Data breaches aren’t easy to deal with, particularly if you are of the opinion that companies are people, too
Having seen, been part of, and lent a shoulder to many a breach, here are nine of the common ways that companies tend to respond to breaches.
A delayed response is when a breach has occurred, and the company is informed a long time after the fact, usually when the data appears on a dark web sharing site. The company sometimes informed by law enforcement, or by reading about it on Brian Krebs’ blog.
Complicated response (traumatic or prolonged)
A complicated breach becomes severe with time and can impact the entire company. This can be the case when regulators step in to look at a breach. Were you PCI DSS compliant? Well not anymore. Did you have European citizen data? Well say hello to my little GDPR friend.
Disenfranchised breaches are where the company experiences a loss, but others do not acknowledge the importance or impact. For example, an intellectual property breach that allows a competitor to get ahead is felt by the company, but elicits little, if any sympathy from customers.
A cumulative breach is when multiple breaches or incidents are experienced, often within a short period of time. For example, getting locked out of your IoT devices accounts while records are being exfiltrated out of the mainframe during a DDoS attack.
A cumulative breach can be particularly stressful because a company doesn’t have time to properly respond to one incident stating how they ‘take security seriously’ before experiencing the next.
Sometimes a company responds to a breach in extreme and hostile ways. In a manner befitting a toddler, the company may resort to blaming a partner or any other third-party company.
On occasion, the finger of blame is pointed towards an employee or contractor for not patching a system. Or, in some cases, the company will want to set an example and therefore unceremoniously fires the CISO.
Also known as “keep this between us”, an inhibited response is a conscious decision by a company to keep details of a breach limited to a very small group.
Problems can occur if customers or regulators get wind of it and can cause bigger issues down the road. By then, the only viable option for companies is to shred the documents, wipe the hard drives, and research countries with non-extradition treaties.
A collective breach is felt by a wider group, and the impact is shared. It can be a useful tactic in bringing all people on the same side to put their differences aside.
When everyone is forced to change their passwords after a breach, it gives common ground for them to share the pain.
A favourite of social media giants, absent response is when a company doesn’t acknowledge or show signs of any response. This can be as a result of shock, denial, or simply passing everything onto business as usual.
It’s important to note that in some instances, just because you can’t see the signs of a response, it doesn’t necessarily mean that a company isn’t taking responsive actions.
Or it could just mean they don’t care… it can be hard to tell.
Remember all those posters telling you ‘it’s not a matter of if, but when’ – well, that can have a positive effect as companies can go into anticipatory mode, expecting a breach and preparing accordingly. It doesn’t lessen the sting of a breach but does allow you to have plans in place to respond and recover.
With data breaches now being viewed by many as an inevitability, the key to surviving one is having a good plan in place and figuring out what response the company is capable of giving. If it’s looking underwhelming – or worse, uncertain – it may be time to put a team in place to consider what your company’s anticipatory response would be.
About the Author
Javvad Malik is a London-based IT Security professional. Better known as an active blogger, event speaker and industry commentator who is possibly best known as one of the industry’s most prolific video bloggers with his signature fresh and light-hearted perspective on security. Prior to joining AlienVault, Javvad was a senior analyst with 451 Research providing technology vendors, investors and end users with strategic advisory services, including competitive research and go-to-market positioning.