The list of mega cyber breaches keeps growing: hundreds of millions of people have had their credit card data, Social Security numbers, email addresses and other personally identifiable information stolen by an expanding, increasingly sophisticated army of hackers.
Companies are on hyper-alert, but too often they are not considering the whole spectrum of preparation required, which must not only ward off attacks but, more important, deal with a breach once it has occurred. No company can always be three steps ahead of the hackers, but every company can take a comprehensive and timely approach to making the situation right once its customers have been victimized. How a company resolves a hack matters as much as how it protected against it, and the two together determine how that company is viewed post-breach by consumers, regulators, investors, employees and vendors.
Now that consumers have lived through myriad high-profile retail and financial institution breaches, they know the drill. They know that if they hear about a breach only months after it occurred, then something isn't right. Does that mean the company was unaware and the hackers were mucking around in its systems for weeks undetected? Or does it mean the company knew about the breach and used that time to stall, obfuscate or spin, rather than giving unsuspecting customers a heads-up? Either way, the gap between compromise and notification is now read as a verdict on the company.
Regulators also are insisting on better performance. In response to recent breaches, state attorneys general have been more active than ever in investigating whether corporate responses were adequate and timely. The Federal Trade Commission, the consumer's watchdog when it comes to commerce, has been working on what are expected to be tougher guidelines for data protection and preparedness, and most cybersecurity experts expect federal regulations that will consolidate the current patchwork of state notification and response requirements.
Are companies ready for the increased scrutiny?
Up until now, corporate breaches were considered the province of IT: Call in the chief information officer and let the techies go to work. Most of the money spent on cybersecurity to date has gone into system security, including prevention and detection of intrusions. The corporate risk calculus: If guaranteed prevention is impossible, the company can at least detect and contain a breach quickly enough to limit the damage.
When a breach occurs, IT departments focus on stopping the data theft, closing the hole the attackers used and making sure they left no other footholds and that the same weakness is not exploitable elsewhere. Yet the damage from a breach extends far beyond the theft of the information itself; it can affect a company's long-term reputation as a trusted organization.
A true cybersecurity plan has to be a coordinated, multidepartment blueprint that includes legal, human resources, public relations, investor relations, vendor relations and finance at a minimum, to deal with the customers, media, regulators, investors, insurance companies and plaintiffs' lawyers who inevitably come calling. What will you say? When will you say it? Who will say it? Do you have arrangements for a call center that can be mobilized rapidly to handle a flood of concerned customers? Are you prepared to provide credit monitoring and/or identity restoration services, and do you have systems in place to do so? Do you have a detailed, current response plan that has been rehearsed by the people actually responsible for executing it? Will all the functions work in concert? All of these things determine the ultimate hit on a company's standing in the community.
While recent mega breaches are providing consumers, regulators and the media a graduate course on how breaches play out, the question remains whether companies are learning the necessary lessons from them.