I don't think I'm alone as a business owner when I worry about the possibility of being breached. There must be many more like me who over the years have detected something which suggests that the worst has actually happened. Fortunately, "touch wood", these incidents are few and far between and they have all been false positives, which is just as well for the sake of my heart, as each such incident ages me prematurely by around 10 years. Though having responded to numerous actual incidents, where the hackers have been rummaging around the digital "knicker drawers" for years without being detected, there is always that niggling doubt at the back of my mind.
Whilst a big part of our Incident Response Planning Service focusses on Forensic Readiness, we also cover Crisis Communications and work with the client on a few boilerplate press releases which will meet the client's desired approach to numerous situations. When it comes to notifying the world, some businesses prefer to keep their cards close to their chest, though we recommend transparency. The reason for having boilerplate press releases prepared before the crisis is that trying to be a creative wordsmith after at least 24 hours of stress without any sleep isn't likely to happen; moreover, you have more important things to do, like saving your business. Better by far to have the pleasantries prepared so that you just fill in the detail when you are ready to release. We'll cover successful approaches to announcing that you've had a breach a little later.
Stop all the clocks, cut off the telephone,
Prevent the dog from barking with a juicy bone,
Silence the pianos and with muffled drum
Bring out the coffin, let the mourners come.
W H Auden
Part of the Crisis Communications preparatory work is around who is informed in what order. In addition to any regulatory requirements such as GDPR, the Information Commissioner's Office (ICO) and others, consider your suppliers, clients, shareholders and anyone else with a vested interest in knowing that you have been breached. The last thing you need is for them to learn about it on the 6 o'clock news. It is also vital to consider whether the breach may result in an onward compromise, for instance where an email account has been breached and emails with malicious content are being sent to the entire contact list of the poor member of staff who fell victim to a phishing email, and where you may be held liable. In this instance, will earlier notification to those affected be of benefit to them?
Don't forget to keep the list of who to contact, together with their contact details, available offline; it would be somewhat ironic if the attackers deleted or encrypted this information!
Another vital element of breach reporting is rumour control. As a business responsible for responding to incidents, we are regularly contacted by friends and acquaintances when they hear a rumour that this company or that company has been breached and may need our help. Occasionally, these rumours find their way to the media and control of the situation can be lost. There are a number of ways to address the issue of staff disclosing the breach prematurely, usually via email or social media: include a statement in employees' contracts of employment, remind them during their regular security briefings, and remind them again when the breach is first discovered. This must cover their friends, family and even their partners, as the temptation to gossip can be too much for some people.
The way in which you disclose a breach may perhaps not make, but could certainly break, your business. If there are no regulatory requirements, or if you choose to ignore them, you may be inclined to sweep the breach under the carpet and say nothing. Provided the breach isn't discovered at a later date there will be no PR impact. However, if you are caught out, the consequences could be dire, as any trust in your business would be broken. It is also worth bearing in mind that many hackers will release information about a breach, sometimes years later.
The Twitter breach, which is still ongoing (July 2020), is an interesting example of transparent reporting, obviously through the medium of a Tweet. Many of us are reaching the realisation that it's no longer a case of if a business will be breached, but rather when. The stigma and corporate shame of a breach is diminishing, provided the business in question was taking cyber security seriously and had implemented appropriate measures to guard against such an issue. Though in reality the details of the compromise won't be released until long after the incident, probably just as the business was starting to regain its reputation.
With the perceived inevitability of a compromise in mind, perhaps we are better off staying with a business which has been breached, provided the business has learned from the situation and improved its security. In past years we were all too often called in to a business to respond to an incident and, as soon as they were out of immediate danger, they would bury their heads back in the sand and continue in exactly the same way as before, without investing in cyber security. This attitude is thankfully changing, due in part to the financial penalties imposed by GDPR, but also because there is an increased awareness of cyber security at all levels.