How (not) to respond to a data breach

With the number of data breaches still increasing, all organisations should be making plans for their response when, not if, it happens to them. At the FIRST conference, Jeff Kouns of Risk Based Security suggested learning from examples where the organisation’s response, or lack of it, had made the consequences of a breach much worse, both for the organisation and its customers.

The first lesson is to detect breaches quickly. This seems obvious, but the average length of time to discover a breach is still many months: one US financial institution took three and a half years to detect unauthorised access to its customer files. Not only does this delay give attackers ample opportunity to do lasting harm, but by the time the breach is discovered the organisation is unlikely to still have the information needed to work out what happened and how far the impact extended.

And when a breach is discovered, you do need to find out how it happened and fix the root cause. Failure to do so results in, at best, a steady trickle of increasingly bad news as new consequences are discovered. At worst you could miss the opportunity to fix a vulnerability when it exposed eighty-eight usernames and passwords, only to have it later exploited to access the personal data of more than two million people. Repeated data breaches look particularly bad.

Communication around an incident makes a big difference to how well or badly it turns out. Although we seem to be slowly understanding that it’s not a good idea to respond to vulnerability reports with legal threats, that seems still to be a depressingly common response to reports of security breaches. If you shoot the first messenger, the next person to find the vulnerability might be more willing to exploit it to cause real harm. When a breach happens, those affected will want to know what they can do, so don’t announce that you are turning off your telephone system because it can’t handle the load. And if you’re a regulated organisation (and under the General Data Protection Regulation we all will be from May 2018) talk to your regulator: they’re likely to be less sympathetic if they learn of your breach from someone else.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!

Leave a Reply

Your email address will not be published. Required fields are marked *