Cyber-security incidents are dramatically increasing across all industries, as communication conveniences leave us more vulnerable to risks than ever.
Consider the Target breach that exposed the credit card data of 40 million customers during the 2013 holiday shopping season, or the eBay incident, a social engineering attack that resulted in the compromise of more than 100 million user records.
What if such a breach happens to someone affiliated with your organisation, such as a board member? Imagine that your company has potentially suffered a security incident. Records may have been compromised, but you don’t know for sure. In fact, you aren’t even sure if there was an intrusion into the network. Perhaps an employee accessed an unauthorised database.
When an incident happens, the reaction is often to cry “data breach,” which gets reported to — and repeated by — the board of directors. That phrase, uttered publicly by someone with major organisational stature and influence in the absence of context, could create a snowball effect of legal, public relations, and compliance steps that could end up costing the company a great deal.
Why Language is So Vital
When discussing an alleged security situation, the word breach is often used. Yet when people hear the word breach, they tend to assume the worst: credit information stolen, for example, putting bank balances at risk. While this did happen with Target, which necessitated filing claims, replacing credit cards, and monitoring activity, not all breaches extend this deep. For instance, in eBay’s case, remediation consisted of changing a password.
The key to owning the publicity around such security violations often lies with getting ahead of the story, and ensuring any use of the word breach is accompanied by apologies and clear information about the steps a firm is taking to fix the issue.
“Applying a typical crisis model doesn’t work for modern attacks,” notes the International Association of Privacy Professionals. “Be careful claiming the issue is fully resolved; be cautious of numbers being communicated,” because one of the worst things that can happen is board members publicly assuring customers the issue has been contained — only for it to get out that it’s worse than it appears.
Consider Other Words
What are the ways that organisations should react to a security event? During a panel discussion at the Enfuse Conference 2016, experts like Ed McAndrew, formerly with the U.S. Department of Justice, agreed that breach is a loaded word that shouldn’t be used because of the panic and legal issues that are triggered. Unless you are the person who is investigating the threat, you do not know the exact points of compromise, and by using the word breach, you may be providing false information.
“There are other types of security incidents, such as impersonation, denial of service and website defacement that don’t involve the theft of sensitive personal data and are very different in the eyes of the law and for purposes of regulatory compliance,” Kate Brew wrote for AlienVault’s blog.
Instead, organisations should consider using terms like incident or event, which are less loaded than breach. Even these terms have distinct meanings:
- Security breach involves stolen or compromised data and has legal ramifications.
- Security incident is “an event that violates an organisation’s security or privacy policies involving sensitive information such as social security numbers or confidential medical information,” according to Mahmood Sher-Jan’s post for ID Experts.
- Security event is “any observable occurrence in a system or network,” according to the National Institute of Standards and Technology.
Organisations aren’t required to notify law enforcement or the public about security incidents. However, a data breach must be reported. In the U.S., 47 states, as well as Washington, D.C., Guam and Puerto Rico, have laws requiring companies to report any data breach that compromised consumer information, according to the National Conference of State Legislatures.
A Transparent Process is Always Required
Looking back on well-publicised data breaches, it’s clear that organisations that proceed with an ongoing and transparent process engender more trust with the public. When board members discuss information surrounding a security incident, they should approach the situation with appropriate caution. Instead of communicating all of the information that was lost or stolen, explain the impact on the public and impact on the organisation. Additionally, the public should be informed about what they should do to keep their accounts safe. Finally, when speaking on behalf of the organisation, board members should use terms that clearly represent the incident as presented by IT and security personnel and not wander off script with generic terms like data breach.
It is vital for an organisation to have an understanding about the nuances of cyber security and the different roles the various departments have to play in these situations. The more they know and the more they understand that words matter, the more likely they’ll be able to take the appropriate steps that can end up saving the company in reputation and costs.