Breach Response Readiness Critical for Today’s Buyers
In today’s interconnected B2B world, a compromise of one company’s information often means that many other companies were, or still are, at risk as well. Supply chain security demands that we also know how to handle potential compromises of our vendors.
Many cybersecurity teams have an incident response plan that includes requirements for data breach notification, a crucial element in this climate of heightened supply chain awareness. When purchasing technology, buying organizations ensure that their vendors are prepared to respond if and when a breach occurs.
Here, we will provide insight into not only what companies are obligated to do when responding to a data breach, but what they ought to do in order to maintain customer trust – even in the wake of a security incident.
What is a Data Breach?
You may often hear the words “incident” and “breach” in blogs, articles, and company notifications to refer to various security events. There are, however, different meanings to these words. Here is NIST’s definition of a breach:
The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where: a person other than an authorized user accesses or potentially accesses personally identifiable information; or an authorized user accesses personally identifiable information for another (sic) than authorized purpose.
“Incident” is a more general term than “breach”: NIST says an “incident” is an event where the confidentiality, integrity, and/or availability of a company’s data was jeopardized.
Note how NIST mentions the potential loss of personally identifiable information (PII). Recent high-profile data breaches highlight how PII can be everything from names and email addresses (LinkedIn) to sensitive information like bank account and Social Security numbers (Equifax). When breaches strike, companies and forensic specialists may only be able to confirm that the data has been compromised; victim organizations may not know whether that data was simply viewed or actually exfiltrated.
Let’s take a look at how one company handled a data breach well and discuss helpful strategies that your company can put in place.
A Step-by-Step Lesson from Twilio
In August of 2022, Twilio fell victim to an SMS-based social engineering attack. Given Twilio’s large customer base, this was major news.
In response to the breach, the company published a blog post three days after the incident was confirmed. The blog post explained how the attack occurred, provided screenshots of the smishing lures used, and openly declared that a limited number of customers were impacted and that they were notifying those customers. The post also provided details about what they were doing to triage the breach and their approach for providing future updates.
Twilio continued to post updates for the following two months, at which point they gave a final update about incident resolution, complete with a background summary, findings, and a conclusive statement.
Three critical elements stand out about Twilio’s response to the breach:
A Timely – and Public – Response
Twilio posted publicly about the incident swiftly after the breach was confirmed. They not only handled the incident internally and worked quickly to notify impacted customers, but they also exhibited transparency by letting the rest of the world know what happened.
Providing a Comprehensive Explanation
Second, their public response set the scene for what happened. Twilio recognized that customers, whether they were impacted or not, would want to know what happened, when, why, and how. They also made sure to indicate that impacted customers were being notified as a measure of reassurance and acknowledgement that efforts were ongoing.
Demonstrating Clear Follow-Through
Finally, they let customers know what they had done to take action and that their investigation and work was not yet completed. They even went so far as to assure their customers:
“Trust is paramount at Twilio, and, we know the security of our systems is an important part of earning and keeping your trust. We sincerely apologize that this happened. While we maintain a well-staffed security team using modern and sophisticated threat detection and deterrence measures, it pains us to have to write this note. We will of course perform an extensive post-mortem on this incident and begin instituting betterments to address the root causes of the compromise immediately. We thank you for your business, and are here to help impacted customers in every way possible.”
While incident response and management is often seen as a behind-the-scenes process, the quote above is an example of how a company can proactively assure customers that it is taking appropriate action and is capable of doing so. This conclusion to their initial write-up injected humility into the response, allowing them to apologize, thank customers for their business, and let people know that they were there to help.
Prioritizing Transparency When a Third-Party is Breached
With the interdependencies among today’s companies, breaches impact more than just the victim organization. Other companies can be impacted downstream, as we’ve seen recently with the breach of Okta’s customer support system. When an attacker gained access to Okta’s support system via stolen credentials, companies around the world looked to assure their customers that they were unaffected.
Password management platform 1Password was one such organization. In a short blog post, 1Password’s CTO, Pedro Canahuati, shared how they had “detected suspicious activity on our Okta instance related to their Support System incident.”
In a display of transparency and proactivity, the company:
- Offered reassurance that incidents have been handled
- Confirmed that their internal incident was linked directly to the attack on Okta’s system
- Gave readers room to explore more details on their own
At SafeBase, we’ve seen customers leverage Trust Center Updates to reach out to their own customer base regarding this incident within Okta and other noteworthy incidents.
Steps to Take
Having future-focused conversations about how you will respond to a breach, and reflecting on those potentially untested processes, can be fruitful and allow for a more tactical, targeted response should the time come. Jurisdictions across the world have enacted varying degrees of legislation mandating what companies must disclose, with harsh penalties should a company be found in violation of such laws. This means that organizations must know where their customers and/or users are located so that they can comply with any applicable regulations or legal requirements.
Clarity is of utmost importance when communicating in the aftermath of a breach. Colleagues and customers alike will all have questions – rightfully so. How you address those questions, and how you anticipate them, matters.
Learning from Twilio’s approach, here are some basic steps you can take with your company’s breach communication strategy:
- Set the scene – Who? What? When? Where? These are all questions you should address, especially the “Who?” Let customers know if they should have been contacted or if you are still reaching out to those impacted. The more clearly you articulate the scope of known impact, the less likely your customers will worry.
- Offer attack details – You will no doubt be collecting details and evidence as you progress through your investigation. It comes down to transparency: Share details of the attack. Share screenshots. Be stewards of the security community and let people know what to watch out for. Paint the picture of the attack in a way that informs and educates.
- Own what happened – Take responsibility. Breach response is not the time for blaming other groups. Let customers know exactly what led to the attack’s success and how you are taking action to mitigate future attempts. Acknowledge any missteps honestly.
- Demonstrate proactivity – Security professionals know that recovering from an incident, especially a confirmed data breach, takes time and loads of effort; the work is not finished overnight. Explain what you will do, share how you will continue to stay abreast of the situation, and exhibit proactivity by anticipating what customers may ask.
In general, embrace transparency to nurture trust.
Data breaches are often the darkest days for security teams and the organizations they work for. Each company’s team wants to be prepared to execute technically, organizationally, and communicatively. This is what you expect from your own department and should be what’s expected from any third-party vendors or business partners.
A popular saying among security professionals is that major security incidents or data breaches are “not a matter of if, but when.” When all the chips are down, do you know how your company will act?