Advanced Persistent Agony: Fixing the Broken Data Breach Response Template

Have you ever read a news article about a data breach from a major company and thought "they did a great job handling that situation and communicating it to their affected customers and the public?" Probably not. 

The standard response playbook to a major data breach is harmful to security professionals, damages consumer trust, and ultimately makes it impossible for companies to protect their customers or their brands:

Stage 1 - Advanced Persistent Overwhelm: It starts with security pros who are overwhelmed with alerts, not knowing which ones are credible threats and which ones are not – leading to preventable breaches and attackers that go undetected for months.

Stage 2 - Advanced Persistent Inertia: Once the threat is finally detected, lawyers and PR departments lead the communication to customers and stakeholders. Instead of providing a clear view of what happened and how it is being solved, they issue the same pre-canned statements, essentially denying responsibility for the attack, while simultaneously claiming to have taken all precautions to prevent it again.

Stage 3 - Advanced Persistent Apathy: Consumers grow numb to the daily threats in the headlines and actual compromises of their personal data. The most impacted individuals are overwhelmed to the point that they don’t have the energy to hold companies to a higher standard. Businesses who should be stewards of their customers' data then have no incentive to behave any differently. 

The cycle continues. But it doesn't have to be this way. 

Addressing Overwhelm 
When security teams are overwhelmed, it is often because they have too little information, too few qualified staff, and too little time to gather and parse the information. Stuck with limited data from logs, agents, and testing tools spread across multiple platforms and consoles, security teams are faced with excess friction at every step of a breach investigation.

  • The New Approach: The first solution is better information, delivered faster. The real, definitive action in every data breach occurs on the network, at the moment when an attacker gains access to a sensitive database or moves a file containing sensitive information off the victim's network. By pursuing total visibility and investigative capability on the network, businesses can reduce the cognitive load and burnout that is so common among security staff and create an environment where it’s possible to successfully investigate and prevent increasingly advanced threats.

Combating Communication Inertia
Defeating inertia when it comes to communicating about major data breaches is both a technical and a cultural challenge. When a breach occurs, both security and line-of-business stakeholders often don’t know enough about what happened – and the information they do have comes too slowly – to communicate effectively. They find out about the breach months after the damage was done, and it takes even longer to investigate.

This has always been bad for brand image, and a terrible experience for consumers, but it became completely nonviable with the enactment of the General Data Privacy Regulation (GDPR), requiring businesses to report a data privacy violation in detail to consumers within 72 hours.

  • The New Approach: Breached businesses need to be able to say exactly how many customers were compromised, when it happened, how they are fixing it and if they'll be compensated. The security team is the only possible source of that information, but they can't provide it if they don't have it. Providing security teams with the tools and staff they need to provide timely, accurate information about a breach to the rest of the business is no longer a nice-to-have, but a requirement for businesses in the new regulatory environment.

Defending Against Consumer Apathy
Consumers are subjected to new compromises constantly. They shouldn't have to fight with a retailer who loses their credit card number, or the DNA testing company that leaks private medical data. But that's how the system often works right now.

With GDPR and other pending regulations, the enormous possible fines companies in violation will create consequences that businesses can't ignore. These regulations require reporting capabilities that most businesses can't meet today without an overhaul of their data-gathering and -handling practices.

  • The New Approach: As corporations come to terms with the need for better investigation capabilities, their security operations teams will gravitate towards the highest-fidelity, most reliable data source available to them: the network. The network is already the source of truth for IT and security operations teams seeking to understand how malicious actors behave. The next step is to use that data to effectively understand and communicate about breaches to protect and build trust with consumers.

In summary, in a world where every company is susceptible to massively public data breaches, those that master the investigation and communication aspects of a breach will retain customer trust more effectively, which will directly affect their bottom lines.

What’s Hot on Infosecurity Magazine?