As IT consultants, the responsibility we hold in guiding our clients to help them build an effective digital strategy is critical in the field of cybersecurity. After all, if a firm’s emails or networks aren’t secure, it can impact every aspect of that company’s operation.
But no matter how solid our clients’ cybersecurity strategies are, they will get hit by an incident or a breach at some point.
Today, data breaches are inevitable. Security perimeters can and will be breached. Just ask Facebook. Or Uber. Or Equifax.
In fact, in Thales’ 2019 Global Data Threat Report, it was found that 60% of businesses had experienced a (known) data breach, with 30% experiencing one in the past year.
In such a situation, our responsibility for keeping our clients cyber-resilient extends to enabling them to get back on their feet after a cyber incident has occurred.
Here are a few tips to share with your clients when preparing them to deal with the aftermath of a data breach:
Step 1: A fast and quality response
Not only does a fast, quality public acknowledgement of the breach look good in terms of company transparency, it is also mandated under various new data breach laws. The GDPR personal data breach regulations stipulate that you must disclose a breach of this nature to the relevant authorities within 72 hours - so you may as well craft your public response at this time, too. And closer to home, the Australian Government’s Notifiable Data Breach (NDB) Scheme requires local companies that trade in personal information or collect customer data to notify individuals if their personal information is compromised.
There’s a clear logic behind acting fast too - the longer a company waits to inform customers about the data breach, the greater the chance criminals will be able to use that stolen data. Target, unfortunately, didn’t comment on their breach until nearly a week after it was reported by security blogger Brian Krebs - bringing further reputational damage.
In your public announcement, which should be shared via every medium you use for business (mailing lists, website, social media, press releases), you should succinctly outline the breach, the data involved, the scale of the breach, and an action statement: pledging to take every measure of damage control possible.
Basically, you want the public to know that you won’t sleep until this is sorted out.
Step 2: Provide as much information as possible
One of the worst things you can do is not disclose the full information available to you at this time. Customers, and/or the tech-savvy general public, will dig into your statement to try to learn as much as possible about what has happened.
If you don’t disclose (close to) the full story, this can lead to scare-mongering and speculation about what exactly has happened as well as how it has happened.
People talk. And you want to be in control of the story.
Collaborate with your CISO (or cyber security leads) and your PR department to craft a response that gives the full story, without holes for the public to poke through. Have a read of Breaking Through The Culture Of Denial: Why Business Leaders Need To Share Their Experiences for some more tips.
Make sure to outline what the ongoing risks are for customers during this time, as well as whether you have shut down any systems or functions.
Being honest and transparent and saying “we don’t know right now” is definitely better than hiding the data breach altogether while you’re trying to figure out details. Instead, provide clear and frequent updates, so your customers know you’re working round the clock and doing all you can to rectify the situation. This will help earn their trust.
Step 3: Ensure the response is part of a cross-functional incident response plan
Your response cannot just be a reactive countermeasure to the breach. It needs to come as a part of a full plan to tackle the breach.
Your plan should cover all aspects of a typical risk management framework and be tested regularly. This includes taking into consideration legal and compliance requirements (such as GDPR).
It’s also good to cultivate relationships with relevant supply chain, government and other third-party organisations that can help you provide and/or disseminate more information after a data breach has occurred.
If you don’t have a cross-functional data breach response plan in place, then you might have to supplement your cybersecurity team with a dedicated response team while this is underway. Yes, there are professional services companies out there that can help out during this critical time - it’s better to spend the money if you aren’t as prepared as you should be.
An (almost obvious) part of your response plan should be to beef up your cybersecurity practices to prevent a repeat. Find out what caused the breach and take steps to fix the problem. For example, if the breach occurred due to a vulnerability in your email security system, consider adding an additional layer of protection from a specialist email security solution. Bolster current practices and solutions with even stronger ones to eliminate all risks – which essentially means taking a multi-layered approach to cybersecurity.
Step 4: Read and respond to sentiments following the breach
After the initial shock of the breach has passed, it’s important to follow up with ongoing information to the public, and then to read the public sentiment in the aftermath, including customer churn (that is, losing customers because of their concerns about the company).
How you respond to the public’s response is just as important as your initial statements. If the public have a poor view of your company, then it’s time to rebuild your reputation, which might take some serious work on the side of your PR and marketing teams.
If you’ve experienced high churn, then you might find yourself needing to ramp up the sales department - with a positive spin and lower-priced deals - to try and mitigate your losses. Try not to be like Equifax though. It was reported that after it suffered a data breach, the company originally offered customers free credit reporting for one year if they waived their rights to sue. To make things worse, Equifax tried to profit from its mistake by charging people who wanted to freeze their reports as an added layer of protection. Even after the company dropped this condition, extended free credit reporting for life and waived the credit freeze fees, it kept receiving flak for the way it responded to the cyberattack.
What other tips would you give to clients to prepare them for handling a data breach? Write to us below.
Talk to us
MailGuard's partner blog is a forum to share information and we want it to be a dialogue. Reach out to us and tell us what your customers need so we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.