In analyzing the top breaches over the past few years, executives make a set of common mistakes, which is surprising given that so many companies, often led by otherwise effective leaders, fail to learn from the botched responses and mishandled situations of the companies that were breached before them.
Here are the missteps executives make time and again, and advice for avoiding these pitfalls:
The longer companies wait to notify their customers, the greater the chance criminals will be able to use stolen data. While Equifax got blasted for taking nearly six weeks to disclose its breach, at least it didn’t wait until the stolen data was being sold on the dark web to go public with the news. Target didn’t comment on their breach until nearly a week after it was reported by security blogger Brian Krebs. More recently, it came to light that the SEC waited a full year before disclosing information
Executives today must operate under the assumption that they will experience a cyber incident that will require them to notify their customers, investors, and regulators. The immediate emotional response may be to wait until all the details are available and carefully messaged, but it is negligent to withhold information that could help people keep their data and finances safe. The best way to assure executives and their communications teams respond to breaches quickly is to have a well-oiled incident response plan in place. It appears Whole Foods had a plan in place as the company reported its most recent breach five days after detection.
A federal breach notification law mandating quicker response times would also better serve citizens who are now at the mercy of a patchwork of state laws that have limits ranging from 15 days to 90 days if they have limits at all. By contrast, an EU law taking effect next year as part of the incoming GDPR (General Data Protection Regulation) gives companies 72 hours.
Poor customer service
In 2016, Yahoo CEO Marissa Mayer failed to take a basic step that could have quickly protected customers whose accounts were exposed in a breach that occurred two years prior: automatically reset all user passwords. This would have immediately blocked criminals from getting into those accounts, but Mayer reportedly declined to do it because it would have forced all users to create new passwords, and she was worried that they would be annoyed and drop Yahoo.
After its breach, Equifax originally offered customers free credit reporting for one year if they waived their rights to sue. In addition, Equifax tried to profit from its mistake by charging people who wanted to freeze their reports as an added layer of protection. The company soon dropped this condition, extended free credit reporting for life and waived the credit freeze fees, but by that time, the reputational damage had been done.
Not being transparent
Being open in the aftermath of a breach is the thing executives are able to control — but more often than not, they evade the truth. Transparency is a cornerstone of rebuilding trust in the brand.
In spite of its many other breach response blunders, Equifax was fairly diligent in keeping the public updated on information related to its breach. In addition to distributing a press release and posting a video to their site on Sept. 7, Equifax created a dedicated website for breach-related news that was updated five times in the week following. However, on multiple occasions, the company’s official Twitter account directed customers to a fake phishing site. The official site had multiple technical difficulties, and when it was available, the site required people to verify their identity with the last six digits of their social security numbers — providing precisely the kind of personal information that was hacked in the first place.
Sony handled its PlayStation Network (PSN) breach even worse. After discovering the network intrusion, Sony shut it down but didn’t say anything about being breached until two days later. Details about the incident trickled out haphazardly over the following weeks and advice to customers was muddled.
It’s okay to say “we don’t know at this time.” Being honest and authentic, and providing clear and frequent updates, will earn trust from customers who just want to be leveled with.
Failing to accept accountability
A massive breach is not an individual error or a technology failure — it’s an organizational breakdown that is the responsibility of the top executive. It might not be a surprise that top executives don’t typically see it that way. A study from risk management firm Stroz Friedberg found that just 45% of senior leaders believe they are responsible for protecting their companies against cyber attacks.
It took 11 days after the Sony breach for any executives to apologize for the breach and 26 days for Sony Chairman Howard Stringer to do so publicly. Equifax CEO Richard Smith initially showed humility and accountability in the immediate aftermath of the company’s breach, saying in a video: “I deeply regret this incident and I apologize to every affected consumer and all of our partners.” But after he was forced to resign, Smith blamed an employee for failing to take basic security measures in his testimony before a U.S. House committee.