The Art of Disclosing Your Incident Response Strategy to the Public
As major vulnerabilities gain public attention, being able to craft a public response is no longer a distant thought — it’s an essential part of any incident response program. Business is now and forever entwined with the servers, systems and devices we use on a daily basis. Our ability to patch new vulnerabilities affects not only our own security, but that of every partner and customer we interact with. Like the latest strain of the flu, each new vulnerability requires a new set of responses and controls to limit its impact, and the people who interact with your business want to know you’re taking appropriate steps.
In my role as Akamai’s senior global security advocate, I’ve been involved with writing and publishing many of these incident response notifications. With so many high-profile data breaches making headlines, it’s becoming an increasingly important part of the regular incident response process. Gone are the days when only IT professionals and technicians were interested in the latest security vulnerabilities. Today, these incidents show up on the nightly news, and regular consumers who trust their data to various organizations and service providers are taking notice.
Addressing Known Vulnerabilities in the Public Eye
Why would your customers or partners want to know that you’re reacting to a vulnerability? Because you hold their data and their systems are connected to yours, a hole in your defenses may enable an attacker to access their data. In recent years, many businesses have been compromised due to vulnerabilities in systems attached to the organization’s network, such as air conditioning or printing systems, which is why third-party security is top of mind for auditors. If you haven’t received an audit questionnaire from a customer or partner business yet, you likely soon will.
Stories of large companies losing credit card data and other sensitive customer information have made headlines so frequently that the general public has largely ceased to pay attention. These breaches have, unfortunately, become part of the fabric of daily life. Widespread attacks such as WannaCry and NotPetya, however, are still fresh enough in the public consciousness that people still pay attention to this type of threat. When a company is breached due to a known vulnerability, customers and partners naturally want to know why it hadn’t been patched already.
Composing Your Incident Response Notification
It’s not very difficult to compose a public incident notification for a new vulnerability, especially compared to the effort required to mitigate potential threats. More than anything, customers and partners want to know that you’re aware of the problem and taking appropriate steps. No one likes to hear that the company he or she relies on to protect data was caught flat-footed when an attack struck.
The good news is that the majority of the work required to create a public incident response message is covered by steps your organization should already be taking. The major difference is that your public message will need to be focused on the information your partners and customers absolutely need to know and nothing more. You want your customers to know that you understand the vulnerability and how it affects the systems you’re responsible for, but giving too much information invites questions you have neither the time nor the resources to answer during a crisis. If it’s really important to the customer, you can have that conversation once the immediate emergency has passed.
Any public incident response message should have three basic sections: a high-level description of the vulnerability, a summary of how it affects your systems, and your response strategy. It’s good to open with a single paragraph that encapsulates all three of these points simultaneously at the highest level possible.
Providing a brief explanation of a new vulnerability is important because it shows that your team understands the problem well enough to summarize the important details quickly. It takes mastery of a subject to boil it down to the bare essentials, which your notification should reflect.
Keep It Simple
The next step — defining how the vulnerability affects your systems and how you’re responding — is the most important part of the process. It’s also the step at which organizations are most likely to provide too much information. It’s crucial to be as honest and truthful as possible without divulging more details than necessary. Explain to your audience how the vulnerability affects your organization at the highest level possible without sounding like you’re throwing up your hands.
By necessity, what you expose to the public is only a small fraction of the total information your team will collect internally. There’s no need to list every server and system that might be exposed. In fact, your customers don’t even necessarily want to know those details. They just want to know the big picture of how your organization is affected and how you’re keeping their data safe.
This message should come from a senior member of either the security or IT department, but that will vary by organization. It’s important to involve senior management and other teams, such as legal and PR, in the messaging since it will be public. Your customers can tell the difference between a blog post crafted by a security professional and one written by a lawyer.
Stay Out of the Headlines
If everything comes together, a good public incident response message will be short, with just enough detail to let customers know that the organization takes the threat seriously and has taken appropriate steps.
Being open and upfront about your response makes your customers and partners feel more comfortable, proves that you’re competent and improves your company’s security reputation immeasurably. On the flip side, an erroneous or dishonest response notification can harm your reputation even more. Tell your customers what they need to know and let your incident response team do the work of investigating the vulnerability behind the scenes. That way, your organization can bolster its defenses and close security gaps before the next headline-grabbing security breach hits.