Data breaches are inevitable, and waiting for a breach to occur before designing an incident response plan is a recipe for failure. The question is when the breach will occur and how you will respond, not whether you will be breached. 100% prevention simply doesn’t exist, so having a plan to deal with a security breach is now more important than ever. You probably already have an incident response plan from a technical perspective, built around phases such as preparation, identification, containment, eradication, recovery and lessons learned. Data breaches make headlines and are in the public eye almost weekly. Given the severe reputational damage that can arise from a high profile data breach, a communication plan alongside the technical response plan is now a necessity. CISOs must now learn about public relations and crisis management, as the changing facets of the role force them to move from technologist to business leader. As the role changes you must consider what is required to communicate with your internal and external stakeholders: most importantly your customers and shareholders, and the general public. What will be communicated, how it will be communicated and what will be done to remedy the situation must all be communicated quickly, across multiple mediums, to the right audience. Honesty, transparency and accepting accountability are key to saving your organisation’s reputation in the court of public opinion. Breaches are inevitable, but data theft is not. Remember, focusing on all five functions of a comprehensive security program (identify, protect, detect, respond and recover) provides full circle protection and allows you to manage your risk.
In Aon’s 2015 Global Risk Management Survey, the number one risk that keeps senior managers and risk leaders awake at night is “damage to reputation and brand”. Interestingly, number 7 was “Business interruption” and number 9 was “Computer crime/hacking/viruses/malicious codes”. A single information security breach can give rise to risks 1, 7 and 9 at the same time. Whilst every incident that becomes a crisis must be handled in its own way, there is one factor common to all crises, and that is communication.
How communications are handled with your stakeholders is critical in protecting your organisation’s reputation. How an incident is communicated can either significantly help or hurt how affected customers, employees and shareholders view the company. A crisis in itself can create three types of threat: a threat to public safety, a financial loss to the organisation and/or a loss of reputation. Ordinarily, information security professionals have not had to think much about public safety, but as more and more smart devices become connected to physical infrastructure, cyber-attacks will have an increasing and potentially devastating impact on the physical world. Some industries will see this before others, such as transport management systems, vehicles (think driverless cars) and hospitals. What is inevitable is the convergence of physical security and information security. Physical security is concerned with the safety and preservation of life, and it will now be part of the purview of the information security professional. Because a failure in information security may result in the loss of human life, as information security professionals we can no longer consider security to be just about the confidentiality, integrity and availability of information.
In early 2016 the law firm Mossack Fonseca experienced a huge data breach. Some 11.5 million documents were leaked, revealing how the rich and famous use tax havens to hide their wealth. The fallout from the breach included the resignation of the Prime Minister of Iceland over an undisclosed interest in an offshore company. If you needed tax advice would you go to Mossack Fonseca? I’m thinking you wouldn’t. Loss of or damage to an organisation’s reputation is the number one risk that keeps senior business managers awake at night. Reputation and brand are closely related but different, even though the terms are sometimes used interchangeably. Brand is owned by an organisation. It is the organisation’s promise to its people; it is what the organisation would like its stakeholders to believe is true. Reputation, on the other hand, is owned by the organisation’s stakeholders; it is their collective perception of what they believe to be true. An organisation’s reputation strengthens its brand, but brand does not greatly influence reputation.
A data breach may, in a worst case scenario, turn into a crisis. When responding to security incidents it is often a case of Murphy’s Law: “what can go wrong, will go wrong, in the worst possible way”. In this type of situation it is important to protect your organisation’s reputation by communicating the right message to the right people at the right time. A key part of crisis management is to have a plan and update it annually. Have a designated team where each member has defined responsibilities. Test the plan annually; this is very important, because if you’ve never tested your plan, how do you know that it works? How will the people involved in responding to the incident know what to do if they haven’t had a chance to practise? The table below provides some help in determining and assigning tasks and explaining who will do what part of the data breach communications response. It should be used as a guide and tailored to your individual organisation.
