and again, and advice for
avoiding these pitfalls:

Foot dragging

The longer companies wait to notify their customers, the greater the chance
criminals will be able to use stolen data. While Equifax got blasted for
taking nearly six weeks to disclose its breach, at least it didn’t wait
until the stolen data was being sold on the dark web to go public with the
news. Target didn’t comment on their breach until nearly a week after it
was reported by security blogger Brian Krebs. More recently, it came to
light that the SEC waited a full year before disclosing information about
its breach.

Executives today must operate under the assumption that they will
experience a cyber incident that will require them to notify their
customers, investors, and regulators. The immediate emotional response may
be to wait until all the details are available and carefully messaged, but
it is negligent to withhold information that could help people keep their
data and finances safe. The best way to assure executives and their
communications teams respond to breaches quickly is to have a well-oiled
incident response plan in place. It appears Whole Foods had a plan in place
as the company reported its most recent breach five days after detection.

A federal breach notification law mandating quicker response times would
also better serve citizens who are now at the mercy of a patchwork of state
laws that have limits ranging from 15 days to 90 days, if they have limits
at all. By contrast, an EU law taking effect next year as part of the
incoming GDPR (General Data Protection Regulation) gives companies 72 hours.

Poor customer service

In 2016, Yahoo CEO Marissa Mayer failed to take a basic step that could
have quickly protected customers whose accounts were exposed in a breach
that occurred two years prior: automatically reset all user passwords. This
would have immediately blocked criminals from getting into those accounts,
but Mayer reportedly declined to do it because it would have forced all
users to create new passwords, and she was worried that they would be
annoyed and drop Yahoo.

After its breach, Equifax originally offered customers free credit
reporting for one year if they waived their rights to sue. In addition,
Equifax tried to profit from its mistake by charging people who wanted to
freeze their reports as an added layer of protection. The company soon
dropped this condition, extended free credit reporting for life and waived
the credit freeze fees, but by that time, the reputational damage had been
done.

The top priority for Yahoo should have been to do whatever it could to
immediately protect customers. Equifax should have offered free,
condition-free monitoring to help consumers stay safe. Top corporate
officers need to make sure their gestures of goodwill align with the
severity of the breach, even if they are expensive to implement.

Not being transparent

Being open in the aftermath of a breach is the thing executives are in a
position to control — but more often than not, they evade the truth.
Transparency is a cornerstone to rebuilding trust in the brand.

In spite of its many other breach response blunders, Equifax was fairly
diligent in keeping the public updated on information related to its
breach. In addition to distributing a press release and posting a video to
their site on Sept. 7, Equifax created a dedicated website for
breach-related news that was updated five times in the week following.
However, on multiple occasions, the company’s official Twitter account
directed customers to a fake phishing site. The official site had multiple
technical difficulties, and when it was available, the site required people
to verify their identity with the last six digits of their social security
numbers — providing precisely the kind of personal information that was
hacked in the first place.

Sony handled its PlayStation Network (PSN) breach even worse. After
discovering the network intrusion, Sony shut it down but didn’t say
anything about being breached until two days later. Details about the
incident trickled out haphazardly over the following weeks and advice to
customers was muddled.

By issuing confusing and incorrect information about a breach, executives
prevent customers from taking actions they need to protect themselves. A
lack of transparency also leads customers to believe executives are
withholding information — even if they aren’t.

It’s okay to say “we don’t know at this time.” Being honest and authentic,
and providing clear and frequent updates, will earn trust from customers
who just want to be leveled with.

Failing to accept accountability

A massive breach is not an individual error or a technology failure — it’s
an organizational breakdown that is the responsibility of the top
executive. It might not be a surprise that top executives don’t typically
see it that way. A study from risk management firm Stroz Friedberg found
that just 45% of senior leaders believe they are responsible for protecting
their companies against cyberattacks.

It took 11 days after the Sony breach for any executives to apologize for
the breach and 26 days for Sony Chairman Howard Stringer to do so publicly.
Equifax CEO Richard Smith initially showed humility and accountability in
the immediate aftermath of the company’s breach, saying in a video: “I
deeply regret this incident and I apologize to every affected consumer and
all of our partners.” But after he was forced to resign, Smith blamed an
employee for failing to take basic security measures in his testimony
before a U.S. House committee.

Until more top executives begin to hold themselves accountable for cyber
incidents, and learn from the mistakes that others have made before them,
we will continue to see breaches and poor leadership in the responses to
these attacks.
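The one concrete technical remedy the article names is the mass password reset Yahoo declined to perform. The sketch below is an added example, not code from the HBR article, from Yahoo, or from the BreachExchange list; the in-memory store, the User record, and the function names (mass_reset, complete_reset, session_valid) are this example's own inventions, and the 24-hour token lifetime is an assumed value. It shows the part the article leaves implicit: resetting the password alone does not evict an attacker who already holds a live session, so the reset has to void every session issued before the cutover, and the reset tokens themselves must be single-use, expiring, and stored only as hashes so that a second leak of the user table is harmless.

```python
"""Emergency mass credential reset after a breach (added example, not the
article's or Yahoo's code; store layout and names are invented here)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

RESET_TOKEN_TTL = 24 * 3600   # seconds a reset link stays valid (assumed value)
UNUSABLE = "!revoked"         # sentinel no real hash equals: the old password is dead


def hash_password(pw: str, salt: bytes) -> str:
    # PBKDF2-SHA256 keeps the example dependency-free; use argon2/scrypt in production.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000).hex()


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: str
    pw_changed_at: float        # sessions issued before this instant are void
    must_reset: bool = False


class Store:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Tuple[str, float]] = {}        # sid -> (user, issued_at)
        self.reset_tokens: Dict[str, Tuple[str, float]] = {}    # sha256(token) -> (user, expiry)

    def create_user(self, name: str, pw: str, now: float) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, salt, hash_password(pw, salt), pw_changed_at=now)

    def login(self, name: str, pw: str, now: float) -> Optional[str]:
        u = self.users.get(name)
        if u is None or u.must_reset or u.pw_hash == UNUSABLE:
            return None
        if not hmac.compare_digest(u.pw_hash, hash_password(pw, u.salt)):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (name, now)
        return sid

    def session_valid(self, sid: Optional[str], now: float) -> bool:
        entry = self.sessions.get(sid) if sid else None
        if entry is None:
            return False
        user, issued_at = entry
        u = self.users[user]
        # A session minted before the credential change is rejected even if a
        # replica missed the purge in mass_reset; the attacker's live cookie dies too.
        return not u.must_reset and issued_at >= u.pw_changed_at

    def mass_reset(self, affected: Set[str], now: float) -> Dict[str, str]:
        """Void passwords and sessions of `affected` accounts and mint one-time reset
        tokens. Returns plaintext tokens for out-of-band delivery; only hashes are kept."""
        tokens: Dict[str, str] = {}
        for name in affected:
            u = self.users[name]
            u.pw_hash, u.must_reset, u.pw_changed_at = UNUSABLE, True, now
            tok = secrets.token_urlsafe(32)
            self.reset_tokens[hashlib.sha256(tok.encode()).hexdigest()] = (name, now + RESET_TOKEN_TTL)
            tokens[name] = tok
        # Resetting the password is not enough: drop every session the account holds.
        self.sessions = {sid: s for sid, s in self.sessions.items() if s[0] not in affected}
        return tokens

    def complete_reset(self, tok: str, new_pw: str, now: float) -> bool:
        entry = self.reset_tokens.pop(hashlib.sha256(tok.encode()).hexdigest(), None)  # single use
        if entry is None or now > entry[1]:
            return False
        u = self.users[entry[0]]
        u.salt = secrets.token_bytes(16)
        u.pw_hash, u.must_reset, u.pw_changed_at = hash_password(new_pw, u.salt), False, now
        return True


def demo() -> Dict[str, bool]:
    """Constructed walk-through: an attacker already holds alice's password and a
    live session when the reset is ordered. Every value should be True."""
    st = Store()
    st.create_user("alice", "hunter2", now=1000.0)
    st.create_user("bob", "correct horse", now=1000.0)
    attacker_sid = st.login("alice", "hunter2", now=1001.0)
    tokens = st.mass_reset({"alice"}, now=2000.0)
    r = {
        "attacker_session_dead": not st.session_valid(attacker_sid, 2001.0),
        "old_password_rejected": st.login("alice", "hunter2", 2002.0) is None,
        "unaffected_user_ok": st.login("bob", "correct horse", 2002.0) is not None,
        "wrong_token_rejected": not st.complete_reset("not-a-token", "x", 2003.0),
        "reset_ok": st.complete_reset(tokens["alice"], "new-pass-1", 2004.0),
        "token_single_use": not st.complete_reset(tokens["alice"], "again", 2005.0),
        "new_password_works": st.login("alice", "new-pass-1", 2006.0) is not None,
    }
    tok_b = st.mass_reset({"bob"}, now=3000.0)["bob"]
    r["expired_token_rejected"] = not st.complete_reset(tok_b, "x", 3000.0 + RESET_TOKEN_TTL + 1)
    return r
```

The order of operations matters: mark the account `must_reset` and bump `pw_changed_at` before purging sessions, so a request racing the purge is still refused by `session_valid`. The same cutover time should also revoke API keys, OAuth refresh tokens, and "remember me" cookies, which this sketch leaves out for brevity.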