How CEOs Should Respond to Data Breaches
The massive “Collection #1” breach of 2019 exposed 772,904,991 unique emails and 21,222,975 unique passwords. The data appears to have been taken from a number of sources, meaning a number of CEOs faced the same question that Mark Zuckerburg, John Legere (Tmobile), Paul Black (Allscripts), Steve Long (Hancock Health), Matt Raoul (Timehop) and others have faced: How do you handle a serious data breach?
It’s a question that’s not going away. While we are in the business of preventing breaches, the cases in the news reveal a spectrum of post-incident responses from CEOs, for better or for worse. Let’s take a look at a few examples:
CEOs Who Got it Right
Though it’s not always easy to acknowledge a problem, customers tend to respond best to candor from vendors. Consider a case where the opposite happened: Allscripts, a health IT company, was the victim of a January 2018 ransomware attack which prevented patients from getting prescriptions. The problem first came to public attention thanks to a patient, and not the company. The company eventually made a statement, but neither the CEO nor any other executive gave a clear account of what happened or of remediation steps. Service was eventually restored, but not before being subject to much criticism from patients, with some even suing. Although the case was dismissed, this chain of events that could result in a subsequent loss of credibility is something that every company would want to avoid.
Public statements issued by John Legere (Tmobile), Steve Long (Hancock Health), and Matt Raoul (Timehop) are excellent examples of how to properly handle a crisis. Each is clear and to the point. Although they were not issued immediately after the breach, they show empathy for customers, discuss the issues involved clearly, as well as the remediation actions implemented.
Despite their similarities, each takes a somewhat different approach:
- Legere expresses personal anger at the breach and offers compensation to all T-mobile customers, not just those directly affected by the problem. He specifies which information was exposed and which wasn’t and points subscribers to a company FAQ website, which others should learn from.
- Long’s letter is a detailed narrative of what happened and is an excellent example of the power of full disclosure. Technical details and logistical considerations are spelled out clearly, including the decision to pay the ransom. He also praises his employees for their attitude and for keeping all services running throughout the crisis.
- Raoul offers not only a detailed discussion of what happened but also a separate minute-by-minute technical account. Both expose a great deal of information not generally disclosed, including the actual database columns exposed and a candid discussion of mistakes made in the crisis.
You’ve Just Been Breached – Now What?
In addition to clear communication with outside authorities, customers, and stakeholders, it is recommended that following security breaches CEOs lead their company through a swift recovery by taking these internal steps:
Damage Control/Damage Limitation. Specifically:
- Freeze everything. Cyber response should take their cue from doctors when facing an emergency: First, do no harm. Take the affected devices offline without shutting them down or making changes. At this point, you don’t want to take any steps beyond isolating the “infection” before assessing the impact of such actions. Also, this avoids inadvertently alerting the attacker that the problem was detected.
- Ensure auditing/logging. Ensure these weren’t disabled in the attack. They will aid your investigation, verify that remediation succeeded, and help you meet regulatory requirements.
- Change passwords. This will stop the breach, though it won’t deal with the damage which has already been done.
- Assess the damage. What was attacked and how? Besides giving you information about the scope of the damage, this will help you identify any malware that was inserted.
- Determine how it happened. In addition to determining the technical details of the attack, it’s important to know if any security procedures were broken.
- Determine which actions need to be taken and execute them. Solutions range from patching, changing configuration parameters to using a firewall and each one comes with its own risk, which must be speedily assessed. It is generally recommended to notify customers and others at this point unless legal requirements dictate otherwise.
- Perform a security audit. Focus on what needs improving in light of the breach. Besides “obvious” measures such as a DNS audit, it’s important to check your company’s attack surface, since this is publicly accessible information.
- Scrutinize your breach response plan. Make sure that your company revises its policies and best practices. New circumstances always call for revisions and it will certainly be necessary to reflect on how well the company followed the plan and if changes need to made to it for the future.
The Bottom Line
There’s no easy way to handle a breach, but the experience of the CEOs profiled above shows that transparency really is the best policy. CEOs must acknowledge the problem, and demonstrate that it’s being taken care of; that their customers’ concerns are legitimate and that some form of compensation may follow.
Despite the commendable responses, high costs were incurred. From exposing huge amounts of detailed private information publicly (technical, logistical, personal failings), to paying out large sums of money to customers and hackers, these are the ordeals all executives are desperate to avoid.
One of the most surprising takeouts from several high-level breaches is that many were caused by known vulnerabilities. There are two points that can be surmised from this:
- If vulnerabilities are resolved effectively and at the right time, many exploits could be prevented.
- Enterprises of all sizes can fail to orchestrate a robust vulnerability management strategy. This could be a result of a variety of reasons. Either way, as the number of breaches continues to grow year on year, CISOs who don’t update themselves with the latest best practices and tools will face the consequences.
A good risk-based vulnerability remediation solution continuously monitors threats and assesses vulnerabilities. Continuous monitoring and remediation, powered by automation, will assure that any CEO is in the best possible position to respond if and when a breach occurs.