BreachExchange mailing list archives

No Company is Immune to a Data Breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 29 Dec 2014 18:59:29 -0700

http://www.odwyerpr.com/story/public/3768/2014-12-26/no-company-is-immune-data-breach.html

A company’s response to these attacks is critical. Like any crisis,
there’s no one-size-fits-all approach, and companies must rely on
experienced, trusted advisers to help them weigh a variety of factors and
formulate a tailored communications strategy that’s right for them.

Data breaches can take a multitude of forms. Hacking, malware and physical
attacks are still the most common; incidents of cyber theft can vary, from
hackers stealing customer or employee email addresses and passwords, to
cybercriminals accessing company financials. Unfortunately, attacks can
also originate within an organization and may or may not be intentional, in
cases of privilege abuse or the use of unapproved hardware, which is often
the result of weak internal policies.

While employing the latest in data security technology remains a
cornerstone for mitigating the risks associated with cyber-attacks,
companies today must go above and beyond to protect themselves and their
customers. Cyber criminals continue to outsmart even the most sophisticated
security systems, and companies across all industries must arm themselves
with contingency communications plans that can be put into play quickly in
the event that a cyber-intruder strikes.

With so many variables to consider, it’s imperative that companies retain a
tight circle of trusted, impartial advisers with experience handling the
most complex cyber-crime situations. This circle may include data breach
attorneys, data security consultants and crisis communications
professionals. This team should have a framework in place that will enable
an informed working group to move swiftly to assess the situation, contain
the breach, limit the damage, and determine the most effective way to
communicate with a company’s various stakeholders.

When responding to a breach, a comprehensive communications strategy is of
the utmost importance. If communications are mishandled, those blunders can
potentially be even more disastrous than the breach itself, and can have a
lasting impact on both the public’s perception and the company’s bottom
line.

While timeliness of a response is considered a hallmark of a sound crisis
communications strategy, in a data breach situation the magnitude and
nature of the cyber-attack may not immediately be evident, and a proper
investigation may take some time. Accuracy of the information available and
timeliness of the communications response can be an extremely delicate
balancing act.

Upon learning of a breach, companies should immediately alert the
appropriate authorities, while simultaneously investigating the breach and
commencing the scenario planning process with their circle of advisers.

Key questions that management should ask at this juncture include: “How many
people are potentially impacted?” “What type of information is lost?” “Is
there evidence of misuse of information?” “Has the unauthorized access been
contained?” “Was the information lost by our company or by a third party?”

As facts are determined, companies and their advisers should begin to
prepare for various scenarios following the breach. Anticipating key
questions from all constituencies, including the media and general public,
investors, regulators, and employees, will help drive the drafting of
potential disclosures and communications documents that can later be
finalized when the facts come to light. The scenario planning process
should be fluid, with the key adviser team ready to move forward with a
full communications plan in short order and poised to adjust response
materials or strategies as needed. As part of the initial scenario planning
process, a leak strategy addressing various scenarios should be prepared
immediately, as the media may become aware of a breach and reveal it.

Disclosures and communications materials are dependent on many factors,
including the impacted company and parties, the scope of the incident, the
information stolen, and the industry climate, among numerous others.
Disclosures must be as accurate and specific as possible and legally
permissible; subsequent corrections are often interpreted as signs that a
company is not effectively managing the situation.

A breach could trigger a public filing requirement and may warrant a press
release, depending on the magnitude of the breach and the level of impact.

A company’s corporate website enables it to provide updates to its
stakeholders regarding the breach and the investigation in real time
without issuing multiple press releases.

A social media strategy regarding the incident should be considered.

Work closely with law enforcement officials and apprise them of any
communication plans; legal disclosure requirements vary by state and an
ongoing, active investigation may limit how much the company can share
about the nature of the breach.

A notification letter from the company’s management team can assure
stakeholders that the incident is being taken seriously and the upper
echelons of the company are directly involved in the management of the
breach.

Consider setting up a call center via a third party to handle customer
inquiries and ensure that call center staff are trained to manage
appropriate responses.

When financial information or other critical pieces of personal information
are involved, companies should consider offering impacted customers credit
monitoring services.

In today’s digital world, sophisticated and determined cyber criminals are
capable of attacking a wide range of data systems and computer networks,
and we must increase vigilance in both our professional and personal lives.
Cyber-intrusions may have become commonplace, but it is the management of
stakeholder communications in the aftermath of these insidious attacks that
will shape a company’s reputation for the long term.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 