| Activity | CMO | CEO | Comms Manager | CIO | CFO | COO | CISO | Legal Counsel | CHRO |
|---|---|---|---|---|---|---|---|---|---|
| Form the team | | | | | | | | | |
| Determine incident facts and current status | Updates | Updates | Updates | Owner | Updates | Updates | Implements | Updates | Updates |
| Obtain outside PR/comms assistance | Advises | Updates | Owner/ | | | | | | |
| Obtain outside IR assistance | Updates | Updates | Updates | Updates | Updates | Updates | Owner/ | | |
| Prepare communications | Advises | Advises | Owner/ Implements | Advises | Advises | Advises | Advises | Advises | Advises |
| Issue communications via channels | Updates | Updates | Owner/ Implements | Updates | Updates | Updates | Updates | Updates | Updates |
| Monitor social media and stakeholder reactions | Updates | Updates | Owner/ Implements | Updates | Updates | Updates | Updates | Updates | Updates |
Each of the roles used in the table is explained below:
- Advises: This individual or group provides input into the steps to be completed or the process to be performed.
- Owner: the individual or group that administers, oversees or manages the process, function or steps.
- Implements: the individual or group that performs the function, steps or actions in accordance with the owner’s wishes.
- Updates: This party receives updates on status and progress from the Owner.
You should consider using an outside public relations firm if you don’t have the skills in-house.
A crisis can be defined as the “sudden and unexpected creation of victims, accompanied by unplanned visibility for the organisation”. A serious data breach can certainly meet this definition: the release of personal information can lead to identity theft and, depending on the information, extortion, and in a worst case scenario suicide. Pre-draft your crisis messages and web site content ahead of time. Preparing a response to a data breach begins long before the breach actually happens. A key challenge in a crisis is to minimise negative or hostile media coverage that can undermine the confidence of your customers, employees, shareholders and business partners. Your communications should quickly establish your organisation as the best source of information regarding the breach, explaining what has happened, what your organisation is doing to fix the problem and how you’re keeping any victims safe.

In a crisis situation, most commonly, a “holding statement” is issued as soon as possible. A holding statement provides the media with an initial statement that sets out the basic facts about the incident and lets people know that you’re dealing with the situation. The holding statement should contain as much factual information as is available, however limited it may be, together with a firm commitment to provide further information when it comes to hand. Your statement should describe the immediate steps that have been taken and what you intend to do next. The most important aspect of a holding statement is to be honest. Aim to establish and maintain credibility by acknowledging the facts. Your credibility will depend on your audiences’ assessment and perception of your level of honesty and sincerity, so if credibility is lost, trust is lost too. Acknowledge that the information you have is incomplete and may change over time as your investigation continues. When drafting your holding statement consider the following:
- Define and introduce your spokesperson – who are they exactly?
- Keep the statement short and simple, for example, “We understand that there has been a data breach”.
- Explain what your priorities are, “We are working to limit any damage or harm to our valued customers”.
- Explain that the appropriate authorities have been contacted, for example law enforcement and specialist forensic investigators (if applicable).
- Reassure the public of your priorities and assure the public and media that you will keep them updated as more information comes to light.
Prior to an incident, ensure that you have told your people how to respond to questions from the press and media, with something along the lines of: “Thank you for your question. I am not a designated spokesperson for the company; please go to www.companywebsite.com.au or contact our communications team.”
A statement must always express regret about the situation and be clear on what information you can provide at this time and what cannot be provided. Ensure that you provide a consistent message across all channels, from the company website to your intranet (don’t forget about your employees) and social media. Prepare your call centre for an influx of calls and provide them with a script to ensure that everybody is sending a consistent message. The call centre is important because those affected must be able to speak to a live person rather than a machine, so try to keep wait times to a minimum.
All technical incident response plans must be designed to answer six questions; the answers to these questions will allow you to craft your messages and identify who your audiences are.
- What systems and data have been affected?
- How did the attackers do it?
- Who did it?
- Is it over?
