BreachExchange mailing list archives
9 rules to follow after you've suffered a data breach
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 13 Jun 2014 14:25:03 -0600
http://www.infoworld.com/t/security/9-rules-follow-after-youve-suffered-data-breach-244273

Upmarket Chinese restaurant chain PF Chang's became the latest prominent company to have its name linked with a data breach and stolen customer information. According to a report by KrebsOnSecurity, information from "thousands of newly stolen credit and debit cards" linked to the restaurant was discovered for sale on the black-market website rescator.so this week.

There was a time when incidents like this, involving the theft of data from a prominent firm, were capable of shocking the public and sending corporate managers and public relations departments into a tizzy. No longer -- last year saw the largest ever number of data breaches, with 2,164 incidents that exposed 822 million records, according to a report by the firm Risk Based Security.

Breaches and data theft have become the new normal, to the point where a data breach etiquette has developed -- a set of best practices that set the pros apart from the flailers. Any company that wants to avoid making the situation worse should observe these nine rules.

Data breach rule No. 1: Disclose sooner rather than later

The biggest mistake that organizations make is to sit on evidence of a security incident, only to have word of it spread by way of a third party. Auction giant eBay recently found itself in hot water with the press, the public, and state Attorneys General when it was revealed that the company had known about a security incident in which employee accounts were compromised for months prior to going public. In contrast, music streaming service Spotify won praise for making a public announcement after it found evidence that a single user account had been compromised via a mobile application. The moral: If you have good reason to believe that a security incident has occurred in which data was lost, disclose it as soon as you can. You can always update customers, regulators, and the public as new information becomes available.

Data breach rule No. 2: Tell the whole truth

It's natural for companies that suffer an incident to practice damage control. Unfortunately, some companies take this to mean playing fast and loose with the facts. That's a bad idea for several reasons. For one thing, the facts often speak for themselves: Incidents like the breach at Target Brands, which first came to light in December, are often driven by the discovery of stolen data online or by ongoing investigations by credit card issuers and banks. Companies that try to downplay news of a cyber incident soon find themselves being undercut by leaks and revelations from outside sources. In other words, say what you know (and what you don't know) and take your lumps.

Data breach rule No. 3: Get your crypto straight

Were those stolen passwords encrypted or hashed -- or neither? In the heat of a security incident, the specifics of the technology your company used to secure its data may seem like a small and irrelevant detail, but it's not. The software giant Adobe Systems was roundly criticized when it was discovered that passwords for 2.9 million customer accounts were encrypted, rather than hashed and salted in accordance with industry best practice. The difference may seem trivial, but Adobe's use of Triple DES encryption to protect the passwords made it more likely that the actual values could be retrieved by thieves.

Data breach rule No. 4: Communicate across channels

If you've been hacked, you have many audiences to address and many ways to reach them. Your organization needs a consistent and coherent message to convey, and it needs to communicate it across all available channels: email, blog posts, press releases, Twitter, Facebook and other social media.

eBay found itself in a harsh spotlight after its recent breach for issuing a press release to the media about the incident, but failing to make any mention of it on the eBay.com website and taking days to issue email notifications to customers advising them to change their account password.

Data breach rule No. 5: Customers come first, Wall Street second

While your CEO and other executives may be keen to reassure Wall Street and investors, remember that your first duty is to your customers. Companies that seem overly concerned about the impact of an incident on their stock price risk alienating customers who want reassurance that their data is being protected and, in the event of fraud, that they will be made whole. Offering to pay for credit monitoring services for those affected by the breach is a good start, but it shouldn't be the end.

Data breach rule No. 6: Kiss Pollyanna good-bye

If your company has suffered a hack, the message you send to customers, the media, and investors should be sober and communicate abundant caution. Be frank when talking about what data was taken, what those who took it might intend to use it for, and how those affected should protect themselves from abuse. Pollyanna-ish reassurances about not having "any evidence that the stolen information was misused" are commonplace, but they reassure no one and imply a "see no evil" attitude. After all, not seeing someone driving around in your stolen car doesn't make it any less stolen!

Data breach rule No. 7: Don't spare the gory details

With data breaches, the devil is in the details. When did the breach occur? How long did it last? How many systems were affected, and what kind of systems? What steps have been taken in response? Consider the post by secure password service LastPass back in May 2011. After discovering anomalous activity in log files for a "non-critical" machine, the company assumed the worst and posted a blog entry containing a blow-by-blow account of what happened.

Subsequent updates provided a frank discussion of "tactical errors" the company made in its response and its outreach to customers.

Data breach rule No. 8: Look ahead, not behind

Data breaches and other security incidents prompt changes within your organization, as well as in your relationship with your customers. Don't be shy about telling your customers what steps you will take in the future to make sure another, similar incident doesn't happen again.

Data breach rule No. 9: Move some furniture

If nothing else, data breaches and security incidents prove that whatever security measures you were taking didn't work. With that in mind, don't be shy about moving furniture around (or dragging some out to the curb) and letting your customers know that you're doing it. LastPass outlined a number of changes it was making after its security incident, from better instructions on logging on and off the service to the implementation of location-specific security features to the acquisition of additional server capacity.
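Rule No. 3 above turns on the difference between reversibly encrypting stored passwords and hashing them with a per-user salt. The Python below is added here as an illustration; it is not part of the article or of the mailing list post. It shows the defender's side of that distinction: a deterministic stored value (plain SHA-256 stands in here for the unsalted, key-reversible scheme the article criticises, since the standard library carries no Triple DES) makes every user who chose the same password visibly identical in a dump, whereas a salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library) yields distinct records that can be verified but not reversed. The function names, the iteration count and the sample password are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Work factor for PBKDF2. This is a constructed value for the example;
# tune it to the login latency you can afford, since it is also the cost
# an attacker pays per guess against a stolen record.
ITERATIONS = 600_000


def unsalted_digest(password: str) -> str:
    """Plain SHA-256 of the password with no salt (the weak form).

    Like a deterministic encryption of the password, this gives every
    user with the same password the same stored value, so duplicates are
    visible to anyone holding the dump, and one cracked value unlocks all
    accounts that share it.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$digest'.

    The salt is fresh and random per user, so identical passwords produce
    different records, and no key exists that turns the record back into
    the password.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return hmac.compare_digest(candidate, expected)


def identical_records(password: str, scheme: Callable[[str], str]) -> bool:
    """True if two users who chose `password` end up with identical stored values."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    # Constructed sample credential, not taken from the page.
    pw = "correct horse battery staple"
    print("unsalted: duplicates visible?", identical_records(pw, unsalted_digest))
    print("salted:   duplicates visible?", identical_records(pw, hash_password))
    record = hash_password(pw)
    print("stored record:", record)
    print("verify correct password:", verify_password(pw, record))
    print("verify wrong password:  ", verify_password("Tr0ub4dor&3", record))
```

The stored record carries its own algorithm tag, iteration count and salt, so the work factor can be raised later without invalidating older records: verify with the stored parameters, then rehash on successful login. Only the salted records survive a dump in a useful state; the unsalted form answers the article's question ("encrypted or hashed?") the wrong way.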
_______________________________________________ Dataloss Mailing List (dataloss () datalossdb org) Archived at http://seclists.org/dataloss/ Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com Supporters: Risk Based Security (http://www.riskbasedsecurity.com/) YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!
Current thread:
- 9 rules to follow after you've suffered a data breach Audrey McNeil (Jun 23)