As more companies suffer breaches and leak private data online, it becomes harder for organizations to be transparent and establish trust with their customers. Recent incidents have shown that many experts underestimated the total impact of a data breach in terms of the actual number of users affected and the volume of data made public. Many companies take too long to notify all the relevant parties about a breach, in some cases waiting months or even years to alert the people and vendors involved. Post-breach responses tend to rely on poorly constructed websites that contain ambiguous lawyerspeak and little actionable information.

But enough of the doom and gloom — how about some positive points of action? Below are my own recommendations to help companies regain trust in the age of the data breach.

Honesty Is the Best Policy After a Data Breach

First, being transparent means being as open and honest as you can. Always tell the truth and don’t hide behind your lawyers. Sugarcoating a breach never works and can easily backfire, creating more negativity and diminishing trust.

Next, take ownership. If your IT department dropped the ball, say so. If your network was breached through a third party, be clear about that, too. If you haven’t segmented your networks properly, say that, and fix the problem as soon as possible.

While many companies may be reluctant to divulge exactly what happened, everyone makes mistakes. Admitting them and clearly explaining what happened can help breached organizations regain customer trust.

Listen to the podcast: Understanding the Media Hacks of 2017

Strengthen Policies and Passwords

Take steps to strengthen your protective policies, products and people. Firing a scapegoat isn’t enough. Instead, invest money and other resources in your security infrastructure and give the right people sufficient authority to make progress with these improvements. Don’t just add window dressing or another firewall layer. If you’ve yet to suffer a breach, you might as well assume that you will soon.

Look at your user base’s password collection and educate them about authentication protocols, single sign-on (SSO), phishing and whaling attacks. Poor password choices are still the easiest way for fraudsters to enter an enterprise. All it takes is one highly placed employee with a weak password and it’s game over. I recently attended a Penn & Teller magic show that featured a segment that makes fun of poor password choices. It’s high time we fixed this problem.

Trust Takes Time

Finally, it’s crucial to realize that information security is a journey, not a destination. Put these practices in place and strive for continuous improvement, not just a one-time quick fix. Make sure you have management buy-in to gradually improve your security posture. Trust takes time, and these are just a few of the many methods to accumulate it.

More from Application Security

X-Force Identifies Vulnerability in IoT Platform

4 min read - The last decade has seen an explosion of IoT devices across a multitude of industries. With that rise has come the need for centralized systems to perform data collection and device management, commonly called IoT Platforms. One such platform, ThingsBoard, was the recent subject of research by IBM Security X-Force. While there has been a lot of discussion around the security of IoT devices themselves, there is far less conversation around the security of the platforms these devices connect with.…

4 min read

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

12 min read - ‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

12 min read

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

4 min read - Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

4 min read

Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

17 min read - Overview In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put a spotlight on this capability and learn more about its potential impact. Specifically, in this post, we will evaluate how Kernel post-exploitation can be used…

17 min read