- Can it happen again? If so, how?
- How can we stop it from happening again?
In order to communicate what has happened to your stakeholders, it is important to gather and understand all the facts of the breach inside and out. Identify who is impacted and affected, because you’ll use this information to develop your communication messages for those individuals and/or groups. Incidents can be very challenging, and building a complete picture of what happened, who did it and why may take days or weeks and require specialist skills that your in-house team does not have. Consider using specialist incident response resources if your in-house team doesn’t have the right skills and knowledge. Better still, have them on retainer. The time taken to ensure that the right contracts are in place before an incident will let you sleep better at night. You don’t want to be in a situation where you’ve just had a data breach and you’re negotiating contractual terms with the people that can help you the most.
When a crisis or bad news strikes your organisation, the first place the outside world will turn to for information is your company’s website. There won’t be time to construct a new site from scratch, so consider creating a “dark site” ahead of time. A dark site is a prebuilt website that can be activated when needed. It positions your organisation as the primary source of information about the crisis, signals to the news media that you intend to provide timely and accurate information, and demonstrates that you’re in control and taking your responsibilities seriously. In general your dark site should list all available facts, any special instructions as to what those impacted should do, the steps your organisation is taking and any relevant contact information.
On January 15, 2009, US Airways flight 1549 left LaGuardia Airport in New York and struck a flock of geese, causing the loss of both engines. The plane made an emergency landing on the Hudson River, and all 155 people on board survived the harrowing ordeal thanks to the skill and quick thinking of the pilot, Capt. Chesley “Sully” Sullenberger. This event helped Twitter become a social media powerhouse and changed the way that news is reported. The man who started it all was Janis Krums, who tweeted, “There’s a plane in the Hudson. I’m on the ferry going to pick up the people. Crazy”. He tweeted that to his 170 followers. Roughly half an hour later he was being interviewed live on MSNBC, and later his photo appeared on the front page of national newspapers. Twitter co-founder Jack Dorsey told CNBC in 2013, “Suddenly the world turned its attention because we were the source of news—and it wasn’t us, it was this person in the boat using the service, which is even more amazing”. The news no longer breaks, it tweets. Social media is an umbrella term for web enabled applications built around user generated and manipulated content, such as wikis, podcasts and social networking sites such as Twitter, Facebook and YouTube. Social media has created citizen journalists and the age of instant news and direct reporting from those that have been affected in some way. It has forever changed how the public gets its news. This in turn has changed the way that responses to a data breach must be handled: a response must be immediate, and it must include a commitment to two-way dialogue and to being open, honest and transparent about what has happened and what is being done to fix the problem. Social media adds complexity to communicating in a crisis; the multiple channels, user control over messages and real time delivery make social media far more complex to manage than the simple press releases of days gone by.
The use of social media in your communications plan is no longer optional in the era of instant and always available news. When communicating post breach your goal should be to satisfy your audience and provide sufficient information. Identify those that have been affected, and ensure that your messages are correct and consistent so that any corrections are limited. This will make it easier for you to maintain your credibility. The biggest mistakes are not being proactive and not having a full grasp of the facts of the breach before issuing communications. To develop and maintain credibility you must show that your organisation is on top of the situation and has implemented an action plan to control and mitigate further harm. When structuring your communications, be sure to:
- Admit your mistakes
- Communicate early and often
- Be sure to tell your side of the story before someone else does
- Explain what will be different in the future
Communicating after a data breach is difficult, as not all of the facts may be known, but it is always necessary to show concern for the safety of those that have been impacted.
