[BreachExchange] Breach Etiquette: How to Mind Your Manners When It Matters

[Destry Winant]

https://www.darkreading.com/edge/theedge/breach-etiquette-how-to-mind-your-manners-when-it-matters/b/d-id/1340182?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Few things elicit greater fear than the moment an organization
realizes it has been breached. Picture executives descending into
sheer panic and security teams scrambling madly as they assess the
situation and attempt to limit the damage. And it's little wonder why:
A breach can prove costly — often to the tune of tens of millions of
dollars — destroy a brand's reputation (if not the brand itself), and
lead to huge regulatory penalties.

When a breach occurs, how teams act and react has everything to do
with how quickly and smoothly an organization gets back on track.

"It's not a question of whether there's going to be pain and damage.
It's a question of how much," says Alan Silberberg, CEO of Digijacks,
a cybersecurity consulting firm that advises on crisis management.


Make no mistake: Etiquette matters. Although a typical breach scenario
may seem far removed from a "Miss Manners" advice column, there are
important takeaways about how to manage events and issue a meaningful
mea culpa.

"How you react and communicate are critical," says David Burg,
Americas cybersecurity leader at EY.

Here are four etiquette rules for navigating a breach.

Etiquette Rule #1: Understand the Rules of Engagement
While a cyberbreach and eating out may seem worlds apart, consider the
similarities: First, Burg says, you have to know what's being served
up and what response is appropriate. Chowing down at a food cart isn't
the same as going to a 3-star Michelin restaurant.

"There's a completely different set of expectations and standards
about how you dress, how you behave, and how you eat your food," he
says.

In the business world, a financial services firm or healthcare
provider that has strict regulatory reporting requirements must handle
a breach differently than a restaurant or plumbing supply firm. This
doesn't mean, however, that a mom-and-pop shop gets a free pass.

There's also a need to understand the nature of the intrusion.

"It could be malicious but limited in scope, or it could be a massive
breach," Burg says.

He suggests first determining whether the problem is damaging or
simply embarrassing.

"In some cases, it may be PII or a trade secret that has been stolen
in small quantities," Burg points out. "In other cases, you may be
dealing with a massive ransomware attack or destructive malware, such
as a Stuxnet attack."

Etiquette Rule #2: Say What You Know
During the immediate period following a breach, it's vital to move
fast — but not trip over yourself. A common problem, Silberg says, is
delivering inaccurate and ineffective information, which only serves
to increase confusion and sow mistrust.

"It's critical to know the extent of a breach and communicate about it
clearly and accurately. If you don't know, then you say what you know
and provide an update later," he says.

This can be tricky, of course. In some cases, an organization may want
to avoid revealing too much for fear it offers crooks a blueprint for
how to ratchet up attacks in the future. If the event is embarrassing,
it can be tempting to try to sweep it under the rug — particularly if
there are no regulatory requirements.

But this doesn't make the problem go away. For one thing, news may
eventually leak out. For another, "You can create a bigger problem and
increase your risk of legal action, including partner and customer
lawsuits," Silberg explains.

The bottom line is to stay ahead of the messaging, say what you know,
and avoid discussing what isn't clear, he says.

"It's OK to say you're not prepared to make a statement yet; it's
another thing to appear evasive or lie," Silberg says.

Good communication revolves around how, when, and how much, Burg adds.

"You want to be able to wrap your mind around what happened and have a
high degree of confidence that you're communicating accurate
information," he says.

Etiquette Rule #3: Be Ethical and Sincere
As with any issue involving etiquette, there's a need to abide by
ethical obligations and show respect for those adversely affected.
This includes business partners and customers. Sincere apologies are
important. Insincere actions usually dig a deeper hole. For instance,
offering a coupon or tossing out a discount code probably won't
convince anyone that you really care. In fact, it can backfire.

"It may look like you're simply trying to buy loyalty," Silberg warns.

The ability to adhere to both written and unwritten rules is
essential. A solid crisis response plan makes this possible. It
minimizes the risk of turf wars and internal warring that can occur
when the screws tighten and the pressure builds. A good plan
encompasses everything from the role of the board and C-suite to how
to navigate IT issues, cyber insurance, and communications. Ideally,
it involves senior IT specialists, security experts, legal experts,
and communications specialists.

A sound plan outlines roles and responsibilities, but also offers
specific contextual steps to navigate through the breach. In other
words, it clearly articulates ifs and whens. Yet it's also more than a
checklist. An excellent plan builds in flexibility based on a
company's position in an industry, its size, legal, and regulatory
requirements, and the data that was breached. Typically, it's wise to
have the plan vetted by third-party experts.

"If you have to devise a plan on the fly, it's too late," Burg says.

Etiquette Rule #4: Practice Makes Perfect
Think of a breach response as something akin to a wedding.
Participants practice the ceremony over and over until words and
actions become second nature. What's more, others know their roles.
The result is an ability to remain calm and confident if a problem
pops up.

"When you are properly prepared for a breach, you can call an audible,
make adjustments, and deal with whatever happens," Burg explains.

In the end, it's important to recognize that breaches happen, even to
the best protected and most prepared organizations. Just as good
etiquette and table manners can guide you through a business meeting
or dinner party, they can be your friend during a breach.

Says Silberg: "When you do things right and take an ethical approach,
you maximize the odds that you will minimize the damage."