Skip to main content

Judge not the breach, but the response

by Paul Roberts on Friday February 10, 2017

Contact Us
Free Demo

Two incidents from the week’s news show how breach response – not breaches themselves – are becoming the yardstick by which companies are measured.

Historically, companies have worked hard to avoid data breaches – fearful of the bad publicity that would almost certainly accompany them. But, increasingly, the fact of a breach matters less than how a company responds to it.

Two articles from this week’s news underscore the different lens through which the media is beginning to evaluate companies that have experienced security incidents. The first concerns the firm Logic Supply, a maker of industrial computers based in the U.S. As noted by the website The Register, Logic Supply reset all its customer passwords following a suspected breach on February 6. In a message to customers, the firm said it acted almost immediately upon discovering unauthorized access to its website that may have exposed some customer information. The window of compromise – at least by Logic Supply’s account – was small and the company said that customer credit card information was not exposed.

Embarrassing? Yes. But The Register gives Logic Supply high marks for being up front in its communications with its customers and for acting promptly to address the security incident. “Logic Supply ought… to be credited for getting on top of a security problem within days,” the article reads.

Contrast that with another article, on Wednesday, about the firm Sports Direct, a UK sports retailer. That article, also in The Register, notes that the firm was the victim of an intrusion in September that compromised the company’s staff portal. Still, employees of the company had not been informed of a breach, which Sports Direct learned of in December, The Register claims.

Sports Direct filed an incident report with the Information Commissioner's Office after it became aware that its workforce's information had been compromised, but did not report the breach to its staff.

Then, of course, there is the case of internet search giant Yahoo, whose serial breaches affected more than a billion accounts but went undetected for years. The delay in reporting those incidents raised questions about the company’s internal controls as well as its candor. The news of the breaches put the brakes on Yahoo’s planned sale to Verizon, with rumors that Verizon would seek to lower the cost of the acquisition.

The moral? The media, the market, your employees and customers are more willing to accept that breaches happen. The sheer number of incidents has made that shift inevitable. However, they do not look charitably on companies that are caught hiding information – or even appearing to do so.

There’s good reason for that. Employees and customers who do not know that their information has been exposed can’t take steps to protect themselves. Similarly: companies that stick their head in the sand – by definition – are deciding not to take needed steps to secure their network, data and systems. That’s because many of those steps (like mandatory account resets) will automatically signal that a breach or other incident has taken place.

Finally, a delay in recognizing an incident can hinder efforts to understand and clean up from it. Users affected by the Yahoo breach were likely already victimized by it by the time Yahoo disclosed the incident. Any passwords or other data they could think to protect would have already been accessed and siphoned to systems controlled by the attackers.

“They must understand that the damage has been done,” Jeremiah Grossman of the firm SentinelOne said of the Yahoo breach. “Whatever data the threat actor wanted to steal is now gone - and there is no going back.”

Companies, also, need to face up to incidents as soon as they recognize them. Only then can they have a chance of understanding the scope of a breach and taking steps to curtail it.

You’ve been warned.

Tags:  Data Breaches

Recommended Resources

The Definitive Guide to DLP

  • The seven trends that have made DLP hot again
  • How to determine the right approach for your organization
  • Making the business case to executives

The Definitive Guide to Data Classification

  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business