As more companies suffer breaches and leak private data online, it becomes harder for organizations to be transparent and establish trust with their customers. Recent incidents have shown that many experts underestimated the total impact of a data breach in terms of the actual number of users affected and the volume of data made public. Many companies take too long to notify all the relevant parties about a breach, in some cases waiting months or even years to alert the people and vendors involved. Post-breach responses tend to rely on poorly constructed websites that contain ambiguous lawyerspeak and little actionable information.
But enough of the doom and gloom — how about some positive points of action? Below are my own recommendations to help companies regain trust in the age of the data breach.
Honesty Is the Best Policy After a Data Breach
First, being transparent means being as open and honest as you can. Always tell the truth and don’t hide behind your lawyers. Sugarcoating a breach never works and can easily backfire, creating more negativity and diminishing trust.
Next, take ownership. If your IT department dropped the ball, say so. If your network was breached through a third party, be clear about that, too. If you haven’t segmented your networks properly, say that, and fix the problem as soon as possible.
While many companies may be reluctant to divulge exactly what happened, everyone makes mistakes. Admitting them and clearly explaining what happened can help breached organizations regain customer trust.
Strengthen Policies and Passwords
Take steps to strengthen your protective policies, products and people. Firing a scapegoat isn’t enough. Instead, invest money and other resources in your security infrastructure and give the right people sufficient authority to make progress with these improvements. Don’t just add window dressing or another firewall layer. If you’ve yet to suffer a breach, you might as well assume that you will soon.
Look at your user base’s password collection and educate them about authentication protocols, single sign-on (SSO), phishing and whaling attacks. Poor password choices are still the easiest way for fraudsters to enter an enterprise. All it takes is one highly placed employee with a weak password and it’s game over. I recently attended a Penn & Teller magic show that featured a segment that makes fun of poor password choices. It’s high time we fixed this problem.
Trust Takes Time
Finally, it’s crucial to realize that information security is a journey, not a destination. Put these practices in place and strive for continuous improvement, not just a one-time quick fix. Make sure you have management buy-in to gradually improve your security posture. Trust takes time, and these are just a few of the many methods to accumulate it.