Breach disclosure has recently been in the news, and not necessarily in a good way. Missouri Governor Mike Parson's press conference on a newspaper's reporting of a security vulnerability on the Department of Elementary and Secondary Education's website created a social media backlash. He blamed the reporter who discovered the publicly accessible sensitive data for the exposure, rather than the faulty website implementation that exposed it.
This incident reminded me of a lesson I learned years ago from several people who worked in communication regarding Microsoft security issues. A Microsoft security incident would be in the news with all sorts of details, but the Microsoft security communications team would be annoyingly and frustratingly silent. I’d take this as a sign that they didn’t understand the security issue at hand, but later I would find out that they were either waiting for follow-up resolution or some fact that was still being investigated.
Being first to break the news about a security event often means you will get something wrong, or worse, your spokespeople will not fully understand the situation and will give out incorrect information that cannot easily be walked back. In a 24/7 news cycle, communicating too much too early can bring unnecessary scrutiny to your security issue. You don't want to be the first to communicate, nor the last. There is a middle ground in breach notification timing, and it should be planned for rather than improvised.
It’s wise to have a plan in place for how you will respond to a breach. Here’s how to build that plan.
Reach out to your cyber insurance carriers before a breach occurs to learn what process your insurers would want you to follow should an incident occur. They should be one of the first you contact once a breach is suspected. They may need to bring in investigators to understand better the nature of the breach. The insurance carrier may also have communication experts who will either assist in the communication process or be your spokespersons for the event.
Identify who will represent your firm when a breach occurs. Draft a template of the communication you want presented before you need it. Ensure that communication about what your customers and clients should expect after a breach is crisp and clear. Follow the guidance from your cyber insurance provider and attorneys regarding communication on client-facing websites and public-relations notifications. Once a breach notification goes out, keep monitoring for follow-up communication that may be needed as the situation changes.
If you work for a US federal agency, you will follow NIST's incident handling guidance (SP 800-61) and federal breach notification rules. Private businesses need to establish similar processes. In the United States, ransomware has hit so hard that lawmakers are starting to take action to ensure better communication and investigation. The recently introduced Senate Bill 2666 would impose a strict 24-hour deadline for reporting ransomware incidents at businesses with more than 50 employees, specifically: "not later than 24 hours after the discovery of a ransomware operation that compromises, is reasonably likely to compromise, or otherwise materially affects the performance of a critical function by a federal agency or covered entity, the federal agency or covered entity that discovered the ransomware operation shall submit a ransomware notification to the system." Be prepared for notification windows that are much shorter than what you work with today.
Another process you should review ahead of time is a vulnerability disclosure program. As more of your firm’s information is placed on internet-facing web properties, you often don’t have the resources to fully vet and identify all security vulnerabilities that may have been inadvertently deployed.
Larger firms run bug bounty programs that pay vulnerability researchers for their effort in finding issues, but most of us do not have such programs. Other firms rely on third-party programs such as Trend Micro's Zero Day Initiative, which buys vulnerability reports from researchers and coordinates disclosure with the affected vendor.
All firms that have client-facing websites or properties can and should have a process that allows the public to report vulnerabilities. The email alias security@ has long been reserved for reporting security issues, as outlined in RFC 2142. Publishing a security.txt file at /.well-known/security.txt, as described in RFC 9116, gives researchers a machine-readable place to find that contact and your disclosure policy. Ensure that you have an established disclosure process behind whatever address you publish, because an unmonitored mailbox is worse than none.
Any time you run an external-facing website whose breach would have a significant impact on your firm, consider investing in a penetration test of your environment, either by someone on staff or by an outside firm. Firms like Black Hills Information Security provide penetration testing and red team engagements that help organizations find and fix their weaknesses before an attacker does. Purple teaming combines the attack and defense sides in one exercise, so the defenders learn which network weaknesses the attackers used and how to detect and resolve them.
Bottom line: review your processes for handling security issues and breaches, and ensure that the processes you need are established before you need them. It is not a question of if a breach will occur, but when.