We’ve all heard the phrase “there are two types of companies: those who have been breached and those yet to discover it,” but beyond that, there is the issue of knowing how to respond.
Too many times the response to a breach has been the most memorable part, and usually for the wrong reasons. Seeing a CEO interviewed on national television in response, or publicly speaking on what happened, can have positive and negative effects on your company, customers, and reputation.
With an attempt to ensure that there are better guidelines in place in how to do a decent response, two academics recently put together a whitepaper (also available here) named “A framework for effective corporate communication after cybersecurity incidents.” Authored by Richard Knight from the University of Warwick, and Jason Nurse from the University of Kent, it claimed the “research seeks to tackle this problem through a critical, multi-faceted investigation into the efficacy of crisis communication and public relations following a data breach.”
The paper is drawn on a review of academic literature and industry and CISO surveys, and aims “to improve the understanding of what constitutes effective and poor external communication following such incidents.”
Speaking to Infosecurity, Nurse said the idea for the whitepaper came from seeing data breaches in the news time and time again, and while the number of attacks has increased, “the response that companies have is often quite lacking in terms of knowing what to say” and this is leading to speculation on why and what happened.
“So we were interested in understanding the question of how companies should respond after a data breach in terms of corporate communications and public relations,” he said. “There is a lot of stuff in security in terms of incident response, but in terms of actual communication and what you should say and how you should say it, that is really lacking.”
Nurse said that as well as academic papers and CISO interviews, they also looked at commentary from the likes of Troy Hunt, Graham Cluley and Bruce Schneier to understand what sort of responses looked good and bad, and compare these sources to see what could be seen as a set of best practice.
This led to the development of a framework of best practice, with a focus on security and crisis response, which he said they didn’t want to be too academic “that businesses could not use.”
As for the framework, Nurse said this is split into two areas, “as you cannot prepare for after the breach unless you’ve done some pre-breach or pre-event work.” So there is one focus on pre-event, and the other on cyber-crisis as a post-event.
The points are broken down into components you can consider or use, and guidance on legislation and whose data you hold. On the post-breach side, there is focus on different areas such as disclosure, and when and how to disclose, and framing the message in terms of accepting responsibility.
“In some cases, the victim would come out and say ‘it’s the attacker’s fault and they should be blamed, it’s not our fault’,” Nurse said. However, your customers have entrusted you with their data, and it is not good to offload the blame to an attacker.
"You cannot prepare for after the breach unless you’ve done some pre-breach or pre-event work"
He also said there was advice where if you’ve suffered and disclosed breaches in the past, don’t say “we take security seriously” as this just antagonizes individuals.
In terms of when to disclose, Nurse said there is often the dilemma on what you disclose and do you under or over-estimate the amount of records and customers impacted? He recommended avoiding under-estimating, and recognize that this if this is done badly, the media coverage can begin all over again.
There is also the issue of using social media, and not having a united message on what happened, “as the company says something, and then someone says something else that is the wrong thing, and that results in trending news.”
Pointing at the Equifax breach as an example, Nurse said this was an interesting case study as we saw the company try to release the website to see if you were impacted, but phishers set up phishing websites that looked similar. “There is a lot to consider there; it is not just to release a website, but how you release it properly.” Also if you’re sending lots of emails, consider that mail servers may see that as spam or even an attack and begin blocking the messages.
Nurse said that the intention of the paper was to emphasize that it is important to brief the staff, as you should have a communications strategy for them on what is happening, and how the company has been impacted. “It is really important to keep staff briefed on what is going on, and this is part of the guidance, and keep the message clear, avoid jargon and when it comes to certain levels of message, it should come from the CEO or chairman,” he said. “That is the best way to show that the company is taking security seriously.”
He said this is where an authoritative voice can work, as putting someone up who doesn’t know what to say “is going to result in more fall out.” Having the wrong message can impact the organization, as well as how they are viewed in the eyes of stakeholders, consumers and this can impact share price.
Nurse said the work on this framework took around a year, as he and Knight did a triangulated approach to produce this guidance, “and we’re really happy to see this level of take up as it is exactly what we wanted to do, and we were really surprised that there is nothing else like this out there.”
“It’s a really tricky area where we could find so much security perspective, but in terms of communications and PR, there was nothing as how you communicate to individuals afterwards can have a serious impact upon the business, and it needs to be considered as a core part of incident response and business continuity strategies.”