2016 was a record year for data breaches, and the trend looks set to continue: 2017 has already seen its fair share of high-profile cyber-attacks. Organisations and services such as InterContinental Hotels Group (IHG), Verifone, Gmail, Yahoo!, Washington State University, Verizon, Equifax and Deloitte, to name a few, have all experienced a serious data breach so far this year.
Despite these high-profile attacks, top executives are still failing to learn from the mistakes of others, and a slow or poorly handled response will cause significant damage to their reputation, their finances and, of course, their customers.
What are the common mistakes executives make when dealing with a cyber-attack?
1. Waiting too long to notify customers
For every day that goes by following a data breach, the attackers have more opportunity to make use of the stolen data. Equifax, which suffered “one of the worst breaches ever” (affecting as many as 143 million customers), was heavily criticised after taking nearly six weeks to disclose the breach. Similarly, the United States Securities and Exchange Commission (SEC), which experienced a serious data breach in 2016, took nearly a year to disclose it. It is understandable that organisations prefer to withhold information until sufficient evidence has been gathered, but leaving disclosure too long not only erodes public confidence, it also delays the point at which customers can take the actions necessary to keep their data safe (changing passwords, freezing credit, watching for fraud). Once the GDPR comes into effect, organisations must have an incident response plan in place and will be required to notify the relevant supervisory authority within 72 hours of becoming aware of a breach, not of the breach itself, which is why detecting breaches quickly matters as much as reporting them.
2. Failing to put their customers first
In 2016, Yahoo disclosed a data breach in which 500 million accounts were stolen. To limit the damage, they could have reset all user passwords. However, they chose not to, because forcing users to create new passwords might have led to a loss of business. Equifax initially offered to freeze customers’ credit reports for a fee, supposedly to protect their data. The fee was eventually waived, but the damage to their reputation had already been done. Dealing with a data breach is, of course, expensive, but organisations have an obligation to protect their customers, and that obligation does not stop at the point where protection starts to cost money.
3. Failing to be transparent
As I’m sure you can imagine, when a breach occurs, organisations are not too keen to tell the whole truth about how and when it happened. However, a lack of transparency leads customers to believe that the organisation is withholding information, even when it is not. To retain the trust of their customers, it is paramount that organisations are honest and provide clear, concise and frequent updates about the breach, including what is not yet known.
4. Failing to accept responsibility
In addition to an unwillingness to be truthful about how and when a breach occurred, executives have a tendency to avoid taking responsibility for it, and instead try to pass the blame onto specific employees. While it may be true that a breach was triggered by the direct actions of a specific employee, executives are still accountable for ensuring that breaches occur as infrequently as possible, that an Incident Response Plan is already in place, and that incidents are reported promptly. A recent study by strozfriedberg.com found that only 45% of senior leaders believe they are responsible for protecting their companies against cyber-attacks.
5. Failing to identify how their critical data was accessed following a breach
According to a recent survey by Lepide, 60% of organisations still don’t know who has access to their critical data, or how that data is being accessed. This is largely due to a lack of awareness of insider threats, which account for approximately 43% of data breaches. Organisations need an auditing and monitoring solution in place before a breach, so that a thorough forensic investigation is possible afterwards. With file access and authentication events already being collected, they can produce a comprehensive set of reports detailing what happened, why it happened, by whom, from where and when.
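To make the “by whom, from where and when” report concrete, here is an added example (not Lepide’s or any vendor’s code, and not part of the original article) that summarises access to sensitive files from constructed Windows Security log entries. It assumes file-access auditing is already switched on (event ID 4663, “An attempt was made to access an object”) and that events have been flattened into key=value records; the log lines, the sensitive paths, the authorised-user list, the business hours and the internal address prefix are all constructed for the example.

```python
"""
Added example: who/what/when/where report over constructed file-access audit
events, plus simple flags for accesses that warrant a closer look.
Not vendor code; every input below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample of Windows Security events as flat key=value records.
# Real events are EVTX/XML; only the fields needed for the report are kept.
# Object paths here contain no spaces, so whitespace splitting is enough.
SAMPLE_EVENTS = """
2017-09-02T14:05:11 id=4663 user=CORP\\jsmith host=FS01 object=D:\\Finance\\credit_reports.xlsx access=ReadData src=10.1.4.23
2017-09-02T14:07:40 id=4663 user=CORP\\jsmith host=FS01 object=D:\\Finance\\credit_reports.xlsx access=WriteData src=10.1.4.23
2017-09-02T23:41:02 id=4663 user=CORP\\svc_backup host=FS01 object=D:\\Finance\\credit_reports.xlsx access=ReadData src=10.1.9.8
2017-09-03T02:13:55 id=4663 user=CORP\\tmp_admin host=FS01 object=D:\\HR\\payroll_2017.csv access=ReadData src=203.0.113.45
2017-09-03T02:14:20 id=4663 user=CORP\\tmp_admin host=FS01 object=D:\\HR\\payroll_2017.csv access=ReadData src=203.0.113.45
2017-09-03T09:00:03 id=4624 user=CORP\\jsmith host=FS01 src=10.1.4.23
2017-09-03T09:30:17 id=4663 user=CORP\\akhan host=FS01 object=D:\\Public\\lunch_menu.txt access=ReadData src=10.1.4.50
"""

# Constructed policy inputs (assumptions for the example, not real settings).
SENSITIVE_PREFIXES = ("D:\\Finance\\", "D:\\HR\\")
AUTHORISED = {"D:\\Finance\\": {"CORP\\jsmith"}, "D:\\HR\\": {"CORP\\hr_ops"}}
BUSINESS_HOURS = (time(8, 0), time(18, 0))
INTERNAL_NETS = ("10.",)   # crude "is this an internal address" check


def parse_events(text):
    """Turn the flat records into dicts with a real datetime for 'time'."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        ev = {"time": datetime.fromisoformat(parts[0])}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def sensitive_area(path):
    """Return the sensitive prefix the path falls under, or None."""
    for prefix in SENSITIVE_PREFIXES:
        if path.startswith(prefix):
            return prefix
    return None


def access_report(events):
    """Who/what/when/where summary: {object: {user: first, last, count, sources, access}}."""
    report = defaultdict(dict)
    for ev in events:
        if ev.get("id") != "4663" or not sensitive_area(ev["object"]):
            continue
        entry = report[ev["object"]].setdefault(ev["user"], {
            "first": ev["time"], "last": ev["time"], "count": 0,
            "sources": set(), "access": set()})
        entry["first"] = min(entry["first"], ev["time"])
        entry["last"] = max(entry["last"], ev["time"])
        entry["count"] += 1
        entry["sources"].add(ev["src"])
        entry["access"].add(ev["access"])
    return dict(report)


def findings(events):
    """Flag sensitive-data accesses by unlisted users, off-hours, or from outside."""
    out = []
    for ev in events:
        if ev.get("id") != "4663":
            continue
        area = sensitive_area(ev["object"])
        if not area:
            continue
        reasons = []
        if ev["user"] not in AUTHORISED.get(area, set()):
            reasons.append("user not on authorised list")
        if not (BUSINESS_HOURS[0] <= ev["time"].time() <= BUSINESS_HOURS[1]):
            reasons.append("outside business hours")
        if not ev["src"].startswith(INTERNAL_NETS):
            reasons.append("source address not internal")
        if reasons:
            out.append((ev["time"], ev["user"], ev["object"], ev["src"], reasons))
    return out


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for obj, users in access_report(evs).items():
        print(obj)
        for user, e in users.items():
            print(f"  {user}: {e['count']} access(es) {e['first']} .. {e['last']} "
                  f"from {sorted(e['sources'])} {sorted(e['access'])}")
    for when, user, obj, src, reasons in findings(evs):
        print(f"FLAG {when} {user} {obj} from {src}: {'; '.join(reasons)}")
```

Run against the constructed sample, the report shows two users touching the finance spreadsheet and one touching payroll, and the flags single out the backup service account reading credit reports at night and a temporary admin account pulling payroll from a non-internal address in the small hours. The point is that none of this can be produced after the fact if object-access auditing was not already enabled and the events were not already being retained somewhere the attacker could not clear.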