The verdict is in: Equifax “epically bungled” nearly every aspect of its breach response.
For those of you just waking up from hibernation, here’s the gist. In September of 2017, credit reporting giant Equifax announced that attackers had infiltrated its systems and gotten access to the sensitive data of 143 million individuals. The breach succeeded despite Equifax knowing about the vulnerability and having ample time to address it.
Equifax’s PR went wrong from day one. Equifax waited six weeks to disclose the breach, enraging customers, most of whom hadn’t even known Equifax had their data. Three executives sold millions in shares within the month before the public announcement. Equifax directed customers to a separate, unsecured site that required them to re-enter a portion of their SSN in order to find out whether they’d been affected. The company’s Twitter profile repeatedly tweeted links to copycat sites. Like Yahoo before it, Equifax’s handling of the situation was ludicrous and inexcusable.
Yet such ‘epic bungling’ can lull us into a dangerous sense of security. Amid our outrage, we can easily forget that our organizations could be next. According to Ponemon’s 2017 Cost of Cyber Crime Study, the average enterprise suffers 130 successful breaches1. IBM finds that the past five years have seen a gradual rise in disclosed software vulnerabilities, with 2016 the highest on record2.
Equifax’s comedy of errors can obscure a sobering truth: we are all targets. As former FBI director Robert Mueller observes, cyberattacks are “no longer a question of ‘if,’ but ‘when’ and ‘how often.’”
Many sources proclaim that you will be breached. We won’t go that far. But we will say this: it behooves your organization to act as though a breach is, not only probable, but imminent.
Assume it will happen, and plan for when it does happen.
Common sense, ancient wisdom, and modern cybersecurity experts are unanimous: organizations with a comprehensive, fully-resourced incident response plan will weather a breach far better than one that builds its wings on the way down.
The internet teems with arbitrary lists of what incident response plans should include. We won’t pretend to know enough about your organization, industry, team, or prior efforts to give you an all-encompassing break-in-case-of-emergency prep kit.
We have humbler aims. In this article, we will offer five thoughts for you to consider as you craft your own breach response plan.
1. Sourcing External Counsel
Equifax had bottomless pockets and the pick of top-tier talent. Neither fact prevented it from fanning disaster into cataclysm. Crisis makes for flawed decision-making. We suggest seeking experienced counsel from outside your organization. Several benefits support this suggestion. Legal counsel may include your initial decisions within attorney-client privilege, as Grant Thornton’s Johnny Lee remarks.
Since the breach occurred “on your IT provider’s watch,” Pinkerton’s Stephen Ward advises you to treat in-house resources with skepticism. IBM reports that 60% of breaches involve company insiders3. Even if you trust your IT staff, external firms can help detect vulnerabilities, verify patches, and find hitherto unknown weaknesses.
2. Recruiting a Crack Team
Most experts agree that your plan should identify an incident response team: a group of skilled staff selected from necessary departments: IT, HR, PR, and legal. Yet trusted individuals may have caused the breach in the first place. Thus, firms must keep a close watch on responders and have alternatives in case the trail veers toward privileged employees. Breached companies should also consider launching parallel investigations, internal and external.
Choose a team capable of identifying the breach’s source, scope, and significance in as little time and with as much confidentiality as possible. Recognize, however, that rumors spread—except in the rarest of cases, those aware of the breach will swell in number, and you should prepare to disclose early before word leaks to the press or public.
Once you have identified and patched the source, do everything in your power to verify the solution. Chris Pogue contends that “an external team of experts…is really the only way of ensuring that the fixes that have been put in place are fulfilling their intended purpose.”
3. Cooperating with Authorities
With GDPR and its predecessor initiatives, Europe has made vast strides toward standardized digital regulation. The United States has not. In the U.S., breached organizations must negotiate numerous legal jurisdictions, many in tension or conflict. Reporting requirements vary by state, from 90 days in Connecticut to 30 days in Florida. Confidentiality, the legal treatment of encrypted data, and liability to torts range almost as widely.
As Jenny Durkan and Alicia Cobb write in The Cybersecurity Law Report, “Any business that suffers a significant breach will face not only multiple civil suits but multiple investigations by federal and state authorities.” While the severity of these investigations depends on the volume and sensitivity of exposed data, any breach could place your business in extreme “legal jeopardy and uncertainty.”
Experienced legal counsel will prove invaluable here. You must understand which authorities to contact when and how. Don’t rely on regulators to appreciate a good faith effort.
4. Disclosing the Breach
In public opinion, perception is reality. Jaundiced by recent headlines, consumers no longer regard breaches as acts of God. Public opinion “has evolved,” remarks PwC’s Hamish Cameron. High profile breaches once invoked sympathy. Now they invoke only anger and annoyance. Your “customers want reassurance that you’re doing everything you can to get things back to normal.” Woe to you if you don’t reassure them.
Some researchers refer to this emerging mindset as ‘data breach fatigue.’ To breached companies, this fatigue is both blessing and curse. Veteran PR consultant Loren Dealy Mahler specializes in guiding companies through the fallout of breaches. She points to the customer’s expectation that breached organizations follow a simple script. First, the firm “acknowledges that something happened.” Second, executives “apologize for the impact on their customers.” Third and finally, the firm “prevents [its] story from changing over time.”
Match the script, and you can mitigate the consequences. Fail, deviate from it to even a minor degree, and you invite disaster. Any mishandling will create what Mahler calls “a chain reaction of negative attention being paid to your handling of the situation, rather than to the actual breach itself.”
Wait too long to disclose, and you risk charges of negligence. Disclose before resolving the leak, and you risk continuing losses.
It is vital that you take proactive steps to handle the PR fallout. Work with an experienced PR firm. Have a strategy that identifies not just the method but the order of disclosures. You could, for example, plan to notify your incident response team first, the authorities second, employees third, and the public last.
5. Play the Long Game
The impacts of a major data breach will echo for months and years to come. In extreme cases, companies fail to comprehend the true scope of the breach until much later. Yahoo did not realize until 2017 that attackers had compromised all three billion of its user accounts in a 2013 breach, far from the mere millions originally estimated. Equifax had to admit ten months after the fact that exposed data included 2.4 million more customers than previously thought.
While few cases involve mistakes as spectacular as Yahoo and Equifax, the principle remains: like a physical wound, breaches take time to heal. The outright costs of a breach—the lawsuits, departing customers, and regulatory fines—represent only part of the final toll, which will include lasting harm to brand reputation, customer base, and partner prospects.
Breaches also leave your organization vulnerable. Take heed that the recovery process doesn’t detract from ongoing cyber threats.
We know—it sounds nigh to impossible. You must manage dozens of competing priorities while under inconceivable personal and professional pressures. You must identify, fix, and verify that you have fixed a vulnerability you probably knew nothing about. You must commission for this task a team of employees that may not deserve your trust. You must stand before the public with hat in hand and apologize for events largely outside of your control.
It seems unfair.
It is unfair.
But with a plan—a complete, well-resourced, and fully-executed plan—you and your organization can not only survive a breach, but emerge stronger for it.
1 Ponemon Institute, 2017 Cost of Data Breach Study.
2 IBM, X-Force Threat Intelligence Index 2017.
3 IBM, X-Force 2016 Cybersecurity Intelligence Index.