What do a CISO handling a data breach and a 10-year-old who just accidentally broke his neighbor’s window have in common? Each has a difficult choice about what to communicate next, and how. As more and more enterprise leaders are learning, a failure to communicate honestly and own your mistakes could come back to bite you later.
Uber knows this all too well.
Last October the U.S. Department of Justice convicted Joe Sullivan, the company’s former chief of security, for lying about a 2016 hack where thieves stole data on approximately 57 million customers. Sullivan orchestrated a $100,000 bitcoin payment to keep the hackers quiet, subsequently hiding the hack from external stakeholders and Uber’s new management, the Department said.
The hackers pleaded guilty in 2019, and at the time of this writing Sullivan is awaiting sentencing that could see him face up to eight years in jail.
Communicate early and often
While few companies go as far as a criminal cover-up, many will try to duck the consequences. It’s a dangerous game, says Jon Collins, VP of research at analyst company GigaOm.
“Every risk is a business risk,” he says, adding that cover-ups show a lack of joined-up thinking. “That happens because they’re seeing it from a security perspective and not from a risk perspective, but the cover-up is also a risk. And the way that you mitigate against it, from a business perspective, is to ’fess up really quickly.”
Sometimes, tardy and unclear communication stems from a lack of preparedness. At a Wall Street Journal event in late November, Todd McKinnon, co-founder and chief executive of identity authentication company Okta, voiced regret over its handling of a cybersecurity incident in 2022.
The attack on one of Okta’s vendors, Sitel, occurred in January, but Okta only admitted the incident in March after the Lapsus$ hacking group went public with the details on its own Telegram account, including screenshots of compromised systems.
Okta’s chief security officer David Bradbury (no relation to this reporter) responded by stating that customers did not need to take any corrective action. However, Lapsus$ continued to taunt the company online by warning that its customers were the target, and customers went public with their frustration at the lack of clarity (or, in some cases, at the lack of any direct communication from Okta at all).
Okta then revealed that 366 customers might have been affected by the attack, and Bradbury pointed the finger at Sitel. “I am greatly disappointed by the long period of time that transpired between our initial notification to Sitel in January and the issuance of the complete investigation report just hours ago,” he reportedly said, but he also later admitted that the company should have moved more quickly to communicate after getting that report.
“It’s hard to be upfront about things, especially when you don’t have all of the information,” says Jenai Marinkovic, vCISO at Tiro Security and member of ISACA’s Emerging Trends Working Group. But that shouldn’t stop companies from assessing which information is reliable enough to share and being transparent with it, even if they must fill in the blanks later as their investigation progresses. Just explain what you initially know, and communicate what you’re going to do next, she advises. “The world tends to be pretty forgiving if you’re upfront about things, so getting the right message out as quickly as possible, as soon as you can, is key.”
Robust communication relies on a robust risk assessment
But once you’ve resolved to communicate a cybersecurity incident rather than ignore it or sweep it under the carpet, how does that confession work? Begin with a solid risk assessment, says Marinkovic.
Communication is an intrinsic part of a broader cyber-incident response playbook that should be tailored to cope with different threats. You might react and communicate differently in a DDoS or ransomware attack than in a theft-of-information situation that puts customers at financial risk.
“Your risk assessment should have identified the most likely types of breach, threat actors, and processes that it impacts, along with all of the downstream people that are impacted,” she says. “So if you do a risk assessment appropriately, that should feed into your communications plan.”
From there, you need to communicate only accurate information. That means walking a fine line between communicating early so that you appear in control of the situation while also being sure of your facts, says Paul Watts, distinguished analyst at the Information Security Forum.
“That can sometimes be an issue if you think you need to get that preemptive strike out, and then you realize that the circumstances of the incident are either better or worse, meaning that you’ve got to reposition yourself,” he says.
Nothing destroys confidence more quickly during a data breach than inconsistent information. UK telecommunications company TalkTalk drew criticism after publishing apparently contradictory statements over customer data theft in 2015, which had UK police scratching their heads along with customers.
Consistent communication means talking closely and frequently with engineers and IT staff. They’ll help you sort known facts from developing theories so that you can communicate only what you’re certain of.
Bridging the language gap
Talking with engineers is a good example of where a multi-disciplinary approach is vital, says Marinkovic. Translating engineer-ese into something that customers can understand might be difficult for internal communications professionals without a technical background. It takes persistent, incisive questioning to harvest relevant facts that can be relayed to regulators and affected stakeholders.
“Your GRC [governance, risk, and compliance] team understands controls and tends to be more experienced at translating tech for the business,” she says. They should be in the room when crafting external communications strategies.
Watch for leaks
Ensuring a single external communication channel is critical, says Watts, who warns organizations to beware of internal leaks. It is vital to train employees in what they can and cannot say during an incident. “Otherwise that creates opportunities for performance and accidental disclosure, which can then cut across the grain of a formal communication strategy that you may have,” he warns.
Inappropriate communication doesn’t just mean conversations with journalists. If a company’s attacker has a Twitter account, it might be tempting for intrigued employees to follow them from a personal account. Even that can increase the organization’s attack surface and create problems for the internal security team, Marinkovic says.
Victims of a data breach often bring in third-party forensics experts to help trace and fix the problem. Sourcing professional communicators versed in cyber-crisis scenarios can be just as valuable, say experts.
“Engaging the right PR firm helps you to put that message in a way that’s authentic,” Marinkovic says. No one wants to hear how important their data is to you after a thief just plastered it all over the dark web. Instead, a clear, businesslike account of what happened and what you’re doing to fix it is the best way forward—and a little genuine humility wouldn’t hurt.