Crisis Communications and Data Breaches: How to Get It Right

Makovsky

Author’s note: This interview has been edited for clarity and length.

In late November, Makovsky hosted an interactive panel event called the “The Breach Plan: How to Build Your Cybersecurity A-Team,”, featuring panelists from Anchin, Cole Schotz, Redpoint Cybersecurity, and the U.S. Department of Justice.

The panel addressed some of the legal, technical, accounting and public relations issues that often arise before, during, and after a data breach has occurred, and the various professionals a business owner will need to work with to properly resolve those issues.

The event took place just days before Marriott’s Starwood line of hotels announced that hackers accessed the information of approximately 500 million customers, compromising their mailing addresses, passport information, and credit-card numbers.

Marriott joined a long list of well-known brands affected by data breaches in 2018: Orbitz, British Airways, T-Mobile, Quora, Facebook, and Google+ — just to name a few.

But big brands aren’t the only victims of security breaches. According to Verizon’s 2018 Data Breach Investigations Report, 58% of data breach victims are categorized as small businesses. How should you respond if your business becomes a victim of a cyberattack?

I sat down with panelists John Curran, CEO and Co-CISO of Redpoint Cybersecurity, to better understand the causes behind data breaches, how and why businesses should prioritize cybersecurity prevention and readiness, and how to effectively respond to, and communicate about, a breach.

.  .  .  .  .  .

Malaika Nicholas: We commonly assume that if a company experiences a data breach, then they’ve been “hacked” by a malicious third-party. Are hackers the only causes of data breaches?

John Curran: No, they’re not. Some of the other causes that you run into can be quite serious, such as insider misuse or negligence. That’s a big one.

Disgruntled employees who want to get back at somebody because they were fired may steal business-sensitive information or intellectual property. So, hackers are not the only threats out there. And it’s important to note that, with these kinds of cases, the stakes can be quite high, since employees have access and authorization and frequently are already in possession of certain kinds of information about the firm, such as corporate strategy or relationships that they have with key customers.

None of this is meant to detract from the need to guard against attacks from the outside. Threats from malicious outsiders are real, and they have impacted many of the firms that we have worked with. And many of them have been hit more than once. So the threat is very, very real.

Malaika Nicholas: Given that businesses of all sizes are primary targets for data breaches, how can business owners and business leaders communicate about the importance of cybersecurity to their staff members who might not think it’s a high priority?

John Curran: This is a really important question. It is probably central to everything that we do every day in terms of advising and educating.

The first thing I’ll say is that buy-in has to start at the top. It’s easier said than done because people are very busy and they have other priorities and, frankly, they often don’t understand the risks, which can be quite technical. It can be scary to them, and in many cases, significant changes to information security risk management are required, which in turn often require an investment of time and capital.  

Taking what we refer to in the industry as an “assumed breach” mentality is also essential. This requires acceptance of the fact that it’s not a matter of “if,” but, “when” in terms of a data breach directly impacting your company and data belonging to your clients.  And it requires that executives and management at every company (large or small) periodically bring in qualified, third parties, 

to perform pre-breach readiness reviews, to test your security controls and key systems (a service that’s called “penetration testing”), and then remediate the vulnerabilities in your network before those vulnerabilities can be exploited by bad actors.

Information security risk management cannot be a binary thing where you “fix it” and walk away. It must become part of your company’s DNA, just as other forms of risk management – such as operational or financial risk management – are processes rather than one-time events.

Every company will eventually be breached, and based on public data and what we see regularly in the market most of them have already been breached. But if executives and other stakeholders can accept this fact – this “new reality” in which we live and operate – and become proactive about managing the risks, then they can minimize the frequency and/or impact of breach events. There is a common expression: “You don’t need to out- run the bear, just the man running beside you.” This notion applies to the world of information security in many cases; there is value in becoming an inconvenient target.

Malaika Nicholas: When it comes to cybersecurity, a lot of advice out there is for businesses to have a cybersecurity response plan. What is it, and does every business need to have one in place?

John Curran: Every firm needs to have an actionable, tailored response plan in place. Far too often we see firms without any real plan or, what is perhaps even more dangerous because it is deceptively useless, a “cookie-cutter” plan that sits on the shelf.

It’s important to emphasize that we commonly encounter misconceptions around words like “plans” and “policy.” You’ll see a firm bring in someone to advise them on that, which is great, but then it tends to be a one-and-done or a “lLet’s just put that plan on the shelf. Now it’s there, we’re good to go, we’ll flip it open once something happens.”

And of course, that’s not what you want to be doing. So when we use the term “plan,”, I would emphasize that it’s important to train against and periodically update actionable procedures, and to do so at all levels of the company – especially among the stakeholders and others who will become involved in the event of data loss, or ransomware, or other forms of business interruption. At a bare minimum, these parties must include: your key executives and IT staff, an experienced breach litigation attorney, your cyber insurance carrier, and an outside incident response and forensics firm.  This last party, by the way, is definitely not to be confused with your IT staff as the requisite skill sets vary considerably in most cases.

Malaika Nicholas: What can consumers do to protect their personal information immediately following a breach?

John Curran: There are a number of things that they can and should do. If you’re dealing with the immediate aftermath, one of those things is to put a freeze on your credit by contacting the credit bureaus individually and telling them that you want to freeze your credit.

We also help our clients with securing their home offices, their family offices, and their personal environments, which include things like laptops, cell phones, wireless access points, personal file shares, personal email accounts, etc. When you think about how you can lose your data, and the ways that can happen, often that starts with the compromise of a personal network or device. Often these precautions are not taken, and they are critical as far as what you can do in your day-to-day to protect your data.

Malaika Nicholas: Are there any Do’s and Don’ts that you’d recommend for communicating about a breach after the fact to consumers, employees, or investors?

John Curran: It’s certainly context-specific and it can be time-consuming and complicated to determine things like “Was data taken?” or “Which data specifically was compromised?” or “Are the attackers still in your network?” We advise that you work proactively and closely with your Breach Coach (a breach litigation attorney), your PR firm, and the forensics firm that will be called in to handle the breach when it occurs.

Your PR firm can help you to manage communications to key stakeholders and to the public if that’s required. And your breach attorney is essential to managing all stages of incident response and to ensuring that sensitive communications are privileged.

.  .  .  .  .  .

Is your business prepared to respond to a data breach? Follow-up with us on Twitter with your questions or comments!