When choosing your communication channels, consider the following:
- Written statement or press release
- Your website
- Email out to those affected
- Call centre scripts
- In store signage
- A written letter
- Social media posts
- Advertising on the radio, in TV or newspapers
- A video message
Notification of those affected by a data breach is mandatory in some parts of the world, but not here in Australia. This may change in the near future with the Privacy Amendment (Notification of Serious Data Breaches) Bill. An exposure draft of the bill was released in December 2015 and comments from industry and individuals were requested. The Office of the Australian Information Commissioner (OAIC) nevertheless recommends that appropriate disclosures are made in the event of a data breach. Organisations that must abide by the Privacy Act are obliged to put in place reasonable security safeguards and take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification and disclosure. In the OAIC’s “Guide to Handling Personal Information Security Breaches”, reasonable steps may include the preparation and implementation of a data breach response plan that includes notification of affected individuals and the OAIC. Notification is recommended where there is a real risk of serious harm. To determine whether a real risk of serious harm exists, the following factors must be evaluated:
- The context of the information breach
- Who has the information?
- How could it be used and what type of harm may eventuate?
Once a decision has been made to notify those affected, consider when and how notification should occur and who will make it and who exactly will be notified. Notification may be made via phone, letter, email or in person. The notification should include:
- A description of the incident
- The type of personal information that has been lost
- The organisation’s response
- What type of assistance is available
- Contact details
- How the individual may lodge a complaint to the OAIC
In countries that do have mandatory data breach notification laws, the demand for identity monitoring and cyber insurance services grows once notification becomes mandatory, creating new industries. Post breach notification requirements drive the implementation of incident response processes that may become a source of competitive advantage between organisations.
Nothing beats real world examples, so let’s take a look at three breaches that have made the headlines, Target, Anthem and Sony.
A data breach is bad, but letting someone else tell the world it has happened is even worse. Brian Krebs of www.krebsonsecurity.com broke the story of the Target breach the day before Target publicly acknowledged it. Over 40 million credit/debit card numbers were stolen, as well as the personal details of over 70 million customers. The sooner the incident is acknowledged, the sooner you can start saving face. From the Target breach we learned that organisations must be prepared for the influx of customer complaints and enquiries. Target’s call centre was overwhelmed and its social media channels were flooded with complaints. Despite an initially shaky start, Target was able to pick up its response by:
- Daily news briefings
- The CEO issuing an apology via video
- Shoppers received a discount
- A web site was created for disseminating information related to the breach
- Providing free credit monitoring for a year to impacted customers
Anthem, at the time of its data breach, was the USA’s second largest health insurer. Nearly 80 million customer records were exposed, containing personal information such as name, address, date of birth, social security number, email address, phone number and income data. Upon discovering the breach, Anthem closed the vulnerability, contacted the FBI and engaged an outside security consulting firm. Anthem’s initial efforts were praised by the FBI. Anthem’s response featured:
- The launch of a dark site – anthemfacts.com
- A statement by the CEO
- Release of frequently asked questions (FAQ)
- A phone hotline
- An open letter from the CEO
- Social media releases on Facebook and Twitter
- The provision of credit monitoring and identity protection services to impacted customers
Anthem was quick to respond to customer queries. Most news stories regarding the breach contained direct quotes from Anthem spokespeople, elements of its initial statements and links to the dark site.
Sony’s response to the 2014 incident should stand as a lesson in what NOT to do. The Sony Pictures CEO is on the record as stating that Sony had no playbook on how to respond. Sensitive documents, embarrassing emails, unreleased movies and the personal information of over 40,000 people, both current and former employees, were leaked. Sony waited days to respond to the media and missed opportunities to update the public on what was happening.
In short, be prepared, have a plan, test it and make sure that everyone on your team knows what to do when the inevitable data breach occurs.
Wayne Tufek is currently a Director of CyberRisk (www.cyber-risk.com.au). For over 20 years he has formulated pragmatic, business driven strategies to establish, execute and improve cyber risk management in ASX listed companies and some of Australia’s largest organisations across the public sector, Big 4, financial services, consumer products, education and retail sectors. Wayne is a member of Chartered Accountants Australia and New Zealand and holds the SABSA SCF, CISSP, CRISC, CISM, CISA and ISO/IEC 27001 Lead Implementer qualifications. He is frequently asked to present at security conferences and events in Australia and internationally including the ACSC Conference, RSA APJ and CeBit.