I hope you’re reading this at a time when you’re not in the midst of a response to an actual breach, but rather for your own edification during a time of relative peace and quiet. If people are out there doing internet searches on “what to do after a breach” to learn what to do after experiencing a dire emergency, I suspect computer security problems are merely one symptom of their professional woes. Whether or not you’ve yet been hacked, the best time to start designing and practicing your breach response is long before an attack has been discovered. There’s no time like the present to get started preparing for emergency.
I’m sure we’ve all seen some variation on the theme of Public Service Announcements where we’re encouraged to prepare a kit full of things that are useful in an emergency, whether that’s fire or earthquakes or our car breaking down in a snowstorm. While data breaches may be somewhat less “life or death” than any of these situations, that does not mean we should postpone dealing with them until we’re in the midst of an emergency.
As we prepare to say farewell to 2017, we have to admit that the past year has brought plenty of painfulexamples of companies responding sub-optimally to their own breach events, which made the reputational consequences much more severe. As with any sort of crisis, the more information and awareness you have going into the crisis, the less overwhelming and painful it is to get past it. This holds true whether you’re the primary target of the attack or a customer whose information was stolen.
Below are the five things to include when building your breach preparedness kit. (For additional insights, I recommend watching this on-demand webinar, Data Breaches and the New Threat Landscape: Why Prevention is Key.)
1. Make a list of steps to take and keep it updated
This list is sort of analogous to the information you would give to a babysitter. Who needs to be contacted in case of emergency, and in what order? What actions need to be accomplished, in what specific circumstances? This post by my esteemed colleague Denise Giusto Bilić can help you understand the types of actions that need to be completed, which you can then tailor to the needs of your own organization.
That list needs to be regularly updated so that you’re not giving instructions for processes that no longer exist, or asking emergency responders to contact someone who has moved on to another position, who has left the company, or is on vacation. It needs to be kept (encrypted, to keep it from thieves’ prying eyes, please!) somewhere that is easy to find and revise, so people don’t have to spend precious time scrambling to unearth it.
2. Create a template response—in advance
Unsurprisingly, messaging that announces bad news is a very delicate and sensitive task. This is maybe not a task you want to delegate to someone in the midst of a chaotic situation, and it is definitely something you should be creating in consultation with your legal department or an attorney who has experience in Data Breach Notification law. You can avoid this situation by creating a template response in advance, so that emergency responders can focus on providing accurate and timely information.
Many companies err on the side of waiting to notify people until investigations are over, which tends to leave customers feeling quite resentful. Even before you have all the information about what has occurred, you can let people know that there has been a problem so that they can take steps to protect themselves. Don’t underestimate the power of the warm fuzzies that can be gained by regular updates to your affected customers, even if those missives don’t provide much in the way of new information. Suffice it to say it’s a good idea to run any text by an editor so you don’t end up sending something out that still has place-holder text.
Remember that customers often see data breaches as a breach in trust; you need to keep them updated regularly with current information as a part of rebuilding that trust.
3. Prep a webpage
As with a messaging template, it’s a good idea to have a webpage set up and stored (almost) ready to go, so that most of the heavy lifting is already done. This will save time and reduce potential errors, since you can thoroughly check and test code and assess the clarity of your text at a time pre-breach when people are still presumably calm and collected.
Whether you choose to use a whole separate domain or just a page on your existing site, make this decision beforehand and communicate it clearly when an emergency arises. It is a good idea to keep the URL fairly short so that it can be easily sent on a variety of different messaging platforms, or read on short radio or television clips. It is probably a good idea to register any domains that sound similar or might be mis-typed in order to reduce phishing and scams by criminals.
4. Implement encryption and 2FA
After a data breach, companies often offer improved security measures to their customers, to help mitigate any harm that has been caused. In the case of credit monitoring, it does make sense to offer this only after an attack has occurred. But if you are prepared to consider offering something like improved authentication options after a breach, you can save yourself the significant cost of reputation loss by adding those options before a problem happens.
Implementing and then advertising your use of security- and privacy-enhancing measures can be a market differentiator to improve brand loyalty. Most people may not understand Salting & Hashing or Network Segmentation, or appreciate the science behind data encryption and two-factor authentication (2FA), but they will appreciate knowing that no one else can access their passwords and other sensitive information.
See what 2FA can do for you: Watch this webinar, Not Optional: Why Your Business Needs 2FA Now.
5. Test your policies and procedures
Once or twice a year, test your data breach response program by simulating an incident, and go through the steps of responding as you would as if it actually occurred. Some businesses already do this in concert with crisis management consultants. Injecting some scenarios from case-studies of other companies’ data breaches can make yours more realistic and help better prepare your business.
No business is too big or too small to be a target of attacks. If you have any sort of information that is of value to anyone – whether or not you understand how that data can be monetized or weaponized – there is a criminal out there who would be happy to steal it. We have long since passed the point where companies should be considering whether they might be breached; it is now a matter of when. By taking the time to prepare for that sort of emergency, your business can better weather the storm.