Data breaches come with a hefty price tag – from IT costs to notification expenses, insurance premiums and operational down time, organizations are very often faced with a financial crisis that can take years to overcome. Shaken consumer confidence only amplifies the hurt.
When Equifax announced that they had suffered a data breach in 2017 (along with the fact that the personal information of more than 147 million customers had been compromised) the public was rightfully enraged. They had trusted the consumer credit agency to protect their data and it was shocking to see a well-known enterprise fail – and on such a massive scale.
Immediately following the incident, a YouGov survey showed that Equifax’s public perception took a serious hit, not to mention an 18% loss in stock price. At the time, the company’s Buzz Metric fell to negative 34 – meaning most people had only heard adverse things about the company.
According to some reports, the fallout was so bad, it even negatively affected the perceptions of other credit rating agencies such as Experian and TransUnion despite the fact they were never breached. As a result of a growing trend around mega breaches like Equifax, Moody’s announced a new rating to evaluate the cyber risk of a company.
Over the last year, Equifax has worked to regain the trust of the American people and their efforts are starting to pay off. Last month, Equifax’s public opinion metric was around negative 2 – about where it was pre-breach. How did they orchestrate such a turnaround despite some very public pitfalls along the way? Good, timely communication.
Immediately following the breach news, Equifax CEO Richard Smith issued an official apology and then stepped down. The new, interim CEO then made a series of additional apologies and introduced a free, self-service portal that gives customers more control over their own data, though that too has had its own set of issues that the company has also had to remediate. With last week’s House Oversight Committee report that called the Equifax breach ‘preventable,’ the company’s leadership team again has more damage control to do.
From Home Depot to Nordstrom and countless other data breaches, post mortems often show quick, transparent communication is a key ingredient in maintaining credibility and rebuilding trust in the eyes of stakeholders.
For Equifax and other companies who must deal with the fallout of a data breach, the NIST Cybersecurity Framework can be a guide to response best practices. It was designed to safeguard organizations and the data they hold with 5 pillars: identify, protect, detect, respond and recover. The fourth, Respond, outlines the implementation of three required elements for an effective data breach response:
While recovering from a data breach can mean months – sometimes years – worth of work, responding with clear communication, an incident response plan and post event analysis can help an organization get back to business.
For more on how to use the fourth pillar, Respond, watch this video below. And you while you’re at it, watch and subscribe to our full Cybersecurity Insights video series on YouTube.
Hi! Josh here from Absolute. Today’s video is all about the Respond pillar of the NIST Cybersecurity Framework.
Think of the term ‘efficient’ as doing things right, while ‘effective’ should be thought of as doing the right things. We need both. And nestled inside this section are focus areas for improving effectiveness and efficiency.
It starts with Response Planning.
I know, I know. The famous quote from Mike Tyson: “Everyone has a plan until they get punched in the face”. But when you think about it, even world champion boxers will train, simulate, and spar to plan for what happens after the punch.
A good place to start your response planning is to return to the five questions: What could happen? What should happen? What would happen? What is happening? What did happen? Each of these questions demands answers; and those answers become the foundation of the response plan.
Next is Communication.
Marketing and advertising teams will often lean on ‘style guides’ to have consistent tone, voice, and terminology for any outbound communications.
It was only when I saw this same style implemented by IT and security teams that I realized good ideas are not imprisoned in the place of birth.
Then comes, Analysis. A detailed examination of something; leading to interpretation and sharing. That’s the definition of analysis. We’ll talk more about root-causes and forensics in the next episode. For now, to win at the NIST framework, and response effectively, we need to direct analysis toward recover. Which is the effect we’re going for in the first place, so... effectiveness.
This helps to prevent the incident expansion, and mitigate its effects. Because if we analyze where something is, and where it is going, we can stop it dead it its tracks.
Finally... NIST call for us to eradicate the incident. Returning resources back to a state of cyber hygiene.
These are just some of NIST’s timely advisories to level-up incident response. When you plan, communicate, analyze, and mitigate you naturally improve, in both, effectiveness and efficiency.
Happy holidays everyone. We’ll see you again after the calendar rolls over into 2019 where we will wrap up with the final pillar of NIST.