We can generally gauge the level of preparation and understanding a company has about their own cyber security by the way they respond externally to a cyber incident. There have been some notable examples over the years where cyber security professionals have had to put palm to face on some of the media responses placed into the global media.
Talktalk Breach 2015
During the Talktalk breach in 2015, a series of notices followed by personal interviews with the CEO Dido Harding, seemed to make the situation more confused rather than helping customers.
In one such interview, CEO Dido Harding claimed that the company had been the victim of a “Sequential Attack”. Having a CEO present on behalf of the company in a scenario like this, is always likely to expose a lack of understanding rather than to support your case.
The penalty notice issued by the ICO fined Talktalk £400K out of a maximum possible of £500K. In the notice, the ICO were very clear on the failings of Talktalk to address basic cyber security issues. Talktalk didn’t even know that the breached website was still accessible externally and the site had not been patched for three years.
Brand and Reputation
Most companies however are not in the Talktalk camp and actually have a brand to protect. This poses the average company with a dilemma.
How do we admit we have been successfully attacked without looking like muppets?
Many companies focus on the wrong type of communication. They look to sell themselves within the incident, rather than taking one on the chin and then getting up off the canvas professionally.
A beautiful example of this was in the Equifax response to their breach, which rambled on about how great a company they were. An effective cyber incident media response will actually enhance the trust in a company. Everyone expects that companies are hackable, it is purely a question of when.
Create pre-defined templates
An initial breach response that looks like the company issued something hastily and did not have a plan in place for how to respond, can be taken as exactly that. If it looks like the breach response is a modification of a well thought through template, then some effort has probably gone into the planning and preparation for such a cyber breach event.
Here are two examples of recent cyber breach notifications. One good and one not so good.
In this AirBus Industries example from January 2019, the message covers all of the bases.
It is only four paragraphs, and roughly says:
- We messed up
- But we got this now. We are in control of the situation.
- Everybody that should know, does know and all the right people are involved.
- We have communicated to our staff (i.e. we told them before we told you) and asked them to be mindful.
I think that kind of covers it. It doesn’t waffle on, it doesn’t say “the safety of your data is the most important thing to us”, or other such hyperbole. It states facts, it looks like a modified pre-defined template that has been pulled out of a drawer, which indicates that some previous planning for such an event has been done.
Compare the Airbus example to one from Dell from November 2018. The first thing to note is the formatting.
It lacks a defined structure like the Airbus example, which suggests it was written on the fly, with no template to work from. It is clearly random thinking and jumps about all over the place. This notice has all the hallmarks of being written in a hurry by committee.
There is a particular line in here that I don’t like at all.
“Though it is possible some of this information was removed from Dell’s network, our investigations found no conclusive evidence that any was extracted.”
This statement highlights a number of possible reasons for why this could be the case, and none of them are good.
The first part of the sentence indicates that the investigation is not complete. It then states we have not found any evidence. The statement is self-contradictory. If your investigations are complete, you would know whether information was removed or not.
Unfortunately, this is the kind of statement you come up with, when the real situation is quite bad and you don’t want to tell the whole truth, but you certainly cannot lie.
My mental translation of this statement says, “We don’t really know what has happened because we weren’t collecting any evidence (i.e. the event logs) in the first place”.
It then goes on to bemoan the “sophistication” of cyber-attacks, and then claims that Dell is committed to its customers data and that it will continue to invest in IT.
The announcement is sloppy because it raises more questions than it answers. Instead of leaving the reader with a sense that the company is in control, you are left with a sense of quite the opposite.
Templates, templates, templates
The first thing that needs to be done, is to spend some time to generate a few templates that could be used in the event of a cyber breach as your basic statement structure. You might have one for a DDoS attack, where your services are unavailable. Maybe a ransomware one. I have outlined a number of possible scenarios in this earlier post.
If your initial response to a cyber breach looks like it came from a pre-prepared template, you will immediately get some leeway with your audience for being prepared and competent.
Once you are happy with the detail in the proposed templates, make sure you send it over to the folks in Brand management. The notice has to sound like it came from your company, so whilst you don’t want to let Brand rewrite it with lots of sales garbage, you do want to be using the same kind of words that generally come out in your companies’ communications.
Once everyone is happy, make sure everyone signs off on them. You do not want to be taking these out of a drawer to use during an incident, and then having an argument about their quality or correctness.
Don’t waffle about how much your customers trust means to you. That should be obvious to everybody. Concentrate on the facts. Tell the customer anything they have to do as a result of this breach. Tell them how you will continue to update them.
Everything should be about the customer, not how difficult this is for the company. If this data breach is in scope of the GDPR, tell the customer what you have done to ensure their rights, or what you are about to do.
Nothing should be about how wonderful the company is. Everything should be about how you are protecting your customers and their rights.
Don’t hypothesise if you don’t know
The point of investigating is to know what happened. Pre-empting the investigation will only get you into trouble by over or underestimating what has happened. A holding statement is perfectly reasonable. Something like, “We are investigating the extent of the breach and will notify all customers that are affected, once we have confirmed which customers are in scope”.
Don’t use the words “sophisticated” or “suspected nation state actors”.
Tell your customers who is helping you to resolve the incident
If you have outside expertise involved, tell them. If you have law enforcement involved, tell them. External legal council? Tell them.
The more you can show that you have gathered the A-team on this the better. Your customers may not trust you to fix it on your own, but if you can show that you have assembled the Avengers to deal with this, then that may be a different story.
It shows that you are taking it seriously and that you understand that this is the highest of priorities. If you can give your customers a flavour of “no expense is being spared” without actually saying that, you will convey to your customers that you understand the urgency and the seriousness of the situation.
Promise to keep your customers informed and keep your promise
A lot of companies fall down because they believe that the initial breach notification is all that is required. But this does not sit well with a customer centric approach.
Tell your customers where information will be available and what kind of updates to expect.
Be prepared to deal with scammers
Ensure you have a team ready to deal with anyone pretending to be your company, attempting to extract any information from gullible customers. You have already had one breach. Do not allow an initial lacklustre response to encourage scammers.
Ensure that you direct customers to an “firstname.lastname@example.org” type email address, for any communications they may receive that they are suspicious about.
Practice makes perfect
You should be testing your responses to incidents like these on a regular basis though cyber simulations. It is very difficult to deal with a real breach if you have not been through some dummy test breaches.
It helps the entire incident response team to understand their roles and how a scenario is likely to play out over time.
If you want your incident team to be good, they need to practice.
Simulations expose gaps in you planning and allow you to consider a scenario from many angles. Above all, it allows you to make mistakes and to correct them.