It's not the breach that kills you, it's the cover-up
Rajat Bhargava, CEO, JumpCloud Inc.
It continues to amaze me - and the rest of the world - that time after time, companies continue to miss the boat when it comes to handling a data breach. For the record: it's how you handle yourself during and after a breach that will determine just how detrimental the breach actually is for your organization. Perhaps I am delving a bit into the communications and public relations field here, but with major data breaches continuing to permeate the headlines on a regular basis, perhaps crisis management is something worth further discussions with a more technical audience.
Today, we are witnessing this with the Target breach and the Neiman Marcus compromise, and we've seen it with countless other breaches in recent years, including government leaks. For many organizations, the knee-jerk reaction has been to deny or delay. I can't tell you how often I hear – “Perhaps the situation will go away in a news cycle or two,” or, “By giving credence to it, won't it just become a bigger story?” Perhaps it is the lawyers advising this strategy because of criminal and civil culpability, but in most cases this approach only serves to worsen the situation.
In addition to the above breaches, we see these missteps countless times with many organizations. Even in the last few months we have seen MongoHQ, White Lodging Services, Michaels and others go under the data breach microscope. While a bit dramatic, the media's new analogy – politicians are to adultery as corporations are to security breaches – is basically on the mark: in both cases, it's more important than ever to have a crisis response plan in place.
So, how do you do it and what should a data breach response plan include? It must incorporate, and be enacted at, all levels, from the system administrator to the chief executive officer, as comment from either has the power to quell or inflame the situation. From the moment a transgression, breach or otherwise occurs, there is a narrative being written – the question is who controls the story and how do you and your organization look in the end.
When it comes to the IT world, compromises happen - they just do. The very best security pro, armed with the very best technology, still cannot account for a rogue employee, or state-sponsored activities, or the NSA creating a weak cryptography algorithm and seeding it in the marketplace, or…you get the idea. While the deck is certainly stacked against IT security pros, there is still an enduring expectation of consumer privacy and security. As an industry, we must continue to focus on best practices and do more with the resources that we have to better secure our infrastructures, data, and confidential information. Our customers deserve our best and rely on us to protect them from a breach, but we must also be prepared to communicate effectively if and when the breach occurs.
Any public relations practitioner worth their salt will outline a four-step methodology for those in crisis response mode. First, admit to the mistake and do it quickly. Second, sincerely apologize for the issue. Third, understand how the issue occurred, state to the public how you're going to fix it, and then do so. Fourth, look forward without minimizing the crisis. The IT world can learn a great deal from this model, but it does need to happen quickly and in an honest way if it is to have the intended result. Those in IT need to both speak and act: inform those affected, then patch the vulnerable parts of the infrastructure to ensure the incident is isolated and its impact minimized.
IT organizations need to have an action plan in place on how to handle a compromise. A well-considered plan in which clear, concise disclosures are made to the people and organizations affected is the essential first step. Then, swift action must be taken to determine the root cause and remediate the vulnerability. With detailed knowledge of the compromise, you can now target (no pun intended) those that have been affected with more specific information, so that they can take steps on their side to protect themselves. Constant, clear communication with your customers and partners is critical to regaining their confidence and trust. It's a process that takes time, but it needs to start the moment you become aware of a potential compromise.
In a world in which hackers can hijack even our most protected and private information, compliance dictates tighter standards than ever and the media operates on a twenty-four-hour news cycle, the idea that an organization can cover up a data breach is simply reckless. Understanding that even the best-laid security plans can still end in a breach at some point, IT departments must be prepared to communicate with their key audiences and secure the point of breach. If approached head on in a proactive manner, it is very likely that an organization can overcome the negative effects of a data breach, repair its image and regain consumer confidence. However, an organization that attempts and fails to cover up a breach will likely suffer dire consequences and not be able to recover.