No organization wants to experience a network breach or similar security issue, but the chances are high that it will happen at some point. Once the unthinkable has occurred, good and effective communication will be essential to getting through the experience successfully. The middle of a crisis is no time to be figuring out who should say what to whom; these details need to be established well in advance.
A recent survey by The Hartford indicates that most small business owners do not think they are at risk for a data breach. In reality, even if you have a good security program and maintain a strong security posture, there is a high likelihood that your corporate network perimeter *will* be breached. When that fateful day arrives, two things determine how ugly things get for you and your business:
1. How good your actual defenses are (how far the attackers got in, what they touched, when you identified the attack, etc.)
2. How well you handle the post-breach communications (who you speak to, when and how you speak to them, who speaks to them, what you say, etc.)
You can be certain that people like planning for breaches almost as much as they like doing estate planning. The general feeling appears to be that thinking about a breach (or a will) will bring on their demise that much sooner, but the reality is that there's no better time than the present when it comes to preparing for either event. The difference between a dilemma and a crisis is all a matter of preparation.
The authorities should be contacted by your legal counsel or someone on your senior management team as soon as you know for certain that you have been breached. They will provide you with additional guidance, and may even provide some assistance with conducting forensics. It is best to speak to the authorities in advance to determine who the right contact persons are, so that the process is streamlined during the actual incident.
General Customers
Once you have ensured that your key constituents have been notified by phone, you will want to send out letters and emails to everyone else. While it is important to notify everyone who is affected, you will want to have a priority conversation first with those who are strategic to your organization. Everyone else needs to know what has happened and how it impacts them. Be ready to say what high-level steps have been taken ("we've eliminated the weak point in our system and updated our procedures and tools to monitor and block more effectively"), and reassure them that they can continue doing business with you. You can direct them to your website for more information as appropriate.
General Public
Whether or not you inform the general public depends on your industry and type of organization. If you are a public company, or if your organization provides internet-based services, then you might need to let everyone know that something has occurred. Timing is important, because you don't want to post something on the website and have key customers find out there before they are called. The less said, the better, but it should follow the same format as for general customers.
The Authorities
When: As soon as you have confirmed the breach (within 12-24 hours, max)
What: Everything you know about the breach
By Whom: Legal counsel or Senior Management (CEO/President)
How: Typically by phone or other pre-established contact mechanism
Follow-up: As directed by law enforcement (several times a week, generally)

Critical Customers and Partners
When: As soon as you have verified the scope (within 1-3 days, max)
What: That a breach has occurred; that the data is safe/unsafe; that the authorities are involved
By Whom: Senior Management (CEO, President, Executive Account Manager)
How: As directly as possible (generally by phone and express mail)
Follow-up: At least weekly (possibly more frequently in the very early stages)

General Customers
When: As soon as you have confirmed the breach (within 3-5 days, max)
What: A high-level announcement of the breach and of cooperation with the authorities
By Whom: Senior person responsible for corporate communications
How: Generally via email and snail mail
Follow-up: As information changes
General Public
When: Depends on your organization and industry (within a week, if at all)
What: A high-level announcement about a potential attack and of cooperation with the authorities
By Whom: Senior person responsible for corporate communications
How: Generally via email and snail mail
Follow-up: As information changes
In general, be timely and concise, but provide useful information. The faster you contact the authorities, the more effective your other communication is going to be. While no one wants a week to pass without being informed that their data may have been exposed, most will be somewhat forgiving if your organization was working with law enforcement very early in the process. The first few weeks following a breach or major incident are among the most crucial for any organization. Taking the time to plan in advance who will handle each communication and what the gist of that communication will be goes a long way toward handling a breach in a way that customers and innocent bystanders will respect.
Wrapping It All Up
When everything has finally been brought under control and the dust has settled, it is highly advisable to distribute a final communication to close out the matter properly. This will typically involve a high-level summary of the events that transpired, how they were addressed in the short term, and any lessons learned that will be applied over a longer timeframe. This is a delicate but essential matter, because it says a great deal about an organization's true level of transparency, and it has a more significant bearing on its trustworthiness than almost any other type of statement or activity. Just as the true character of individuals is more readily revealed in times of conflict or crisis than in times of peace, so too is the true character of an organization more clearly defined by its response to crises. Here are some additional resources that will help you and your organization to formulate effective incident response and information security plans:
Andrew S. Baker is the president and founder of BrainWave Consulting Company, LLC where he provides Virtual CIO services for small/medium businesses. See Andrew's complete social presence at XeeMe.com\AndrewBaker