You've been hacked: Should you tell the world?

Martin Goslar, Ph.D | November 12, 2000 12:00 AM PST

The highly publicized Microsoft security breach reportedly related to hacking Microsoft's .Net strategy files and Windows source code offers an example of how things can get worse when public disclosure goes wrong. If your company has no strategy for informing the public about a breach, the way you handle such an episode can damage your corporate credibility.

Dealing with the public when a security breach occurs is as important as sealing the system and investigating potential losses. Hoping to be lucky and not be noticed when your company suffers a major security breach is not a realistic policy. News organizations and software and service vendors have a vested interest in exploiting your pain. For instance, security software vendors Trend Micro and Pelican Security both took advantage of Microsoft's misfortune and issued press releases claiming their products could have stopped the problem.

Every time you respond to queries regarding your company's condition or actions, whether on the phone or in a press release, you're walking along a precipice. Security experts will take whatever hack specifics you offer and extrapolate to fill in missing details. That means later additional information must jibe with earlier statements. Attempts at spin control just make things worse. The complexity and intricate nature of cyber-security virtually guarantees that your company will get caught.

A kinder, gentler approach

While you can't control the media, pundits, competitors, and many others who may try to profit from your misery, you can control your own public disclosures and possibly come out much better than you thought. Keep in mind the following guidelines to deal not only with breach information control, but also company and customer damage control.

  1. Funnel all information through one spokesperson. Periodic leaks of breach information, offered without context and by various spokespersons, engender conflicting messages, which in turn encourage experts and pundits to guess at what you're not telling them, often worsening a bad situation.

  2. Install fixes and close all breaches before going public with the exploit.

  3. Wait for complete technical and loss information analysis before developing a truthful but encouraging response.

  4. Identify possible conflicts or inconsistencies in your response and address them before going public.

  5. Send drafts of your public statements to senior management, the chief information officer, chief security officer, line management, and involved security/IT staff for review.

  6. Include a positive description of your most effective online protection in your public response. If your security or IT staff failed to take adequate measures for protection, admit the mistake.

  7. Don't downplay the breach's importance or emphasize how quickly your firm patched the hole. A highly visible financial institution recently did just that and it backfired; security discussion groups quickly alerted the public that the fix wasn't that simple and that other huge holes were still open.

  8. Don't lie. Truthful responses are easier to defend.

  9. Use the attention brought on by the breach to emphasize your focus on security and to note the additional steps you've taken for protection.

Your company's misfortune doesn't have to be a public feeding frenzy. Avoid becoming shark bait by taking a well-timed team approach to communications. Whether responding to the media, customers, stockholders, or employees, applying the advice above can work wonders and create trust where there were only questions.

Dr. Goslar is principal analyst and founder of E-PHD, LLC - a security industry research and analysis firm. He is also on the editorial board of the International Journal of Electronic Commerce and can be reached at Comments@E-PHD.COM.
