{"id":1888,"date":"2025-02-11T17:38:58","date_gmt":"2025-02-11T17:38:58","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1888"},"modified":"2025-02-11T17:38:58","modified_gmt":"2025-02-11T17:38:58","slug":"how-to-communicate-clearly-and-legally-during-a-cybersecurity-crisis","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1888","title":{"rendered":"How to communicate clearly (and legally) during a cybersecurity crisis"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>What do a CISO handling a data breach and a 10-year-old who just accidentally broke his neighbor\u2019s window have in common? Each has a difficult choice about what to communicate next \u2013 and how. As more and more enterprise leaders are learning, a failure to communicate honestly and own your mistakes could come back to bite you later.<\/p>\n<p>Uber knows this all too well.<\/p>\n<p>In October 2022, a federal jury\u00a0<a href=\"https:\/\/www.justice.gov\/usao-ndca\/pr\/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach\" target=\"_blank\" rel=\"noopener\">convicted<\/a>\u00a0Joe Sullivan, the company\u2019s former chief security officer, of obstructing a Federal Trade Commission investigation and concealing a felony for covering up a 2016 hack in which thieves stole data on approximately 57 million riders and drivers. Sullivan orchestrated a $100,000 bitcoin payment to keep the hackers quiet, then hid the hack from the FTC, other external stakeholders and Uber\u2019s new management, the U.S. Department of Justice said.<\/p>\n<p><strong>Communicate early and often<\/strong><\/p>\n<p>While few companies go as far as a criminal cover-up, many will try to duck the consequences. 
It\u2019s a dangerous game, says Jon Collins, VP of research at analyst company GigaOm.<\/p>\n<p>\u201cEvery risk is a business risk,\u201d he says, adding that cover-ups show a lack of joined-up thinking. \u201cThat happens because they\u2019re seeing it from a security perspective, but the cover-up is also a risk. And the way that you mitigate against it, from a business perspective, is to fess up really quickly.\u201d<\/p>\n<p>Sometimes, tardiness\u00a0stems from a lack of preparedness. At a Wall Street Journal event in late November, Todd McKinnon, co-founder and chief executive of identity authentication company Okta, voiced regret over its handling of a cybersecurity incident in 2022.<\/p>\n<p>The attack on one of Okta\u2019s vendors, Sitel, occurred in January, but Okta only admitted the incident in March after the Lapsus$ hacking group went public with the details on its own Telegram account, including screenshots of compromised systems.<\/p>\n<p>Okta\u2019s chief security officer David Bradbury (no relation to this reporter) responded by stating that customers did not need to take any corrective action. However, Lapsus$ continued to taunt the company online by warning that its customers were the target, and customers went public with their frustration at the lack of clarity (or, in some cases, at the lack of any direct communication from Okta at all).<\/p>\n<p>Okta then revealed that 366 customers might have been affected by the attack, and Bradbury pointed the finger at Sitel. 
\u201cI am greatly disappointed by the long period of time that transpired between our initial notification to Sitel in January and the issuance of the complete investigation report just hours ago,\u201d he\u00a0<a href=\"https:\/\/www.wsj.com\/articles\/okta-under-fire-over-handling-of-security-incident-11648072805?mod=article_inline\" target=\"_blank\" rel=\"noopener\">reportedly said<\/a>, but he also later admitted that the company should have moved more quickly to communicate after getting that report.<\/p>\n<p>\u201cIt\u2019s hard to be upfront about things, especially when you don\u2019t have all of the information,\u201d says Jenai Marinkovic, CISO at Tiro Security and member of ISACA\u2019s Emerging Trends Working Group. But that shouldn\u2019t stop companies from assessing which information is reliable enough to share and being transparent with it, even if they must fill in the blanks later as their investigation progresses. Just explain what you initially know and communicate what you\u2019re going to do next, she advises. \u201cThe world tends to be pretty forgiving if you\u2019re upfront about things, so getting the right message out as quickly as possible as soon as you can is key.\u201d<\/p>\n<p><strong>Robust communication relies on a robust risk assessment<\/strong><\/p>\n<p>But once you\u2019ve resolved to communicate a cybersecurity incident rather than ignore it or sweep it under the carpet, how does that confession work? 
