Data Breach Notifications and Why Honesty is the Best Policy

Data breaches don't discriminate. Businesses of all sizes are affected by these hugely damaging attacks, which means that more and more customers are directly feeling their effects.

For businesses, the impact of a data breach is far-reaching, disrupting organizations both in financial terms and in the way they are perceived by the general public. 

For example, a company with its name splashed across the papers for having been caught cold by a data breach may find that once-loyal customers are evaluating their relationship, with a potentially irreparable loss of trust. 

Trust is valuable to customers. We're more connected than ever, and the sheer volume of sensitive data now held by organizations means that customers expect a high degree of transparency. Every successful cyber-attack dents customers' faith in the integrity of digital services, so it's in a business's best interest to be as honest with customers as possible. 

This leads us to data breach notifications: the act of a business alerting customers to a breach it has fallen victim to, and taking steps to remediate the damage. In some regions, like Australia, data breach notifications are mandatory. In the UK, under the GDPR, a breach must be reported to the regulator within 72 hours unless it is unlikely to result in a risk to people's rights and freedoms, and the affected individuals must be told directly when that risk is high.

It's not hard to see why these measures are being put in place. They ensure that customers aren't left in the dark about their data. 

While some companies may baulk at the idea of telling customers that they've been targeted by cybercriminals, data breach notifications can work in a business’s favor, and can be an effective customer retention tactic. Honesty, it seems, really is the best policy. 

Keep your customers
Customer loyalty and trust are far more likely to be earned by businesses that clearly communicate their commitment to breach notification and prove that they'll deliver on it. Customers are savvy, and if you remain tight-lipped about a data breach, the truth will eventually come out.

If a customer reads about a potentially damaging breach in the news rather than being informed by the company they are affiliated with, then that relationship is in for a rough ride. 

Data breaches can be damaging to an organization's finances and reputation. By showing customers that your business won't be cowed by attackers and that you'll stand up for what's right, regardless of the cost, you'll likely be rewarded with trust and respect. 

With this in mind, it's clear that data breaches are more than an IT issue—they are a business issue. Given that the tendrils of an attack are so far-reaching, it's strange that in many businesses, data breach notifications are seen as the purview of the IT professional. This is absolutely not the case. 

Know your role
A data breach notification is everyone's responsibility, and it's up to the business to let customers know that it has IT professionals working around the clock to combat these damaging attacks. For a business as a whole to be aligned in this, it's important that attacks are identified and the extent of the damage is established as quickly as possible. But how can you do this?

First, plan before establishing your defenses. Countless businesses rush in and purchase "bleeding-edge" defense tools without knowing what they actually do. Instead, your first step should be identifying your most sensitive or vulnerable data, and deciding who's responsible for its protection. In doing so, you can achieve a faster and more stable implementation than the "headless chicken" approach of buying first and planning later.

Second, you should invest in monitoring before defenses are established. Data breach notification is only possible if you know when a breach occurs, and monitoring is the only way to do that. Security Information and Event Management (SIEM) software can tell the business when an attack has occurred, what it touched, and whether any other systems may still be at risk, but only for the systems whose logs it actually receives, and only as well as its detection rules are written and tuned. 

You should also map your monitoring and reporting strategy to business priorities, not just to the usual suspects like event logs, USB drives, and other removable media. With business priorities constantly changing, your SIEM rules need to be able to adapt to keep up. 

Finally, constant testing is a must. As you implement your monitoring, automated reporting, and response systems, you'll likely find that your initial priorities and strategy aren’t completely accurate. When that happens, ditch any defenses you don't need and double down on weaker or more critical areas.

Remember to update the rest of the business when you adjust your defenses. Otherwise, your business and its customers may grow accustomed to a false sense of security.
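The three steps above are easiest to see as one small loop: an asset register that records which data stores matter and who owns them (step 1), detection rules run over event logs that use that register to decide what is worth alerting on (step 2), and a fixed sample log that the rules can be re-run against every time they change (step 3). The Python below is an added illustration, not code from the article or from any SIEM product; the store names, hosts, users, thresholds and the JSON-per-line log format are all constructed for the example.

```python
"""
Added example: register-driven breach detection over constructed event logs.
Output of detect()/summarise() is what a notification decision needs first:
which sensitive stores were touched, how many records, and who owns them.
"""
from collections import defaultdict
import json

# Step 1: the asset register (hypothetical entries, not a real inventory).
# Sensitivity decides what is worth alerting on; owner decides who gets told.
ASSETS = {
    "customer_db":  {"sensitivity": "high", "owner": "dpo@example.test",         "host": "db-host-01"},
    "payments_db":  {"sensitivity": "high", "owner": "finance-sec@example.test", "host": "db-host-01"},
    "marketing_db": {"sensitivity": "low",  "owner": "marketing@example.test",   "host": "db-host-02"},
}

# Hosts that hold at least one high-sensitivity store; removable media there is a concern.
SENSITIVE_HOSTS = {a["host"] for a in ASSETS.values() if a["sensitivity"] == "high"}

# Threshold a business review would set; hypothetical value.
BULK_READ_ROWS = 10_000

# Constructed sample log, one JSON event per line (the format is invented for this example).
SAMPLE_LOG = [
    '{"ts":"2024-03-01T02:11:05Z","type":"db_query","user":"svc_report","store":"customer_db","rows":250000}',
    '{"ts":"2024-03-01T02:11:40Z","type":"db_query","user":"svc_report","store":"marketing_db","rows":300000}',
    '{"ts":"2024-03-01T02:12:10Z","type":"db_query","user":"analyst1","store":"payments_db","rows":12}',
    '{"ts":"2024-03-01T02:15:00Z","type":"usb_mount","user":"svc_report","host":"db-host-01","device":"sda1"}',
    '{"ts":"2024-03-01T02:16:00Z","type":"usb_mount","user":"jdoe","host":"laptop-17","device":"sdb1"}',
]


def detect(lines):
    """Step 2: run the rules. Each alert names the stores it concerns so it can be routed."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev["type"] == "db_query":
            asset = ASSETS.get(ev["store"])
            # Bulk reads only matter on high-sensitivity stores; the 300k-row
            # marketing_db read below the register's bar is deliberately ignored.
            if asset and asset["sensitivity"] == "high" and ev["rows"] >= BULK_READ_ROWS:
                alerts.append({"rule": "bulk_read", "ts": ev["ts"], "user": ev["user"],
                               "stores": [ev["store"]], "records": ev["rows"]})
        elif ev["type"] == "usb_mount" and ev["host"] in SENSITIVE_HOSTS:
            # Removable media on a host that holds sensitive stores: every
            # high-sensitivity store on that host is in scope, not just one.
            stores = [s for s, a in ASSETS.items()
                      if a["host"] == ev["host"] and a["sensitivity"] == "high"]
            alerts.append({"rule": "removable_media", "ts": ev["ts"], "user": ev["user"],
                           "stores": stores, "records": None})
    return alerts


def summarise(alerts):
    """Group alerts by data owner: who must be told, which stores, which principals, how many records."""
    incident = defaultdict(lambda: {"stores": set(), "rules": set(), "users": set(), "records": 0})
    for al in alerts:
        for store in al["stores"]:
            entry = incident[ASSETS[store]["owner"]]
            entry["stores"].add(store)
            entry["rules"].add(al["rule"])
            entry["users"].add(al["user"])
            if al["records"]:
                entry["records"] += al["records"]
    return dict(incident)


def related_stores(lines, alerts):
    """Blast radius: every store each alerting principal touched, alerted or not,
    so the 'may other systems still be at risk' question has an answer."""
    suspects = {al["user"] for al in alerts}
    touched = defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        if ev["type"] == "db_query" and ev["user"] in suspects:
            touched[ev["user"]].add(ev["store"])
    return dict(touched)


if __name__ == "__main__":
    # Step 3: re-run the fixed sample every time the register or rules change.
    found = detect(SAMPLE_LOG)
    for owner, info in summarise(found).items():
        print(owner, sorted(info["stores"]), sorted(info["rules"]), info["records"])
    print(related_stores(SAMPLE_LOG, found))
```

On the sample log this raises two alerts (the bulk read of customer_db and the USB mount on db-host-01), routes them to the two owners in the register, attributes 250,000 records to the customer_db owner, and flags marketing_db as also touched by the same service account even though no rule fired on it. Keeping SAMPLE_LOG under version control alongside the rules is the cheap form of the "constant testing" the article asks for: when a threshold or a register entry changes, the expected alerts change with it and the test says so.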

Data breach notifications are already achievable for most IT teams. More work is required, however, if an entire business is to pitch in and use this transparency as a competitive advantage. By following the above steps, you can let customers know what needs defending and why, and earn their trust and loyalty, proving that honesty is still very much the best policy.