Although they’re becoming increasingly more frequent, every data breach is unique. For example, the target company is different, the compromised data and potential scope of breach are different, and the threat actors are different. Therefore, each response to a data breach requires a unique, precise, coordinated, professional effort from multiple stakeholders to be successful.
Although each situation is different and requires a different response, there are several things to avoid when responding to a data breach. Here are a few “universal truths” about the worst ways to handle a data breach.
Don’t Immediately Write-Off Security Companies, But Don’t Immediately Read Them On Either
Companies that are the victim of a breach may find various cybersecurity companies or researchers contacting them. While these companies aren’t necessarily involved in the breach itself (more on that later), it’s still difficult to know their reputation or their motivation. On the other hand, they may be professionals that can help you with your response and will provide you with valuable intelligence received in the course of their research.
In the event of a breach, it’s wise to respond to potential offers of assistance, but make sure to not provide them with too much information upfront or access to data that could be shared. This provides a number of benefits; it gives the security team time to find out more about the company offering help and motivates the individual or company to deal with you in the future. In addition, several great professional relationships have been born in this way, and it would be a shame to miss out on a mutually beneficial relationship by ignoring an email. Unfortunately, this process may not be so straightforward, especially if the company is publicly traded. The risk of being breached may cause significant consequences and will require proper notification of the SEC and any shareholders involved.
However, before exchanging any information about a possible breach, it’s best to seek legal counsel and advice from PR. The potential for unethical or illegal responses to data breaches is high, so the company should rigorously screen any responses or actions. There’s also the potential to be contacted by so-called “snake-oil salesmen” or individuals who are primarily motivated by their desire to take advantage of a company in dire straits. Establish contact and build a paper trail, always be cautious, and listen to what the third party has to say.
In some cases, the party reaching out to you may simply want to get credit as an independent researcher or organization voluntarily providing threat intelligence information they became aware of, but in some cases it may lead to an unethical business behavior – especially if the company is preparing for IPO or other business-related changes.
Exclude conflict of interest with your existing cybersecurity vendors. Those who will be unhappy to know that a breach occurred will organize an unbiased approach to risk assessment of the information – specifically if the breach came from an internal source. At the end of the day, it is your business and you need it to be protected.
MORE FOR YOU
Don’t Keep It “Private”
Bad news doesn’t get better with age, and that old adage holds true in the event of a data breach. Even if it seems like it’s possible to keep a breach secret, it affects customers, employees, or vendors to such an extent that keeping it a secret is highly unethical. There have been examples of Chief Information Security Officers (CISOs) who’ve paid hush money to keep data breaches private because they thought the breach was their fault, but this information always comes out in the end, or those who tried to simply hide it from the public. Both scenarios are completely wrong and put not only your company at a huge risk, but also your customers and counterparts. They need to be aware that their data may be exposed or compromised and you need to plan proper risk mitigation to minimize potential damage from it.
Don’t Stand for Extortion Attempts
Many threat actors are motivated by money, particularly in the case of ransomware attacks. These cyber attackers may immediately reach out to your company anonymously to inform you of a breach or critical vulnerability. Don’t engage with these anonymous tips. Instead, contact law enforcement and legal counsel. If the situation allows, inform your cyber threat intelligence vendor to check any known data about the actor – their network of relationships may help you with proper assessment of the potential risk involved.
That being said, some larger companies may have the resources at their disposal to engage with these threat actors without “spooking” them, which may assist law enforcement in apprehending these criminals and keeping the breach from being too damaging as the timing is critical and you need to react fast. Again, though, it’s best to execute these operations in cooperation with law enforcement to avoid potential ethical or legal issues.
Less is More. Don’t Provide Too Much Information.
There are many reasons you should avoid providing too much information when disclosing a breach. First, it’s likely an ongoing issue, and providing too much information could interfere with law enforcement or further provoke retaliation from cybercriminals. Second, some crisis management firms may advise a counter-attack or to release information that specific public allegations aren’t true. These may seem like good short-term plays, but in the long-term these tactics rarely work and may backfire on you when you least expect it.
Too much information, or incorrect information being released early on, could also affect any sort of cybersecurity insurance your company may carry. For example, specific policies may only cover breaches from nation-states, but breaches from individual actors or organized cybercrime may not be covered. To avoid this issue, companies may try to tie a breach to a nation-state loosely, but this is also misguided. Instead, in the event of a breach, it’s usually better to provide as little information as possible and make sure that any released information is rigorously screened and accurate. Once the breach is fully investigated, and there is meaningful information to share with the cybersecurity community, it’s important to do so as it will also show your company to have a high level of social responsibility. Other cybersecurity professionals will want to know what attack vector was used, what tools, tactics, and procedures have been used, and if possible the indicators of the compromise. Such information may help to prevent further breaches and also facilitate the identification of the threat actor.
A data breach is a chaotic time, and, understandably, victims often make mistakes in responding. However, this can be avoided by having a crisis response plan before a breach and practicing it regularly. Companies should disclose a breach to avoid legal and ethical issues but keep information about it limited and carefully checked for veracity through reliable independent parties. Don’t make these common mistakes in responding to a data breach. It’s a serious issue and needs to be handled carefully.
