Jeanswest: Protecting the brand

Smart CIOs are making plans today to protect their customers, and their brands, from long-term damage tomorrow
Gartner ITL Systems Security and Risk team research director, Rob McMillan

In the same survey, 55 per cent of all respondents either had no breach disclosure process in place or, worse, hadn’t even thought about it.

“What that tells us is that somewhere between 43 and 55 per cent of respondents know they could have a breach but have done no planning around that possibility,” he says.

The single biggest lesson for CIOs, therefore, is to start making plans now for what to do when a breach occurs.

“Don’t ignore the possibility of something going wrong,” McMillan says.

“If you know your organisation is at risk but choose to do nothing, it is going to be very difficult to explain to customers, shareholders and regulators — or to a court.”

The first two steps of any data breach plan are pretty straightforward, McMillan says. First, identify the source of the breach. Second, re-establish the integrity of your IT and communications systems, because you will rely on them greatly in the days to come. After that, mitigation plans depend very much on the type of incident that occurs.

McMillan recommends CIOs formulate several plans to respond to different situations. If the breach occurred through a Web-based application, for example, you’ll want to fix the application, ascertain exactly what data was compromised and advise those affected — most likely to tell them to monitor their credit reference files closely.

On the other hand, if no personally identifying information has been compromised and the only thing stolen is intellectual property, chances are there is an insurance claim to get underway. If there are signs of illegal activity, such as somebody using your website as a drop site for illegal material, it’s probably time to call the police.

As Jeanswest’s example shows, if you do have to alert other parties that your systems have been compromised, the best policy is to be prompt and truthful with your messages.

“Be honest with them,” McMillan says.

“Don’t underplay it, but don’t overplay it either. Tell people exactly what happened and give them some idea of what they need to do to protect themselves.”

When it comes to contacting affected parties, McMillan advises organisations to take a cue from well-run rail services, like the London Underground, which inform people when and why a train is running late.

“People tend to deal with bad news better if they’re told about it honestly,” McMillan says.

“When there’s a sensible reason as to why an event happened, people are more likely to understand and accept it.”

It also helps to offer assistance in whatever way you can. Here, McMillan cites the case of breaches in the US where organisations have offered to pay for extra monitoring of credit reference files.

“What you don’t want is for the first time a customer learns about the problem to be when something bad happens to them,” he says.

“You also want to avoid getting a reputation for being hard to reach or avoiding questions after the incident has occurred.”

According to the UNSW Cyberspace Law and Policy Centre’s Vaile, the recent Sony PlayStation Network hack is a prime example of what not to do. When users first had trouble signing in to the service the company offered no explanation why, then waited five days before coming clean with customers about what caused the outage.

“For a long time Sony failed to pass on information and be as frank as possible, and that has left people thinking the company can’t be trusted when something goes wrong,” Vaile says.

Speaking with the privacy commissioner is another option that organisations should consider. In Australia, voluntary disclosure breach guidelines were issued by the former Privacy Commissioner which, while not mandatory, still provide a useful starting point for any organisation that suffers a breach.

“There might not be a mandatory disclosure scheme in Australia, but you can definitely help to limit damage to your brand by being seen to work co-operatively with the authorities,” McMillan says.

“Remember, it’s not just about the direct effect a breach has on your business, your shareholders and your customers — it’s also about the long-term effects this kind of incident can have on your brand,” he says.

“If you handle a breach promptly and correctly, hopefully your customers will forget about it quickly. But handle it wrongly, and your brand could have a ‘whiff’ about it for years to come.”
