As if a data breach weren’t problem enough, mishandling the security incident makes an already bad situation worse. Just ask Equifax, whose executives were charged with insider trading by U.S. officials after the company’s 2018 data breach, or Marriott, which is now facing multiple class-action lawsuits for, in part, failing to provide adequate, timely notification.

If you’re facing a data breach at your organization, here are three things you most certainly should NOT do in response.

  1. Panic

Because data breaches are so common, IT security teams are best served when they evolve their assumption of risk into an assumption of compromise. Following that line of thinking, it is appropriate, and prudent, to plan your breach response in advance. Being prepared keeps you from launching into a state of panic when you discover that attackers have made off with your data, and from reacting by going with your gut. Instead, follow a series of pre-planned, organizationally agreed-upon recovery steps.

Ensure your recovery plan has a focal point – what do you need to do to restore systems, data, applications and access? Identify and train appropriate team members and practice data breach response and recovery so when the time comes, you’re ready. There’s no need to panic.

  2. Hide

As much as you may want to conceal news of a breach and hope that it goes away, don’t. Late last year, Uber was ordered to pay $148 million after the company failed, for a year, to notify 600,000 drivers and 57 million riders that their personal information had been stolen by hackers. Instead of reporting the breach, Uber chose to pay the hackers a $100,000 ransom for the stolen information to be destroyed. After a significant corporate shake-up that included a new CEO, the company now faces an uphill battle to demonstrate transparency and rebuild trust.

Others may choose to sit on breach news ‘until they know more.’ This isn’t wise either. When personal information has been stolen, impacted individuals need to know as soon as possible so that they can take the necessary precautions to protect themselves. For companies doing business with EU citizens, GDPR requires breach notification to occur within 72 hours of discovery. Failure to comply carries a very big price tag.

  3. Misinform

Communicating what you know, when you know it, is critical to swift data breach recovery. Once a breach has been discovered, assemble your communications team, which most often consists of senior members of public relations, human resources, consumer advocacy, and your legal team.

There are three principles of good communication that can guide your process: Is it true? Is it helpful? Is it necessary? Concise, cold, hard facts are what’s needed in this situation, delivered in straightforward language. Ambiguity is enemy number one.

We’ve covered three important things NOT to do after a breach. One important step you SHOULD take, however, is to lean on the NIST Cybersecurity Framework (NIST CSF). Using five pillars, NIST CSF outlines a series of best practices to guide you through preparing for, protecting against, responding to and recovering from a data breach. The first four pillars (identify, protect, detect and respond) have been covered in earlier posts.

For more information on how NIST CSF can help your organization, we created a series of short videos on the framework and other essential cybersecurity tips. For more on how NIST CSF can help you Recover from a breach, watch the short video below. And while you’re at it, watch and subscribe to our full Cybersecurity Insights video series on YouTube.

Cybersecurity Insights


Video Transcript

Hey everyone, and welcome to 2019! Josh here from Absolute. Today, we’re going to be wrapping up our discussion of the NIST Cybersecurity Framework by looking at the final pillar: Recover.

For decades, IT security teams began each morning with the assumption of risk. After all, we live in a world that has plenty of danger. Now, we start to see that assumption of risk transform into the assumption of compromise.

When you adopt this mindset, you are already in line with the planning portion of recovery. Planning for recovery needs to have a focal point, namely, to restore systems, data, access, applications, and users. It can be tempting to go with your gut during a security incident. Panic sets in, and we use rules of thumb and bias to guide our decisions. But the beauty of NIST is that it gives us an opportunity to develop plans when our emotions are not at a boil.

Beyond planning, the recovery pillar urges us to improve our people, processes, and technology to lower the probability of a repeat occurrence. Of course, past performance is no guarantee of future results, and we may think, “There’s no time for that.” But perhaps I can encourage you to treat security events like tuition payments. You already footed the bill, so it would be foolish to rob yourself of the education.

Finally, an effective recovery is dripping with good communication. This includes public relations, consumer advocacy, internal guidance, and perhaps even confronting perpetrators in court.

There are three principles of communication to consider:

  1. Is it true?
  2. Is it helpful?
  3. Is it necessary?

By faithfully representing what happened with cold, hard facts, you avoid having others fill in the details with their own lurid imagination. Tell them (in plain speak) what happened. Naturally, people get skittish about security incidents, but you can communicate in a helpful way that reduces panic and prevents exacerbating knee-jerk reactions. And finally, don’t blather on and on to anyone about everything. Keep it concise. Share what’s necessary to recover and move forward with more resilience.

There you have it. The five pillars of NIST.

Be sure to subscribe for more cybersecurity insights, and I’ll see you next time.