You had backups to your backups, plans in place, and security that you had faith in. But it still happened. Your systems were breached and customer data was compromised. Now what?
Take a deep breath.
Unfortunately, you cannot rewrite the past. But you can take steps to restore your reputation and move forward as an organization. A recent study stated that while investors are hesitant to invest in companies that have experienced multiple security breaches, they’re more concerned with how a company handles the leak. In fact, 66% of investors were more concerned with crisis management, compared with the 25% who were primarily focused on the attack itself. How you manage a security breach not only impacts your relationship with investors, but also gives you the ability to shape your organization as a reliable entity in the face of adversity.
If you’ve been breached, now is the time to take steps to demonstrate the trustworthiness of your organization. First things first – act on the plan you have in place. The most important thing you can do is work to rectify the situation, ensuring the data of your clients is secure. Then take a step back. Often when you’re looking at a big problem too closely it’s hard to see the big picture. That’s why it’s important to consider the lessons learned from other organizations who’ve experienced a breach.
We’ve compiled three top lessons to learn based on breaches that have impacted other organizations. Hopefully these takeaways will help other companies manage a security breach admirably.
Communication is key
It’s not easy to stomach a security breach. With heightened emotions from both the organization and its clients, it seems nearly impossible for both sides to find common ground – except for the fact that they both wish the breach hadn’t occurred. What is most needed is communication. After a major breach that saw the personal information of 24 million customers leaked, Zappos, an American online shoe and clothing company, knew they owed their customers an explanation. The company sent out an email to customers outlining what had happened and what was accessed, and alerting everyone to security precautions they should take – including changing their passwords on any accounts that may have used their Zappos password. The company even set up a separate email address to deal solely with questions surrounding password changes and the breach. While this email didn’t solve the issue of the breach, it gave an open line of communication between the organization and their customers. Transparency is valued by customers: their data is important, and they need to know you’re addressing the issue and not just sweeping the incident under the rug.
We’ve discussed the Canadian student loan data breach in past posts on our blog. The breach received widespread attention not just for the amount of data lost, but also for the time it took for Human Resources and Skills Development Canada (HRSDC) to report the situation. The data went missing in November, and no one was alerted until January. Those impacted by the breach were outraged that their data could have possibly been in the hands of an unauthorized person for months. And this isn’t the first case of a breach not being reported quickly enough. Sony received flak – and a lawsuit – after it failed to promptly disclose news of a large data breach to its customers.
When a breach happens there are a lot of moving pieces that need to be put into place to ensure that the situation is rectified as quickly and efficiently as possible. These steps cannot be taken at the expense of the customer. If their information has been breached, they need to know.
Make the required changes
This may seem like a no-brainer, but looking at examples of major breaches in the business pages demonstrates that it’s not as common as you would think. After storing all of their credit card data in plain text, Wyndham Hotels had their systems breached not once, not twice, but three times in two years. Over 600,000 credit card numbers were accessed in this period, with millions of dollars of fraud reported. The breach resulted in the Federal Trade Commission filing a complaint against Wyndham Worldwide and three subsidiaries in an effort to ensure that companies are taking the correct steps to protect consumer data.
You know the old saying – if something’s not broke, don’t fix it? Well, in this case something was very broken – and the issue remained unaddressed for far too long. Routinely test your security processes, and consider external penetration testing if you’re worried about attacks from the outside.
What lessons have you learned from major security breaches? Are you implementing these takeaways in your organization? Let us know in the comments below.