Begin with a solid\u00a0<a href=\"https:\/\/www.tanium.com\/risk-assessment?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=incidentresp&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\" target=\"_blank\" rel=\"noopener\">risk assessment<\/a>, says Marinkovic.<\/p>\n<p>Communication is an intrinsic part of a broader cyber-incident\u00a0<a href=\"https:\/\/www.tanium.com\/blog\/what-cisas-incident-response-playbooks-mean-for-cisos\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=incidentresp&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\" target=\"_blank\" rel=\"noopener\">response playbook<\/a>\u00a0that should be tailored to cope with different threats. You might react and communicate differently in a DDoS or\u00a0<a href=\"https:\/\/www.tanium.com\/resources\/ultimate-guide-to-ransomware-defense\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=incidentresp&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\" target=\"_blank\" rel=\"noopener\">ransomware<\/a>\u00a0than in a theft-of-information situation that puts customers at financial risk.<\/p>\n<p>\u201cYour risk assessment should have identified the most likely types of breach, threat actors, and processes that it impacts, along with all of the downstream people that are impacted,\u201d she says. \u201cSo, if you do a risk assessment appropriately, that should feed into your communications plan.\u201d<\/p>\n<p>From there, you need to communicate only accurate information. 
That means walking a fine line between communicating early so that you appear in control of the situation while also being sure of your facts, says Paul Watts, distinguished analyst at the Information Security Forum.<\/p>\n<p>\u201cThat can sometimes be an issue if you think you need to get that preemptive strike out, and then you realize that the circumstances of the incident are either better or worse, meaning that you\u2019ve got to reposition yourself,\u201d he says.<\/p>\n<p>Nothing destroys confidence more quickly during a data breach than inconsistent information. UK telecommunications company TalkTalk drew criticism after publishing apparently contradictory statements over customer data theft in 2015, which had UK police scratching their heads along with customers.<\/p>\n<p>Consistent communication means talking closely and frequently with engineers and IT staff. They\u2019ll help you sort known facts from developing theories so that you can communicate only what you\u2019re certain of.<\/p>\n<p><strong>Bridging the language gap<\/strong><\/p>\n<p>Talking with engineers is a good example of where a multi-disciplinary approach is vital, says Marinkovic. Translating engineer-ese into something that customers can understand might be difficult for internal communications professionals without a technical background. It takes persistent, incisive questioning to harvest relevant facts that can be relayed to regulators and affected stakeholders.<\/p>\n<p>\u201cYour GRC [<a href=\"https:\/\/www.tanium.com\/blog\/good-cyber-governance-starts-with-a-solid-board-structure\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=incidentresp&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\" target=\"_blank\" rel=\"noopener\">governance<\/a>, risk, and compliance] team understands controls and tends to be more experienced at translating tech for the business,\u201d she says. 
They should be in the room when crafting external communications strategies.<\/p>\n<p><strong>Watch for leaks<\/strong><\/p>\n<p>Ensuring a single external communication channel is critical, says Watts, who warns organizations to beware of internal leaks. It is vital to train employees in what they can and cannot say during an incident. \u201cOtherwise that creates opportunities for performance and accidental disclosure, which can then cut across the grain of a formal communication strategy that you may have,\u201d he warns.<\/p>\n<p>Inappropriate communication doesn\u2019t just mean conversations with journalists. If a company\u2019s attacker has a Twitter account, it might be tempting for intrigued employees to follow them from a personal account. Even that can increase the organization\u2019s attack surface and create problems for the internal security team, Marinkovic says.<\/p>\n<p>Victims of a data breach often bring in third-party forensics experts to help trace and fix the problem. Sourcing professional communicators versed in cyber-crisis scenarios can be just as valuable, say experts.<\/p>\n<p>\u201cEngaging the right PR firm helps you to put that message in a way that\u2019s authentic,\u201d Marinkovic says. No one wants to hear how important their data is to you after a thief just plastered it all over the dark web. 
Instead, a clear, businesslike account of what happened and what you\u2019re doing to fix it is the best way forward\u2014and a little genuine humility wouldn\u2019t hurt.<\/p>\n<p><a href=\"https:\/\/www.tanium.com\/platform?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=brand&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\" target=\"_blank\" rel=\"noopener\">Learn how to protect your business-critical endpoints and cloud workloads with the Tanium platform.<\/a><\/p>\n<p><em>This article was written by Danny Bradbury and\u00a0originally appeared in\u00a0<\/em><a href=\"https:\/\/www.tanium.com\/p\/focal-point\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=incidentresp&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\" target=\"_blank\" rel=\"noopener\"><em>Focal Point<\/em><\/a><em>\u00a0magazine.<\/em><\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>What do a CISO handling a data breach and a 10-year-old who just accidentally broke his neighbor\u2019s window have in common? Each has a difficult choice about what to communicate next \u2013 and how. 
As more and more enterprise leaders are learning, a failure to communicate honestly and own your mistakes could come back to [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1889,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1888","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1888"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1888"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1888\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1889"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1888"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1888"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1888"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}