The rash of high-profile data breaches that has dominated the news in recent months worries a growing number of companies, as it should. Boards are now responding seriously to the issue, as they should be. The criminal activity shows no signs of abating, despite the heightened attention of policymakers and regulators. According to Symantec’s Internet Security Threat Report 2014 (disclosure: Edelman client), 552 million identities were exposed in data-breach incidents across various sectors in 2013, and the average number of records exposed per breach is up more than 2.6 times from last year.
Despite the ugliness, some valuable lessons are being learned that can help organizations defend themselves against sophisticated cyber-crooks.
Lesson No. 1: Develop a roadmap
Benjamin Franklin’s famous maxim, “An ounce of prevention is worth a pound of cure,” couldn’t be more appropriate in business today. If companies haven’t done the necessary preparation, they burn time the team doesn’t have in the heat of the moment.
To truly get ahead, the leadership teams should focus on getting four simple things out of the way ahead of time:
- Determine your outside counsel, forensics firm, communications counsel and credit monitoring service.
- Create a data security crisis scenario that involves all the functions responsible for legal, regulatory, operations and reputation.
- Put your teams through a crisis simulation so they can work with all of their colleagues and better understand the gaps in the processes and procedures.
- Develop relationships with lawmakers and regulators in the states where you do business. Meeting them for the first time after a data security incident is not the best way to make a first impression.
Lesson No. 2: Be lean, yet integrated
Determine who’s on the team – and the team leader with the authority to make decisions – and keep it as small as possible. In most cases, the essential individuals are represented by the heads of IT, security, legal, communications, the business lead and, perhaps, the CEO. The same should be the rule for outside advisors. Doubling up on outside legal counsel and lobbying firms, or bringing in new players midstream, will only hinder the response and distract you from keeping customers as your primary concern.
Lesson No. 3: Be prepared for a fluid situation
Companies need to realize that data security incidents always include twists. What they think they know invariably turns out later to be inaccurate and, if communicated, may create significant legal liability. While rumors and misinformation will swirl, companies must understand that investigating a data breach and communicating about it properly takes time.
“In major breaches, it can take a month or two of round-the-clock work to answer: How did the attackers get in and when? What did they view? What did they steal? Are they still in there?” explains Eric Friedberg, executive chairman of Stroz Friedberg, a digital forensics firm. If you must communicate something, say what you know, acknowledge what you don’t know and continue to keep people updated.
Lesson No. 4: Speak the same language
Finally, in a security breach, it quickly becomes clear that many of the players don’t know the technical issues or the language of payments and data security. A chasm is immediately created between the IT team and the other parts of the business. That’s why it’s vital for the full response team to know the nomenclature of the IT security and payments worlds. Spending some time with a free online resource such as the SANS Glossary of Security Terms or the Payment Card Industry (PCI) Glossary of Terms, Abbreviations and Acronyms will pay off when disaster strikes.
While taking these steps won’t fix all of the problems, it will significantly lessen the pain once the issue surfaces and allow the company to focus on the problem at hand.