Data Breach? Don’t Panic—Just Remember These 4 Tips
In show business, even bad publicity is still publicity, so celebrities generally couldn't care less about it. After all, visibility is the lifeblood of an actor, singer or sports player, all of whom want nothing more than to stay in the spotlight. This is not the goal of for-profit businesses, however, which view publicity as an indicator of their positive traits. This preference for good news is the reason why companies are normally secretive, often hiring corporate communication experts to relay difficult messages to the public, their stockholders, and even the government. They spend major cash on legislative lobbyists to protect their business interests in the long run and keep their reputation clean. But as we all know, all it takes is one good data breach to send all these efforts to hell in a handbasket.
Countless companies have already experienced the pains of a security breach, including data leaks and lost digital assets. Sure, they try their best to perform damage control before having to admit any vulnerabilities; however, the public tends to find out regardless of their efforts. All cyber issues aside, for-profit companies have two main objectives: expand the business and keep profits rolling in. Any other company goals are just gravy. But the European Union's GDPR requirements have changed all of that, essentially redefining the responsibilities of businesses to their customers. With this in mind, how should companies experiencing a data breach now react to news that their computing infrastructure was infiltrated by an unauthorized party?
Here are some thoughts:
Announce it within the first 72 hours after the discovery!
Transparency is important, no matter how awkward and uncomfortable it may be at times. It is the source of customer trust. Even companies with the very best products and services on the market will find themselves alone in the cold if they lose consumer trust. The first 72 hours after a breach is the time to pin down the primary details of the crime and inform stakeholders, along with the public, that the company has been compromised. After all, it is now the law. GDPR makes it quite clear that this amount of time is the cutoff for notification, as anything later will incur a massive fine from the EU for the violation.
Focus on the details and the details and the details!
Stakeholders should never be left in the dark after a data breach. Notifying them while still withholding information vital to their decision-making cuts off potentially profitable future transactions with customers, suppliers, and partners. Notifications about a data breach should be clear, concise, and readily understandable by those outside the tech world. Not all stakeholders will have the same degree of technical knowledge, which means the message must be easy to understand and interpret. The worst kind of press release or announcement is one overrun with industry jargon, all of which can be easily misinterpreted and misquoted.
Practice customer care!
Just as the GDPR has mandated, the front, back, and center of any for-profit business must be the customer. As the bread and butter of an enterprise, customer data should be protected, secured, and stored privately. If a data breach occurs, a tailored message should be sent to customers immediately, outlining the steps being taken to rectify the problem. This effort creates an atmosphere of transparency and lets the consumer know the responsible entity is taking the right stance. While it's true many breaches are not the fault of the company, it must still take responsibility for the vulnerability that likely caused it. Without an effective and efficient outgoing message, all fingers will point to the company instead of the attackers.
Rebuild reputation and compensate victims ASAP!
Don’t wait for a government law enforcement agency to force you into paying damages to victims—instead, be proactive. Assess the cost of the damage and pay compensation to the victims without hesitation. If this is done in a timely manner, it is still possible for the company to continue its operations with little interruption. But if it’s not, customer trust will begin to wane and suspicion about the details of the data breach will lead to ruin.
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a cybersecurity author with experience in penetration testing, vulnerability assessments, monitoring solutions, surveillance, offensive technologies, and more. Currently, he is a freelance writer covering the latest security news and other happenings. He has authored numerous articles and exploits, which can be found on popular sites such as hackercombat.com.