Your organization has an incident response plan and a relationship with a consulting firm that can help contain and remediate a major data breach when it happens. And, of course, you have cyber and data breach insurance to cover damages. That’s great.
What if I told you none of this makes much of a difference when the nightmare breach scenario actually happens? Sure, an incident response plan is a great start, but most of those plans focus on the technical and procedural details of responding to an incident and keeping the business running, not the public relations panic that typically occurs after a major breach affecting your customers, brand perception, and security program image.
What if I told you that your data breach insurance won’t cover a cyberattack from China, Russia, or any others on the list of nation-state offenders responsible for a large percentage of attacks today? Why? Because such attacks are considered acts of war, which are not covered by most insurance policies. Furthermore, there are even classes of attacks or outcomes, such as ransomware, that have been dropped from coverage.
What if you knew today that a serious breach would most likely lead to a string of public relations disasters, one after another, costing you millions, taking up 20 percent of the average IT staff day for two years—leading to 75-hour work weeks for many—and making it increasingly difficult to attract and retain customers and recruit new talent?
If it sounds exasperating, that’s because it is. But there are measures you can take now to prepare yourself for the two-year firehose that is a serious data breach. Here are a few suggestions from someone who has been there, leading such a response at a large healthcare organization, the victim of one of the largest breaches on record, costing the company nearly one billion dollars.
Get a data recorder
After a plane crash, much of the investigation hinges on the black box that records everything that happened in flight. Imagine investigating a crash without that flight data recorder. That’s where most organizations stand today when they get breached. As a last-ditch effort, nearly all pay a consulting firm to come in and comb through their organization’s logs, emails, and servers—sometimes with nothing more than a spreadsheet—to determine everything that was accessed and build a breach timeline. While these teams are highly trained and very valuable, using them misses the point. Hiring and using external resources takes a lot of precious time and money, not to mention the airing of a lot of dirty laundry. But more important, it deprives the internal team of the opportunity to attack the problem and learn from it in order to prevent and respond to future attacks more effectively.
You can have that data recorder now and build that timeline capability immediately, and you must. The sooner the better. Create an internal practice now that has the tools and capabilities to build an attack timeline fast. There are lots of good tools out there that do this. In my opinion, auditors should ask every organization if they have this capability, as opposed to the other and often more nonsensical requests that come in from them.
Consider the cloud
While you’re at it, consider the visibility provided by the cloud services your organization uses. You have significantly less visibility into cloud logs, memory samples, and user activity, compared to your internal systems.
Collecting information and responding to a breach in the cloud is vastly different from the way you’ve been doing it on premises for the past 20 years. You will not be installing agents and network taps in the cloud. Examine your contracts and cloud management utilities to learn what information you will and will not be able to see, what is centralized and what is not when an incident occurs, and how you can improve on what is available now. Doing so will ensure that recovery is quick and complete.
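To make the "data recorder" idea concrete across both on-premises and cloud sources, here is an added example (not from the original article) that merges three differently timestamped logs into a single UTC timeline for one account and lists what that account touched. The log formats, account names, and file names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample records (not from the article). Each source keeps time
# differently: local time with offset, epoch seconds, and UTC JSON lines.
FILE_SERVER = """\
2024-03-04T22:31:40-05:00 jdoe READ /finance/payroll.xlsx
2024-03-04T22:14:09-05:00 jdoe LOGIN -
2024-03-04T09:02:11-05:00 asmith READ /hr/handbook.pdf
"""
MAIL_GATEWAY = "1709610125 jdoe SEND payroll.xlsx\n"
CLOUD_AUDIT = """\
{"time": "2024-03-05T03:20:02Z", "user": "jdoe", "op": "download", "key": "backups/customers.csv"}
{"time": "2024-03-05T03:50:30Z", "user": "jdoe", "op": "disable_audit_log", "key": "-"}
"""

def parse_file_server(text):
    for line in text.splitlines():
        ts, user, action, obj = line.split(maxsplit=3)
        when = datetime.fromisoformat(ts).astimezone(timezone.utc)
        yield (when, "fileserver", user, action, obj)

def parse_mail_gateway(text):
    for line in text.splitlines():
        ts, user, action, obj = line.split(maxsplit=3)
        yield (datetime.fromtimestamp(int(ts), timezone.utc), "mail", user, action, obj)

def parse_cloud_audit(text):
    for line in text.splitlines():
        rec = json.loads(line)
        when = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        yield (when, "cloud", rec["user"], rec["op"], rec["key"])

def build_timeline(user):
    """Merge every source into one UTC-ordered list of events for one account."""
    events = [*parse_file_server(FILE_SERVER), *parse_mail_gateway(MAIL_GATEWAY),
              *parse_cloud_audit(CLOUD_AUDIT)]
    return sorted(e for e in events if e[2] == user)

def objects_touched(timeline):
    """Everything the account read, sent or downloaded, in first-seen order."""
    return list(dict.fromkeys(e[4] for e in timeline if e[4] != "-"))

if __name__ == "__main__":
    for when, source, user, action, obj in build_timeline("jdoe"):
        print(f"{when:%Y-%m-%d %H:%M:%SZ}  {source:<10} {user:<6} {action:<18} {obj}")
```

The interleaving of file-server, mail, and cloud events only becomes visible once every timestamp is normalized to UTC; sorting the raw strings would scatter the sequence across two calendar days.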
Write your breach notification letter NOW!
When a breach extracts sensitive customer information, you must notify the customers. There are few things more treacherous from a PR point of view than creating a breach notification letter. Know your regulatory requirements, which are different for private and publicly traded companies, for financial firms and healthcare firms. Know what you must disclose—such as an accurate breach description, types of protected data compromised, mitigation efforts, and steps the recipient needs to take. Know what you want to disclose, and what you shouldn’t disclose because it would give too much useful information to your adversaries.
And do yourself a favor, write it in house, in collaboration with your communications and legal teams. Don’t give the letter to a consulting or PR firm to write. You’ll regret it. You need to do the heavy lifting on this one. And do it now.
Determine whose name will be on the letter. Will it be the CISO? CIO? CEO? For most companies it should be the CEO who is accountable. If the company puts that responsibility on another individual, make sure it’s for a great reason. The companies I’ve seen get this right, 9.9 times out of 10, have a CEO signature.
Who needs to get this letter, how many need to get it, and how will you get it to them? Do you know how to reach all of your thousands or millions of customers? Do you have everyone’s home or business address? You need to figure out those logistics now. Don’t depend on your web site or email if your network is compromised. How will you prepare your call centers for the inevitable deluge?
Who are your most important customers? Decide that now. Chances are you’ll inform them directly over the phone. How will your sales teams cope with all those phone calls? Who will staff the bridge calls? What will you say? Is there a limit to how many guests you can have on your calls?
You don’t want to say you’ll do one thing and then end up doing another. You don’t want to waste 90 days and then rush a half-baked letter out at the last minute. That’s why you need to plan it now. You’d be surprised how many companies botch this process completely and pay dearly for it with serious brand damage.
Which law enforcement?
Every good breach notification letter mentions that outside law enforcement has been contacted. Understand that having a relationship with the right law enforcement officials before a problem occurs is the best way to get the help you need fast. Figure out now how you will notify law enforcement, which contacts and agencies you will work with, who will notify them, and who will work with them directly.
Breaches are a PR nightmare and often the people speaking to the media or replying with comments on social media don’t know much about IT security. You don’t want them making embarrassing mistakes or saying things that endanger the investigation or reveal information you don’t want revealed.
It’s time now to put together a list of red and green phrases—red should be avoided, green are preferred. You don’t want spokespeople revealing too much or an incorrect detail about how the breach occurred and why you were caught flat-footed. You do want them telling the truth and protecting the mission and identity of the company but in a way that doesn’t reflect poorly on it.
I could go on, but these are the most important things that overwhelm companies and cause very expensive brand damage. These are the real costs and impacts of a data breach. When the time comes, you’ll want to know already how to handle these things and have it be part of your muscle memory. You don’t want to be scrambling to figure out all this stuff then, when the firehose is drowning you and your team can’t think straight.