Light Dark
October 18, 2017 By David Strom 2 min read
Incident Response
Application Security
Data Protection

As more companies suffer breaches and leak private data online, it becomes harder for organizations to be transparent and establish trust with their customers. Recent incidents have shown that many experts underestimated the total impact of a data breach in terms of the actual number of users affected and the volume of data made public. Many companies take too long to notify all the relevant parties about a breach, in some cases waiting months or even years to alert the people and vendors involved. Post-breach responses tend to rely on poorly constructed websites that contain ambiguous lawyerspeak and little actionable information.

But enough of the doom and gloom — how about some positive points of action? Below are my own recommendations to help companies regain trust in the age of the data breach.

Honesty Is the Best Policy After a Data Breach

First, being transparent means being as open and honest as you can. Always tell the truth and don’t hide behind your lawyers. Sugarcoating a breach never works and can easily backfire, creating more negativity and diminishing trust.

Next, take ownership. If your IT department dropped the ball, say so. If your network was breached through a third party, be clear about that, too. If you haven’t segmented your networks properly, say that, and fix the problem as soon as possible.

While many companies may be reluctant to divulge exactly what happened, everyone makes mistakes. Admitting them and clearly explaining what happened can help breached organizations regain customer trust.

Listen to the podcast: Understanding the Media Hacks of 2017

Strengthen Policies and Passwords

Take steps to strengthen your protective policies, products and people. Firing a scapegoat isn’t enough. Instead, invest money and other resources in your security infrastructure and give the right people sufficient authority to make progress with these improvements. Don’t just add window dressing or another firewall layer. If you’ve yet to suffer a breach, you might as well assume that you will soon.

Look at your user base’s password collection and educate them about authentication protocols, single sign-on (SSO), phishing and whaling attacks. Poor password choices are still the easiest way for fraudsters to enter an enterprise. All it takes is one highly placed employee with a weak password and it’s game over. I recently attended a Penn & Teller magic show that featured a segment that makes fun of poor password choices. It’s high time we fixed this problem.

Related: 2017 Ponemon Institute Cost of a Data Breach Study

Trust Takes Time

Finally, it’s crucial to realize that information security is a journey, not a destination. Put these practices in place and strive for continuous improvement, not just a one-time quick fix. Make sure you have management buy-in to gradually improve your security posture. Trust takes time, and these are just a few of the many methods to accumulate it.

 |  |  |  |  | 
David Strom
Security Evangelist

More from Incident Response
July 15, 2024

Cybersecurity crisis communication: What to do

4 min read - Cybersecurity experts tell organizations that the question is not if they will become the target of a cyberattack but when. Often, the focus of response preparedness is on the technical aspects — how to stop the breach from continuing, recovering data and getting the business back online. While these tasks are critical, many organizations overlook a key part of response preparedness: crisis communication. Because a brand’s reputation often takes a significant hit, a cyberattack can significantly affect the company’s future…

May 14, 2024

3 recommendations for adopting generative AI for cyber defense

3 min read - In the past eighteen months, generative AI (gen AI) has gone from being the source of jaw-dropping demos to a top strategic priority in nearly every industry. A majority of CEOs report feeling under pressure to invest in gen AI. Product teams are now scrambling to build gen AI into their solutions and services. The EU and US are beginning to put new regulatory frameworks in place to manage AI risks.Amid all this commotion, hackers and other cybercriminals are hardly…

May 3, 2024

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature