As I mentioned in one of my earlier blogs last week or so, it is data that is the lifeblood of any business today. Whether it is quantitative, qualitative, Big Data, you name it, it is what makes Corporate America move forward. The same can even be said of AI and ML systems. They need data (and large amounts of it) in order to get the job done for you.
But the Cyberattacker, seeing how valuable all of this is, has now made stealing it one of their top priorities. This is technically known as “Data Exfiltration”.
Typically, this happens on a very covert level, and in fact, you probably won’t even recognize that it is happening to you. The primary reason for this is that the Cyberattacker is taking it out very slowly, so that no alarms or warnings are triggered.
But you won’t realize that you have become a victim until it is too late. At this point, it is quite likely that the Cyberattacker will attempt to launch an extortion attack, or even to sell the heisted data sets on the Dark Web.
Now, consider this statistic: in 2022, there were almost 2,000 instances of Data Exfiltration that impacted almost 422 million victims, both individuals and businesses. This is according to the latest market research report from the Identity Theft Resource Center.
More information on this can be seen at the link here:
In the end, we can all become victims of a data breach. It’s just the way that the world has become. But now the key thing to do here is to try to be as proactive as possible, and to mitigate those risks from happening to you. But suppose you are impacted by this? What do you do? Well, for a business, here are some steps to follow:
1) Notify your customers:
The first thing that the Cyberattacker is going to go after are the PII datasets of your customers and even your employees. So once the “aha” moment comes and you realize that you have been impacted by a security breach, you need to immediately contact your customers.
If your company is small enough, the best approach here would be to personally contact all of your customers and let them know what happened. The next best alternative (if a lot of them have been impacted) is to send each one of them an email and a snail mail letter. But don’t make this a last priority. It should be your first!!! Why I say this is that not only is it both your legal and moral obligation to do this, but by quickly notifying your customers, they will feel that you really do care about them, and the probability will be higher that they will stick with you.
If you don’t take this approach, you might as well say goodbye to all of them.
2) Inform all relevant stakeholders:
When I say “stakeholders”, I am referring to your C-Suite, Board of Directors, third party suppliers, shareholders, etc. They too deserve to know what has happened, and how corrective actions are being taken. But with this group of people, you can divulge more information, which should include the following:
*What datasets were stolen
*How they were stolen
*Details of all of the parties that have been impacted
*When the security breach actually happened
*How quickly your IT Security team responded
*What immediate corrective actions have been taken
*If law enforcement and the relevant regulators have been informed
*What steps have been taken to take care of customers (such as whether they have been notified, whether they are being offered free credit reports, etc.)
*How the impacted parties can reach out to get more information
In this aspect, it is important to keep in mind that each state has its own laws about notifying impacted parties, but this is no excuse. As a CISO, it is your responsibility to alert individuals that have been affected!!!
3) Take responsibility:
If you have been hit with a security breach, apart from notifying the relevant parties (as just described), you also have to make a public statement about it as well. This is where you, the CISO, need to take full accountability and responsibility for what has happened. After all, you are the captain of the ship that is trying to protect the most valuable assets of your business. Don’t “pussyfoot” about it, or try to point the fault at others. Just come out, say what happened, and accept it. This will carry a long way in the eyes of the public and in terms of your brand image/reputation, rather than trying to hide and lie about things. In fact, a recent study has shown that 25% of customers are very unforgiving of a company if they are not told the truth about what has happened, when it comes to a security breach. More information about this can be seen at the link below:
https://www.aflac.com/docs/about-aflac/csr-survey-assets/2019-aflac-csr-infographic-and-survey.pdf
My Thoughts On This:
Finally, as the CISO, you need to go far beyond the minimum that the law and data privacy regs mandate you must do. You really have to bend over backwards and help all of those that have been impacted.
In fact, these kinds of processes should be included in your Incident Response Plans.