Uncategorized

Communication Matters, Especially During a Security Incident

Cyber-security incidents are dramatically increasing across all industries, as communication conveniences leave us more vulnerable to risks than ever.

Consider the Target breach that exposed the credit card data of 40 million customers during the 2013 holiday shopping season, or the eBay incident that was the result of a social engineered attack that resulted in the compromise of more than 100 million user records.

What if such a breach happens to someone affiliated with your organisation, such as a board member? Imagine that your company has potentially suffered a security incident. Records may have been compromised, but you don’t know for sure. In fact, you aren’t even sure if there was an intrusion into the network. Perhaps an employee accessed an unauthorised database.

When an incident happens, the reaction is often to cry “data breach,” which gets reported to — and repeated by — the board of directors. That phrase, uttered publicly by someone with major organisational stature and influence in the absence of context, could create a snowball effect of legal, public relations, and compliance steps that could end up costing the company a great deal.

Why Language is So Vital

When discussing an alleged security situation, the word breach is often used. Yet when many people hear the word breach, people often have a tendency to assume the worst—credit information stolen, for example, putting bank balances at risk. While this did happen with Target, which necessitated filing claims, replacing credit cards, and monitoring activity, not all breaches extend this deep. For instance, in eBay’s case, remediation consisted of changing a password.

The key to owning the publicity around such security violations often lies with getting ahead of the story, and ensuring any use of the word breach is accompanied by apologies and clear information about the steps a firm is taking to fix the issue.

“Applying a typical crisis model doesn’t work for modern attacks,” notes the International Association of Privacy Professionals. “Be careful claiming the issue is fully resolved; be cautious of numbers being communicated,” because one of the worst things that can happen is board members publicly assuring customers the issue has been contained — only for it to get out that it’s worse then it appears.

Consider Other Words

What are the ways that organisations should react to a security event? During a panel discussion at the Enfuse Conference 2016, experts like Ed McAndrew, formerly with the U.S. Department of Justice, agreed that breach is a loaded word that shouldn’t be used because of the panic and legal issues that are triggered. Unless you are the person who is investigating the threat, you do not know the exact points of compromise, and by using the word breach, you may be providing false information.

“There are other types of security incidents, such as impersonation, denial of service and website defacement that don’t involve the theft of sensitive personal data and are very different in the eyes of the law and for purposes of regulatory compliance,” Kate Brew wrote for Alien Vault’s blog.

Instead, organisations should consider using terms like incident or event, which are less loaded than breach. Even these terms have different meanings.

  • Security breach involves stolen or compromised data and has legal ramifications.
  • Security incident is “an event that violates an organisation’s security or privacy policies involving sensitive information such as social security numbers or confidential medical information,” according to Mahmood Sher-Jan’s post for ID Experts.
  • Security event is “any observable occurrence in a system or network,” according to the National Institute of Standards and Technology.

Organisations aren’t required to notify law enforcement or the public about security incidents. However, a data breach must be reported. In the U.S., 47 states, as well as Washington, D.C., Guam and Puerto Rico, have laws requiring companies to report any data breach that compromised consumer information, according to the National Conference of State Legislatures.

A Transparent Process is Always Required

Looking back on well-publicised data breaches, it’s clear that organisations that proceed with an ongoing and transparent process engender more trust with the public. When board members discuss information surrounding a security incident, they should approach the situation with appropriate caution. Instead of communicating all of the information that was lost or stolen, explain the impact on the public and impact on the organisation. Additionally, the public should be informed about what they should do to keep their accounts safe. Finally, when speaking on behalf of the organisation, board members should use terms that clearly represent the incident as presented by IT and security personnel and not wander off script with generic terms like data breach.

It is vital for an organisation to have an understanding about the nuances of cyber security and the different roles the various departments have to play in these situations. The more they know and the more they understand that words matter, the more likely they’ll be able to take the appropriate steps that can end up saving the company in reputation and costs.

Featured Blog