By Javvad Malik
Breaches aren’t easy to deal with, especially if you are of the opinion that companies are people, too. Having seen, been part of, and lent a shoulder to many a breach, here are nine of the most common ways I’ve seen companies respond to breaches.
A delayed response is when a breach has occurred and the company is informed a long time after the fact, usually when the data appears on a dark web sharing site. Sometimes the company is informed by law enforcement or sometimes they learn by reading about it on Brian Krebs’ blog.
Complicated Response (Traumatic or Prolonged)
A complicated breach becomes severe with time and can impact the entire company. This can be the case when regulators step in to look at a breach. Were you PCI DSS compliant? Well not anymore. Did you have European citizen data? Well say hello to my little GDPR friend.
Disenfranchised breaches are when the company experiences a loss, but others do not acknowledge the importance or impact. For example, an intellectual property breach that allows a competitor to get ahead is felt by the company, but elicits little, if any, sympathy from customers.
A cumulative breach is when multiple breaches or incidents are experienced, often within a short period of time. For example, getting locked out of your IoT device’s accounts while records are being exfiltrated out of the mainframe during a DDoS attack. A cumulative breach can be particularly stressful because a company doesn’t even have time to properly respond to one incident stating how they ‘take security seriously’ before experiencing the next breach.
Sometimes a company responds to a breach in extreme and hostile ways. In a manner befitting a toddler, the company may resort to blaming a partner or any other third-party company. On occasion, the finger of blame is pointed towards an employee or contractor for not patching a system. Or, in some cases, the company will want to set an example and unceremoniously fire the CISO.
Also known as “keep this between us,” this is a conscious decision by a company to keep details of a breach limited to a very small group. Problems can occur if customers or regulators get wind of it, which can cause bigger issues down the road. By then, the only viable option for companies is to shred the documents, wipe the hard drives, and research countries with non-extradition treaties.
Collective breach is felt by a wider group, and the impact is shared. It can be a useful tactic to bring all people on the same side and put their differences aside. When everyone is forced to change their passwords after a breach, it gives common ground for them to share the pain.
A favorite of social media giants, absent response is when a company doesn’t acknowledge or show signs of giving any response. This can be as a result of shock, denial, or simply passing everything onto “business as usual.” It’s important to note that in some instances, just because you can’t see the signs of a response doesn’t necessarily mean that a company isn’t taking responsive actions. Or it could just mean they don’t care; it can be hard to tell.
Remember all those posters telling you “It’s not a matter of if, but when” – well, that can have a positive affect as companies can go into anticipatory mode, expecting a breach and preparing accordingly. It doesn’t lessen the sting of a breach, but it does allow you to have plans in place to respond and recover.
About Javvad Malik
Javvad Malik is an award-winning information security consultant, author, researcher, analyst, advocate, blogger and YouTuber. He currently serves as a security advocate at AlienVault.