From small businesses to enterprises, everyone’s at risk of a data breach. In fact, the statistics suggest it’s a matter of when, not if, your business will fall victim to one. That’s why you must prepare yourself for such an event with a detailed and clear response plan. Here’s how.
Data breaches aren’t loud or dramatic when they occur. They happen quietly and, on the surface, nothing much changes as a result.
That’s what a friend of mine discovered when her old company, Yahoo!, experienced a catastrophic data breach.
“It seemed like a really small thing at first,” she tells me. “I barely glanced at the memo. I don’t think we understood the importance of data protection back then at all. Even though we thought we did.”
My friend wasn’t involved with cybersecurity at Yahoo! at all – she describes her job as “very junior number crunching.”
But a huge cybersecurity breach was gearing up to deal a devastating blow both to this multinational corporation and to my friend.
“I kind of remember a conversation with a colleague when we were like ‘Oh it’s nothing, people give out their email addresses to do those Facebook quizzes and stuff! Who cares?’” she said.
It’s an attitude we all remember from those innocent times before Cambridge Analytica.
In fact, the consequences of this breach for the company were devastating.
“Ultimately it put me and lots of my colleagues out of a job. And the company has never recovered.”
The cost of data breaches
Cyber security and data protection are increasingly enshrined in law around the world.
In Europe, the GDPR prohibits companies from collecting and/or selling personal data without permission. Punishments for those who breach the GDPR are severe with fines up to €20m.
Meanwhile, in the US, various states are considering (or have already introduced) data protection regulations. California’s groundbreaking CCPA is setting the tone for legislation to follow within other states.
There is data security software like Hotmark that is great for monitoring and protecting email lists and databases, but there’s no solution that can prevent a breach outright.
Having said that, you can reduce the number of breaches and the damage they do, and as I’ll explain later, that has everything to do with the way you respond.
Companies need to combine security software with stringent security protocols. The best cybersecurity policies aren’t just about protecting data. They also establish strategies for dealing with data breaches if and when they occur.
My friend agrees. “It’s not so much the breach which was the problem,” she explains, “although obviously that was pretty bad. It was the slow response, and the way they dealt with it.”
Ultimately, Yahoo! had absolutely no idea how to deal responsibly, honestly, and gracefully with a cyberattack which compromised the data of millions.
“There was no plan!” my friend says, “management basically said ‘Pretend everything is normal and don’t tell the media’. And that was it! They didn’t even bother to investigate!”
Ultimately, the company was forced during takeover talks to reveal the attack. The consequences were immediate. Hundreds of millions of dollars were knocked off the company’s value within hours, reducing it by almost 90%. The media outcry which followed caused the company to hemorrhage customers.
“They weren’t so much angry about the breach as they were about the response. I don’t think anyone had suffered any real problems because of it,” my friend explains, “they were fuming that they hadn’t been told, that it hadn’t been properly investigated, that they’d tried to cover it up. They didn’t feel they could trust the service anymore. And when you can’t trust a service, you leave it.”
And those customers took my friend’s job with them, along with hundreds of other employees that the company could no longer afford to retain.
“It couldn’t have come at a worse time,” my friend says, “I had to cancel my wedding because we couldn’t afford it without me working. And we couldn’t put down a deposit on a mortgage like we’d been hoping. It was devastating.”
Devastating, and frustratingly avoidable.
Is prevention better than the cure?
Preventing cyber attacks is often where companies put the majority of their cyber security efforts. It’s certainly where Yahoo! put their resources. And it’s definitely worth doing.
However, the cybersecurity statistics are sobering. 85% of organizations report a cybercrime incident at one point or another – and it’s likely that at least a further 10% have been subject to cyber attacks but haven’t reported them.
As a general rule, any given company can expect to experience multiple cyber attacks over the course of its operation. And it’s likely that at least one of these attacks will result in a data breach.
“88% of UK businesses have been breached in 2018!”
That figure was reported by VMware’s Carbon Black, and we probably only know it because of the GDPR; today the numbers are higher.
The thing is that cybercrime pays. And it pays well. Trillions of dollars are siphoned to cybercriminals annually.
What’s more, because cybercriminals aren’t slowed by the rules and regulations which govern legitimate businesses, they can come up with new ways to get in faster than is possible to produce new security measures.
That isn’t to say that preventative measures aren’t worth taking. Things like:
- Training employees to prevent negligence and human error, and to understand the consequences of malpractice (34% of cyber-attacks are inside jobs).
- Conducting vulnerability assessments.
- Keeping software up to date.
- Investing in cybersecurity and monitoring measures.
All of these are a great start in keeping client data safe in most scenarios.
But, my friend tells me, her company did all of these things.
They were among the biggest web service providers in the world at that time. They could afford to invest in heavy-duty cybersecurity, and they took that security very seriously. Yet still they succumbed to a cyber attack.
“Honestly,” she says, “I don’t know how a big, tech-focused company like that could have been so naïve. But they were.”
How should you respond to a data breach?
So what should Yahoo! have done?
According to the 2018 Ponemon Report, the most effective way to respond to data breaches is through a Cybersecurity Incident Response Plan (CSIRP).
A good CSIRP will:
- Identify the people authorized to make major decisions.
- Define the roles and responsibilities of each respondent.
- Outline the communication flow and establish a work plan, with all the organizational functions which need to be included.
A CSIRP helps companies to act swiftly and decisively in the event of a data breach. The nature of any CSIRP will change according to the nature of the organization. But it will always tackle the following:
- Containing the breach – Finding out how a breach happened is the first step towards containing it. Once you have worked out where the breach is coming from (and how the hackers are accessing your system), you can take steps to prevent the loss of further data. This could be as simple as deploying some patches and changing some passwords, or as complicated as taking the entire operation offline until the threat has been dealt with.
- Neutralizing the threat – How this is done depends a lot on the nature and origin of the threat. Sometimes, a bit of reformatting will do the trick. In case of a client data breach, you may need to blacklist certain addresses, or switch to a backup system.
- Assessing the damage – You’ve got to work out who is affected by the breach, and how. Without identifying each and every person whose data has been compromised, and determining the extent of the damage, the next step will be impossible.
- Notifying and reporting – If someone’s data has been stolen or misused in some way, they need to be told. As Yahoo! found out, trying to bury this kind of thing will cost the company its hard-earned reputation. You’ll also want to check your legal obligations. Which authorities do you need to notify?
- Preventing the next attack – This is easier said than done, but lessons can be learned from any breach. These can be utilized to help secure the system against the next (inevitable) attack.
My friend shakes her head as she goes through my notes on CSIRP. “No,” she says, “I don’t think they did any of that. I know they didn’t investigate it – that was what really annoyed the customers.”
In fact, Yahoo! did launch an investigation into the breach – but only a full year after it had occurred, and even then only in a vain attempt to stem the flow of customers leaving.
“They think the attack came from China,” she said, “and they think it might have been the Chinese government.” She shrugs. “But nobody cared about where it came from. They were more interested in what the company had done about it. Which was basically nothing.”
What does a good data breach response look like?
Unlike Yahoo!, online genealogy site MyHeritage had a spot-on response to its own data disaster.
In June 2018, MyHeritage announced that 92.3 million of its users’ email addresses and passwords had been hacked. They were quick with their announcement and made sure to keep users informed. Information about the breach was displayed prominently on their website, with updates given in real time.
Customers were given actionable directions to help them determine whether or not their information had been compromised. MyHeritage took customers through the ways in which they could secure their accounts, step by step.
Going further, the company immediately set up a 24-hour phone line response center, with a dedicated team to handle customer calls. Concerned customers could phone or email at any time, and have their questions answered by a MyHeritage employee.
Within 24 hours, the MyHeritage team had force-expired all passwords, and sent users instructions on how to set up new (safer) passwords.
More sensitive data (such as family and DNA data) had been stored on a separate, closed, and tightly secured system. This meant that it was saved from the breach. However, MyHeritage upgraded its authentication procedures for access to all MyHeritage services, just in case.
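To make the technical steps of the CSIRP list above concrete (assess the damage, contain the breach, notify), here is an added example that walks a constructed leaked dump through them the way MyHeritage’s response is described: affected accounts are identified, their passwords force-expired and sessions revoked, and a notice list plus a regulator deadline is produced, while a separately stored sensitive record set is treated as unexposed. This is illustrative code written for this article, not MyHeritage’s or anyone’s production tooling; the user store, the dump, and the 72-hour regulator window (the GDPR Art. 33 figure, kept as a parameter for other regimes) are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article). The primary store holds the
# e-mail address, password hash and live sessions; more sensitive records live
# in a separate, closed store that the breached system cannot reach.
USERS = {
    "ana@example.com": {"pw_hash": "h1", "sessions": ["s1", "s2"], "password_expired": False},
    "bo@example.com": {"pw_hash": "h2", "sessions": ["s3"], "password_expired": False},
    "cy@example.com": {"pw_hash": "h3", "sessions": [], "password_expired": False},
}
SENSITIVE_STORE = {"ana@example.com": "record-1"}  # segregated; not part of the breach

# Constructed sample: addresses found in a dump the attacker published (duplicates included).
LEAKED_DUMP = ["bo@example.com", "ana@example.com", "zed@example.com", "bo@example.com"]


def assess_damage(leaked, users, sensitive_store):
    """Assessing the damage: who is affected and which data classes were exposed."""
    affected = sorted({e for e in leaked if e in users})
    not_ours = sorted({e for e in leaked if e not in users})  # not our customers
    # The sensitive store is segregated, so a primary-store breach does not expose it;
    # we still record which affected users hold sensitive data so they can be warned.
    holds_sensitive = [e for e in affected if e in sensitive_store]
    return {"affected": affected, "not_ours": not_ours,
            "exposed": ["email", "password_hash"], "holds_sensitive": holds_sensitive}


def contain(users, affected):
    """Containing the breach: force-expire passwords and revoke live sessions."""
    for email in affected:
        users[email]["password_expired"] = True
        users[email]["sessions"].clear()
    return sum(1 for e in affected if users[e]["password_expired"])


def notification_plan(detected_at_iso, affected, regulator_window_hours=72):
    """Notifying and reporting: per-user notices plus the regulator deadline (ISO 8601)."""
    detected = datetime.fromisoformat(detected_at_iso)
    deadline = (detected + timedelta(hours=regulator_window_hours)).isoformat()
    notices = [{"to": e, "action": "set a new password; you have been logged out"} for e in affected]
    return {"regulator_deadline": deadline, "user_notices": notices}


def run_response(leaked, users, sensitive_store, detected_at_iso):
    """Runs assess -> contain -> notify in order and returns a summary for the incident log."""
    damage = assess_damage(leaked, users, sensitive_store)
    expired = contain(users, damage["affected"])
    plan = notification_plan(detected_at_iso, damage["affected"])
    return {"damage": damage, "expired": expired, "plan": plan}


if __name__ == "__main__":
    print(run_response(LEAKED_DUMP, USERS, SENSITIVE_STORE, "2024-01-01T09:00:00"))  # constructed time
```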
The MyHeritage breach had the potential to be one of the most shocking cyber attacks in recent years. Not only did MyHeritage have contact data for their customers – they also had their DNA.
However, rather than getting erased like Yahoo!, MyHeritage demonstrated to their customers that they were honest, capable, and genuinely had their best interests at heart.
While they inevitably lost some customers, most people were impressed enough by their response to the crisis to stay on board.
Had Yahoo! been this efficient and transparent in their data-breach response, they may still be around today.
Conclusion: respond quickly, do what you can to prevent, and run CSIRP
It ended on a positive note for my friend. After a long job hunt (which she described as “Hellish”), she got a job as an accountant for an independent florist in Seattle. And she loves it. “I get to work from this back office which is just full of fresh flowers waiting to go in bouquets. It’s the best workplace ever.”
My friend and her fiancé finally got married last summer, and they plan to start a family “when the time is right.” But she has absolutely no intention of ever touching a database again.
“When my new employer saw my old job on my resume they asked ‘Oh, would you like to help out with our emailing and social media and stuff?’ And I responded ‘No way. Never again. Not unless you’ve got the best cybersecurity in the world and then some!’”
All’s well that ends well for my friend, then.
But Yahoo! and other organizations who have failed to protect their data and respond appropriately to breaches have paid dearly.
Your response to data breaches is an opportunity to shine. If a poor response can bring down a multi-million-dollar operation like Yahoo!, it can easily do so for others.
Building a CSIRP into any email strategy is increasingly vital for modern companies. Prepare to hear the acronym ‘CSIRP’ a lot more in the future!