Why incident response is not limited to IT security matters
By Alexander Moiseev, Chief Business Officer, Kaspersky
Almost half (46%) of enterprises worldwide experienced at least one data breach in 2018, with victims including such well-known names as Marriott International and British Airways. That means there is a high chance for any enterprise to fall victim to an incident. With this in mind, companies are focusing not only on preventing breaches, but also preparing the methods to limit the impact when it happens.
This may require a combination of buying additional security solutions, which help to detect an attack at an early stage, hiring new incident responders or training the existing team to react to an incident more efficiently. However, is your job really done after you identify the root cause of the breach and resolve technical issues? To answer this, let’s look at how data breaches affect an enterprise from a financial point of view.
IT damage costs are just the tip of the iceberg
The financial damage of data breaches cost organizations an average of $1.23 million in 2018. A tenth ($131k) of this sum is related to lost business, which can be caused by downtime in business operations. Nonetheless, when your IT and IT security teams bring all the processes and systems back on track, it does not guarantee that the business will prosper as it did before the incident.
A survey revealed that 83% of American consumers and about a half of British (44%), Australian (43%) and Canadian (58%) ones will stop spending with a business for several months if they know that it experienced a data breach. Moreover, some of them claim that they will never shop again with such brands. Besides, your incident will spread via word of mouth, as proven by 85% of customers saying they will tell others if their personal information is stolen as a result of a data breach. This suggests that consumers are now more concerned about the safety and privacy of their data.
Given how much data breaches affect customer loyalty, it comes as no surprise that companies typically had to spend 11% ($132k) of the average breach-related cost on additional PR activities aimed to mitigate negative perception after the attack.
How to stop a cyber incident becoming a PR disaster
The aftermath of a data breach goes beyond IT security, making the response to it a business-wide matter. This idea is widely accepted among cybersecurity professionals. In our survey of more than 300 CISOs worldwide, almost all agree (97%, and 47% agree strongly) that they have participants from all key departments including IT, legal, HR, customer support, sales, and corporate communications departments, when responding to a security incident.
Despite IT security leaders understanding the importance of cooperation across different departments when responding to an incident, companies still fail to deliver an adequate response. It often happens because companies don’t know how to specifically handle crisis communication related to the IT security incident.
The key to effective crisis management is to be prepared. That way, companies should know how to communicate the dangerous situation they are likely to face because of their business risks – be it a product recall for a manufacturing company or environmental damage caused by a mining organization. As the statistics imply, cybersecurity incidents should be also included in this. However, a single plan to address any cybersecurity issue will not work.
The possible impact on a company’s reputation depends on what kind of incident it experienced – whether it was APT, which allowed cybercriminals to spy on its activities, or ransomware, which paralyzed the business. Instead, a crisis communication plan should take into account the company’s threat model and cover the likeliest scenarios.
When a company discloses an incident, another mistake is to draft a generic statement that does not provide any information on what exactly happened, how it affects its customers and partners and how the problem is being solved. The lack of details creates a breeding ground for speculation, which results in an even bigger reputational loses. Therefore, to write an informative statement, corporate communications need to find out details from stakeholders. This is not easy when the entire IT security team is busy with numerous urgent tasks as they respond to the incident.
Besides, a timely and coordinated response to an incident depends on how well internal communication processes are established. Effective means of communication allow employees to be always-on and stay updated on the situation, which is essential during a crisis. But in the case of cyber-incidents, there is a pitfall.
Usual means of communication, such as email, IP-telephony, direct messages and phone or video calls may be compromised by hackers. So as not to cause another breach when discussing a statement, a company must have operation security measures on preparation for the disclosure of an incident. It protects the business from sensitive information leaking if attackers still persist in the network or through careless or malicious employees.
But how can one communicate without means of communication? In this situation, involved employees should use encrypted channels. Nonetheless, non-IT staff may not know much about encrypted messaging applications, so they will have to spend their precious time installing them – or explaining to an IT administrator why they need something besides already approved means of communication.