Organizations need to plan, rehearse and modify their security protection on a continuous basis, to see what they are doing well and how they can do better.
Managing the Message
Due to the ever-increasing velocity of the 24/7 news cycle, it has become virtually impossible for organizations to control the public narrative around an incident. Responding to unwelcome information released on someone else’s terms is a poor strategy, and a defensive posture plays poorly with customers whose personal details have just been compromised.
Preparation is essential. This can be done through inter-departmental scenario planning that tests the organization’s media and customer response strategy. Creating and testing response plans may also attract interest from senior management, particularly if their organization, or a competitor, has suffered an incident that caused reputational damage. This is an opportune moment to demonstrate the business benefits of a coherent response plan.
This perspective—that disclosure will be more damaging than the data theft itself—is a guaranteed way to damage customer trust. However, advance planning is often lacking, as are the services of tech-literate public relations departments.
The lesson that we tell our members is to carefully consider how to respond, because your organization can’t control the news once it becomes public. This is particularly true as breaches are happening with greater frequency and as the general public pays greater attention to information security.
In the end, messaging should be about creating transparency, within the organization and with the public. The organization should be seen communicating in an ethical and trustworthy manner. This is not a time for using communication as either a PR opportunity or attempting to pull the wool over people’s eyes, nor is it time to pull down a veil of silence. Organizations need to communicate effectively throughout the incident (and afterwards), honestly and transparently, about the breach, its impact, what they are doing to address that impact, and what the customer base should be doing.
Data breaches have become a regular feature of modern life, and one that will have affected most of us by now. This will continue as long as efficiency and ease of data access trump security—a state of affairs that makes economic sense for many organizations, at least until they suffer their own data breach. Once a breach happens, the value of security as a business enabler becomes clearer.
The real difficulty lies in acknowledging that breaches are inevitable, and that resources invested in advance can pay dividends when a crisis occurs. It takes maturity for an organization to recognize that it cannot control the narrative after a breach becomes public, and that leadership involves being honest and transparent with customers to maintain credibility in difficult circumstances.
A robust data breach response begins before things go wrong. It includes developing a plan, regular scenario planning, taking decisive action and managing the message. These actions will involve a wide range of internal stakeholders, and also may require the services of external crisis management and media experts. Once a breach happens, swift decision making requires accurate data.
For the individuals who have ultimate responsibility for dealing with data breaches (the chief information security officer (CISO), CIO or equivalent role), the primary challenge lies in setting expectations and establishing credibility. This comes through consistent and clear-headed action, in both the easy and difficult moments.
In a world where data breaches are becoming all too common, organizations that produce an imaginative and credible response will certainly have an advantage over those that are slow and confused, and this will translate to tangible business value. With the speed and intricacy of the threat landscape changing on a daily basis, far too often we’re seeing businesses being left behind, sometimes in the wake of both reputational and financial damage.
Organizations need to take stock now in order to ensure that they are fully prepared and engaged to deal with these ever-emerging security challenges—before it’s too late.
Steve Durbin is the managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber-security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was a senior vice president at Gartner.