BreachExchange mailing list archives

9 rules to follow after you've suffered a data breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 13 Jun 2014 14:25:03 -0600

http://www.infoworld.com/t/security/9-rules-follow-after-youve-suffered-data-breach-244273

Upmarket Chinese restaurant chain PF Chang's became the latest prominent
company to have its name linked with a data breach and stolen customer
information. According to a report by KrebsOnSecurity, information from
"thousands of newly stolen credit and debit cards" linked to the restaurant
were discovered for sale on the black-market website rescator.so this week.

There was a time when incidents like this, involving the theft of data from
a prominent firm, were capable of shocking the public and sending corporate
managers and public relations departments into a tizzy. No longer -- last
year saw the largest ever number of data breaches, with 2,164 incidents
that exposed 822 million records, according to a report by the firm Risk
Based Security.

Breaches and data theft have become the new normal, to the point where a
data breach etiquette has developed -- a set of best practices that set the
pros apart from the flailers. Any company that wants to avoid making the
situation worse should observe these nine rules.

Data breach rule No. 1: Disclose sooner rather than later
The biggest mistake that organizations make is to sit on evidence of a
security incident, only to have word of it spread by way of a third party.
Auction giant eBay recently found itself in hot water with the press, the
public, and state Attorneys General when it was revealed that the company
knew about a security incident in which employee accounts were compromised
for months prior to going public. In contrast, music streaming service
Spotify won praise for making a public announcement after it found evidence
that a single user account had been compromised via a mobile application.
The moral: If you have good reason to believe that a security incident has
occurred in which data was lost, disclose it as soon as you can. You can
always update customers, regulators, and the public as new information
becomes available.

Data breach rule No. 2: Tell the whole truth
It's natural for companies who suffer an incident to practice damage
control. Unfortunately, some companies take this to mean playing fast and
loose with the facts. That's a bad idea for several reasons. For one thing,
the facts often speak for themselves: Incidents like the breach at Target
Brands, which first came to light in December, are often driven by the
discovery of stolen data online or by ongoing investigations by credit card
issuers and banks. Companies that try to downplay news of a cyber incident
soon find themselves being undercut by leaks and revelations from outside
sources. In other words, say what you know (and what you don't know) and
take your lumps.

Data breach rule No. 3: Get your crypto straight
Were those stolen passwords encrypted or hashed -- or neither? In the heat
of a security incident, the specifics of the technology your company used
to secure its data may seem like a small and irrelevant detail, but it's
not. The software giant Adobe Systems was roundly criticized when it was
discovered that passwords for 2.9 million customer accounts were encrypted,
rather than hashed and salted in accordance with industry best practice.
The difference may seem trivial, but Adobe's use of Triple DES encryption
to protect the passwords made it more likely that the actual values could
be retrieved by thieves.

Data breach rule No. 4: Communicate across channels
If you've been hacked, you have many audiences to address and many ways to
reach them. Your organization needs a consistent and coherent message to
convey, and it needs to communicate it across all available channels:
email, blog posts, press releases, Twitter, Facebook and other social
media. eBay found itself in a harsh spotlight after its recent breach for
issuing a press release to the media about the incident, but failing to
make any mention of it on the eBay.com website and taking days to issue
email notifications to customers advising them to change their account
password.

Data breach rule No. 5: Customers come first, Wall Street second
While your CEO and other executives may be keen to reassure Wall Street and
investors, remember that your first duty is to your customers. Companies
that seem overly concerned about the impact of an incident on their stock
price risk alienating customers who want reassurance that their data is
being protected and, in the event of fraud, that they will be made whole.
Offering to pay for credit monitoring services for those affected by the
breach is a good start, but it shouldn't be the end.

Data breach rule No. 6: Kiss Pollyanna good-bye
If your company has suffered a hack, the message you send to customers, the
media, and investors should be sober and communicate abundant caution. Be
frank when talking about what data was taken, what those who took it might
intend to use it for, and how those affected should protect themselves from
abuse. Pollyanna-ish reassurances about not having "any evidence that the
stolen information was misused" are commonplace, but they reassure no one
and imply a "see no evil" attitude. After all, not seeing someone driving
around in your stolen car doesn't make it any less stolen!

Data breach rule No. 7: Don't spare the gory details
With data breaches, the devil is in the details. When did the breach occur?
How long did it last? How many systems were affected and what kind of
systems? What steps have been taken in response? Consider the post by
secure password service LastPass back in May 2011. After discovering
anomalous activity in log files for a "non-critical" machine, the company
assumed the worst and posted a blog entry containing a blow-by-blow account
of what happened. Subsequent updates provided a frank discussion of
"tactical errors" the company made in its response and its outreach to
customers.

Data breach rule No. 8: Look ahead, not behind
Data breaches and other security incidents prompt changes within your
organization, as well as in your relationship with your customers. Don't be
shy about telling your customers what steps you will take in the future to
make sure another, similar incident doesn't happen again.

Data breach rule No. 9: Move some furniture
If nothing else, data breaches and security incidents prove that whatever
security measures you were taking didn't work. With that in mind, don't be
shy about moving furniture around (or dragging some out to the curb) and
letting your customers know that you're doing it. LastPass outlined a
number of changes it was making after its security incident, from better
instructions on logging on and off the service to the implementation of
location-specific security features to the acquisition of additional server
capacity.
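Rule No. 3 above turns on the difference between storing passwords under reversible encryption and storing salted hashes. The following Python example is added here and is not from the article or from any company it names; it uses a constructed XOR keystream (labelled as such, not Triple DES) as a stand-in for a deterministic reversible cipher, and PBKDF2 for the salted hash, to show why one leaks every password to whoever holds the key while the other does not.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a deterministic, reversible cipher (NOT Triple DES).
# It keeps only the two properties that matter for the article's point:
# it is reversible with the key, and equal passwords yield equal stored values.
SERVER_KEY = b"constructed-demo-key"   # constructed; a server must hold this key

def reversible_store(password: bytes) -> bytes:
    """Store a password by XOR with a key-derived keystream (reversible)."""
    stream = hashlib.sha256(SERVER_KEY).digest()
    stream = (stream * (len(password) // 32 + 1))[: len(password)]
    return bytes(p ^ s for p, s in zip(password, stream))

def reversible_recover(stored: bytes) -> bytes:
    """XOR is its own inverse: anyone with the key recovers every password."""
    return reversible_store(stored)

PBKDF2_ROUNDS = 100_000   # assumption for the demo; tune to your hardware

def salted_hash_store(password: bytes) -> tuple[bytes, bytes]:
    """Store a per-user random salt plus a slow, salted, one-way digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return salt, digest

def salted_hash_verify(password: bytes, salt: bytes, digest: bytes) -> bool:
    """Verify by recomputing; nothing stored can be turned back into a password."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

def compare_schemes(passwords: list[bytes]) -> tuple[bool, bool, bool]:
    """Return (all_recovered_from_encryption, duplicates_visible_in_encryption,
    salted_digests_all_distinct) for a constructed list of passwords."""
    encrypted = [reversible_store(p) for p in passwords]
    recovered = [reversible_recover(c) for c in encrypted]
    duplicates_visible = len(set(encrypted)) < len(encrypted)
    hashed = [salted_hash_store(p) for p in passwords]
    digests_distinct = len({d for _, d in hashed}) == len(hashed)
    return recovered == passwords, duplicates_visible, digests_distinct

if __name__ == "__main__":
    # Constructed sample: two users chose the same weak password.
    sample = [b"password1", b"password1", b"correct horse battery"]
    print(compare_schemes(sample))   # (True, True, True)
```

With the reversible scheme every stored value decrypts under the one server key and repeated passwords are visible as repeated ciphertexts; with per-user salts the digests differ even for identical passwords and can only be checked, not reversed.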
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss