Saturday, July 1, 2023

How A CISO Needs To Handle PR After A Data Breach: 3 Golden Tips

As I mentioned in a blog a week or so ago, data is the lifeblood of any business today.  Whether it is quantitative, qualitative, or Big Data, it is what keeps Corporate America moving forward.  The same is true of AI and ML systems: they need data, and large amounts of it, to get the job done for you.

The Cyberattacker, seeing how valuable all of this is, has made stealing it one of their top priorities.  This is technically known as “Data Exfiltration”.

Typically this happens covertly, and you probably will not even recognize that it is happening to you.  The primary reason is that the Cyberattacker moves the data out slowly, in small pieces over a long period, so that no single transfer is large enough to trip an alarm or warning.
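The reason a slow trickle evades a typical alert is worth seeing in code. The following is an added example, not part of the original post: it runs two detection rules over constructed egress flow records (timestamp, source host, destination IP, bytes out). The per-flow size threshold, the host names, the destination addresses and the per-host daily baselines are all assumptions made up for the illustration. A naive per-flow threshold fires on one large legitimate backup but never on the host that sends 2 MB every hour; a per-host, per-destination daily sum compared against that host's baseline catches the trickle.

```python
"""Detect low-and-slow data exfiltration from egress flow records.

Added example (not from the original blog post). Flow records are
constructed sample data: (timestamp, src_host, dst_ip, bytes_out).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flows (not real traffic). Host ws-17 sends 2 MB to
# one external address every hour for a day (the trickle); ws-03 is a
# normal host; srv-01 does one large but legitimate 15 MB backup.
_base = datetime(2023, 6, 1, 0, 0)
FLOWS = []
for _h in range(24):
    FLOWS.append((_base + timedelta(hours=_h), "ws-17", "203.0.113.9", 2_000_000))
    FLOWS.append((_base + timedelta(hours=_h), "ws-03", "198.51.100.5", 300_000))
FLOWS.append((_base + timedelta(hours=2), "srv-01", "198.51.100.7", 15_000_000))

# Assumed tuning: a 10 MB single-flow alert, and an assumed daily egress
# baseline per host (in practice learned from weeks of history).
PER_FLOW_THRESHOLD = 10_000_000
BASELINE_DAILY_BYTES = {"ws-17": 5_000_000, "ws-03": 8_000_000, "srv-01": 20_000_000}


def per_flow_alerts(flows, threshold=PER_FLOW_THRESHOLD):
    """Naive rule: alert on any single flow larger than the threshold.

    Returns the sorted list of hosts that triggered it.
    """
    return sorted({src for _ts, src, _dst, nbytes in flows if nbytes > threshold})


def daily_totals(flows):
    """Sum bytes per (day, src_host, dst_ip)."""
    totals = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        totals[(ts.date(), src, dst)] += nbytes
    return totals


def low_and_slow_alerts(flows, baseline, factor=3.0):
    """Alert when a host's daily bytes to a single destination exceed
    factor x that host's baseline. Hosts with no baseline get a limit of
    0 and therefore always alert, which is the conservative choice.
    """
    alerts = []
    for (day, src, dst), total in sorted(daily_totals(flows).items()):
        limit = baseline.get(src, 0) * factor
        if total > limit:
            alerts.append({"day": str(day), "src": src, "dst": dst,
                           "bytes": total, "limit": int(limit)})
    return alerts


if __name__ == "__main__":
    print("per-flow rule fires on:", per_flow_alerts(FLOWS))
    for a in low_and_slow_alerts(FLOWS, BASELINE_DAILY_BYTES):
        print("daily-sum rule fires on:", a)
```

The per-flow rule reports only srv-01 (the backup), while the daily-sum rule reports ws-17 with 48 MB against a 15 MB limit and stays quiet on the backup, which is still well inside srv-01's baseline. Neither rule is sufficient alone; the point is that the window you aggregate over has to be at least as long as the attacker's patience.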

You will not realize you have become a victim until it is too late.  At that point, it is quite likely that the Cyberattacker will launch an extortion attack, or sell the stolen datasets on the Dark Web.

Now, consider this statistic:

In 2022 there were almost 2,000 data compromises, impacting roughly 422 million victims, both individuals and businesses.  This is according to the 2022 Annual Data Breach Report from the Identity Theft Resource Center.  More information on this can be seen at the link here:

https://www.idtheftcenter.org/post/2022-annual-data-breach-report-reveals-near-record-number-compromises/

In the end, any of us can become the victim of a data breach.  That is just the way the world is now.  The key thing is to be as proactive as possible and to mitigate those risks before they happen to you.  But suppose you are impacted anyway?  What do you do?  For a business, here are some steps to follow:

1)     Notify your customers:

The first thing the Cyberattacker goes after is the PII of your customers, and even of your employees.  So once the “aha” moment comes and you realize you have been hit by a security breach, you need to contact your customers right away.  If your company is small enough, the best approach is to personally contact every customer and tell them what happened.  The next best alternative, if a lot of them have been impacted, is to send each of them both an email and a letter by postal mail.  Do not make this your last priority.  It should be your first!!!  Not only is it your legal and moral obligation, but by notifying your customers quickly you show them that you really do care about them, and the probability is higher that they will stick with you.  If you don’t take this approach, you might as well say goodbye to all of them.  One practical caveat: the notice must be accurate, so build it on the facts your incident responders have actually confirmed (what was taken, when, and what the customer should do about it, such as resetting passwords or watching for phishing that uses the stolen details), and have counsel review it, because a notice you later have to walk back does more damage than the breach notice itself.

2)     Inform all relevant stakeholders:

When I say “stakeholders”, I am referring to your C-Suite, Board of Directors, third-party suppliers, shareholders, etc.  They too deserve to know what has happened and what corrective actions are being taken.  With this group you can disclose more information, which should include the following:


* What datasets were stolen

* How they were stolen

* Details of all of the parties that have been impacted

* When the breach actually happened, and when it was detected

* How quickly your IT Security team responded

* What immediate corrective actions have been taken

* Whether law enforcement and the relevant regulators have been informed

* What steps have been taken to take care of customers (have they been notified, are they being offered free credit monitoring, etc.)

* How the impacted parties can reach out to get more information

Keep in mind that each state has its own laws about notifying impacted parties, and many regimes set hard deadlines (the GDPR, for example, requires notifying the supervisory authority within 72 hours of becoming aware of a breach).  But the law is the floor, not an excuse for delay.  As a CISO, it is your responsibility to alert the individuals who have been affected!!!

3)     Take responsibility:

If you have been hit with a security breach, apart from notifying the relevant parties (as just described), you also have to make a public statement about it.  This is where you, the CISO, need to take full accountability and responsibility for what has happened.  After all, you are the captain of the ship that is trying to protect the most valuable assets of your business.  Don’t dance around it, and don’t try to point the finger at others.  Just come out, say what happened, and own it.  This carries a long way in the eyes of the public and for your brand image and reputation, far more than trying to hide or lie about things.  In fact, a 2019 Aflac survey found that 25% of customers are very unforgiving of a company that does not tell them the truth about what happened in a security breach.  More information about this can be seen at the link below:

https://www.aflac.com/docs/about-aflac/csr-survey-assets/2019-aflac-csr-infographic-and-survey.pdf

My Thoughts On This:

Finally, as the CISO, you need to go far beyond the minimum that the law and the data privacy regulations mandate.  You really have to bend over backwards to help everyone who has been impacted.  These communication steps belong in your Incident Response Plan: pre-drafted customer and stakeholder notices, an up-to-date contact list for counsel, regulators and law enforcement, and a named spokesperson, all rehearsed in tabletop exercises before you ever need them for real.
