Crisis calls: three rules when a breach comes knocking
Why CISOs must turn to crisis management strategy to repair a reputation after a data breach. Here are three essential rules…
Another week goes by and yet another big breach. This time, it is the turn of Prestige Software, a hotel reservation platform used by Hotels.com, Booking.com and Expedia. The software company left data belonging to millions of guests exposed on a misconfigured Amazon Web Services (AWS) S3 bucket.
The exposed records included sensitive personally identifiable information (PII): names, email addresses, national ID numbers, phone numbers, reservation details and full credit card data, including CVV and expiration date. (PCI DSS prohibits storing the CVV after authorisation, so the presence of that field in the records is a finding in its own right, separate from the bucket misconfiguration.) Security teams are left to fix the holes.
But the bigger, longer-term problem can be repairing the organisation's reputation. Crisis management is essential to ensuring a business can continue to trade on its standing, even after that standing has taken a hit.
Beyond fixing the infrastructure and protecting against future intrusions, what do companies and CISOs need to do to repair brand damage? And how best can they communicate this, internally and externally?
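The root cause named above is a misconfigured S3 bucket, so here is the check a security team would run while "fixing the holes". This is an added example, not code from the original article or from Prestige Software: it evaluates the three settings that make an S3 bucket world-readable (the Public Access Block, the bucket policy and the bucket ACL) using the data shapes the AWS S3 API returns for `get_public_access_block`, `get_bucket_policy` and `get_bucket_acl`. The bucket names, account ID, role name and the exposed/hardened configurations are constructed for illustration; an audit would feed in live API output instead.

```python
import json

# The four flags S3 exposes under PublicAccessBlockConfiguration. All four
# should be True on any bucket that holds customer data.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls",
    "BlockPublicPolicy", "RestrictPublicBuckets",
)

# ACL grantee URIs that mean "everyone" / "any AWS account holder".
PUBLIC_ACL_GROUPS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*" or (isinstance(aws, list) and "*" in aws):
            return True
    return False


def public_policy_statements(policy):
    """Return the Allow statements in a bucket policy that apply to everyone.

    A wildcard principal with a Condition (e.g. aws:SourceVpce) is not treated
    as public here; review such statements by hand instead.
    """
    if isinstance(policy, str):          # get_bucket_policy returns a JSON string
        policy = json.loads(policy)
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be un-listed
        stmts = [stmts]
    return [
        s for s in stmts
        if s.get("Effect") == "Allow"
        and _principal_is_public(s.get("Principal"))
        and "Condition" not in s
    ]


def assess_bucket(name, public_access_block, policy, acl_grants):
    """Return a list of human-readable findings; an empty list means no public exposure found."""
    findings = []
    pab = public_access_block or {}      # a bucket with no PAB at all is the worst case
    off = [k for k in PUBLIC_ACCESS_BLOCK_KEYS if not pab.get(k, False)]
    if off:
        findings.append(f"{name}: public access block not fully enabled (off: {', '.join(off)})")
    if policy:
        for s in public_policy_statements(policy):
            findings.append(f"{name}: bucket policy allows {s.get('Action')} to everyone (Sid={s.get('Sid', '?')})")
    for g in acl_grants or []:
        uri = g.get("Grantee", {}).get("URI", "")
        if uri in PUBLIC_ACL_GROUPS:
            findings.append(f"{name}: ACL grants {g.get('Permission')} to {uri.rsplit('/', 1)[-1]}")
    return findings


# --- Constructed sample input (not real buckets) ---------------------------
# The weak configuration: everything off, public-read policy, AllUsers ACL.
EXPOSED_PAB = {k: False for k in PUBLIC_ACCESS_BLOCK_KEYS}
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::exposed-bucket/*"}],
})
EXPOSED_ACL = [{"Grantee": {"Type": "Group", "URI": PUBLIC_ACL_GROUPS[0]}, "Permission": "READ"}]

# The corrected configuration: PAB fully on, access limited to one application
# role (hypothetical account/role), TLS enforced, owner-only ACL.
HARDENED_PAB = {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS}
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/reservations-app"},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::hardened-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::hardened-bucket", "arn:aws:s3:::hardened-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})
HARDENED_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}]


if __name__ == "__main__":
    for name, pab, pol, acl in (("exposed-bucket", EXPOSED_PAB, EXPOSED_POLICY, EXPOSED_ACL),
                                ("hardened-bucket", HARDENED_PAB, HARDENED_POLICY, HARDENED_ACL)):
        for line in assess_bucket(name, pab, pol, acl) or [f"{name}: no public exposure found"]:
            print(line)
```

Run against the exposed configuration the check reports three findings (all four block flags off, a public-read policy statement, and an AllUsers ACL grant); the hardened configuration reports none, because the `Deny` statement with a wildcard principal is not an Allow and is therefore not counted as public. A wildcard `Allow` that carries a `Condition` is deliberately left for manual review rather than auto-passed.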
1 Get the sticky plaster down – fast
Elena Davidson, CEO at PR firm Liberty Communications, said that in addition to alerting the ICO within 72 hours of the incident’s discovery, you need to alert customers and issue a media statement: “The media are an important, trusted source of information to the public. Ensuring they are equipped with the right information to report on the incident knowledgeably is key.
“The first step is a sensitive, well-crafted statement issued quickly from the CEO. Ideally, work on this should have started well before the incident occurs. Most companies now have a crisis comms plan in place and these are critical to help you stay in control, show concern about customers’ privacy and outline your commitment to helping prevent future attacks.”
2 Crash test crisis: prepare to fail
Chris Bates, CISO at SentinelOne, told SC Media UK that managing a crisis starts before a crisis hits. It is essential to have a predefined plan: “Bring in experts in incident response and crisis management as soon as possible. It is imperative to communicate the situation promptly and openly with the board, employees, customers and the media.
“Organisations that react quickly, honestly and transparently usually receive the support of all these factions, and the mistakes (if there were any) are often quickly forgiven.”
3 Assess your risk AND your customers’ risk
The CEO and C-level executives need to understand the nature of the threats the organisation faces. According to Bates, there are plenty of tools available for risk assessment, including industry benchmarks, recommendations from government and law enforcement agencies, and threat intelligence feeds. “The risk assessment should also include regulatory and commercial risks such as reputation loss due to cyber attack.”
Georgina Blizzard, co-founder of The PR Network, told SC Media UK that aside from the embarrassment, and the necessary review of any failings, any cybersecurity or indeed physical security provider that is caught napping will have to work hard to restore trust.
In B2B, businesses tend to have longer memories than consumers. Then there are the customers’ own reputations, which the breach might also have compromised: “In the case of the Prestige software breach, if I am a Booking.com customer and my credit card details are out in the open and being exploited, there is a strong risk of damage to my reputation.”
“I did not create the issue, but I may have to solve it. For example, explaining fraudulent purchases to my credit card provider and ensuring there is no impact on my credit rating. Preparing for this largely comes down to an increased awareness of the risks associated with new methods of buying goods and maintaining a healthy dose of caution.”