In February, Australia joined several other countries with legislation requiring companies to report to regulators and affected stakeholders any data breach that poses a risk of serious harm to Australians.
Experience overseas shows that affected organisations are judged as much on the effectiveness of their response as on the severity of the event.
Building on our own experiences and analysis of public responses, we’ve outlined six key principles of a strong response to a cyber security incident.
Empathy: The guiding principle for any response must be to understand the harm caused for your customers or staff and to respond with empathy and caring.
Accountability: Under public pressure, the temptation to point the finger at others is strong. However, the shortest path for an organisation to restore trust following an incident is to accept full responsibility.
Responsiveness: This is broader than notification and public disclosure. Responsiveness must reflect a general sense of urgency to minimise customer harm.
Accuracy: Avoid the temptation to speculate about impact, scope or root cause before all facts are known. Our analysis suggests the best course of action when public disclosure is deemed necessary is to focus on customer concerns in any initial statement, along with a commitment to issuing regular updates as facts are verified.
Transparency: Statements that are vague, seek to obscure or use legalese will only exacerbate the problem. Transparency is preferable.
Competence: Once an incident is disclosed and publicly known, media stories provide an opportunity to rebuild trust by demonstrating your competence. Consider making your Chief Information Security Officer or other subject matter experts available for comment to reflect security expertise in media coverage.
The latest issue of Signals studies the impact of public responses to data breaches by six organisations, including Anthem Healthcare, Equifax, Hilton Hotels, Home Depot, Hyatt Hotels and Target.
*This is an excerpt from an article that was originally published in Signals, our quarterly summary of the cyber security landscape.