Welcome to the SecAware blog

I spy with my beady eye ...

28 Jan 2020

NBlog Jan 28 - woe betide ...

... any organization unfortunate enough to suffer a privacy breach today, of all days, being "Data Privacy Day".

In the unlikely event that there are no new ones today, recent newsworthy breaches are liable to be trawled up and paraded across the media, again. 

I've been writing about preparing to deal with malware incidents all this month. Managing or controlling the publicity aspects is trickier than it may appear. Sony pulled a master stroke in getting its legal team to threaten action against journalists who continued to exploit the tittle-tattle disclosed in the Sony Pictures Entertainment breach five years ago - but that's not a universally applicable approach. Travelex did well to get basic, static web pages published quickly, plus a talking-heads video explanation/apology by the CEO ... but ask their retail customers whether they feel 'informed', while the promised restoration of services is patently taking longer than anyone (except perhaps the cybercrims behind the attack) wants.

Blend in the compliance aspects as well for good measure. I suspect British Airways and Marriott International, for instance, would have much preferred to take their corporal punishment under GDPR in private, rather than baring their bottoms on News At Ten.

There's a fine line between their being directly blamed for causing the incidents, and being blamed for failing to prevent them - a line which Public Relations teams might do well to consider. The real culprits here are the cunning VXers, hackers and cybercrims, rather than their targets. Defending all points at once is undoubtedly much tougher than exploiting one or more vulnerabilities. It's not a fair fight! Too bad: that's how it is ... but maybe it wouldn't hurt to explain that.

By the way, the issues multiply when you take into account the wide range of people and organizations who want to know and/or should be kept informed. Take employees, for instance: when the screens go dark in any IT-enabled organization, workers are left wandering and wondering. What can management say to explain the situation and reassure people? How can they even get their calming messages out if the comms are down? Same thing with suppliers, customers, partners, owners and authorities. This is where preparing for serious malware incidents makes good business sense. It sure beats leaving them all wandering and wondering!

(Some) IT, comms and information services are bound to degrade in and following an incident, but it takes deliberate effort to ensure they degrade gracefully, with dignity, rather than collapsing into a blubbering, smouldering heap.

Meanwhile, deep down in the engine room, are the IT pros frantically running in circles tearing their remaining hair out, or systematically following a tried and tested process for halting the incident, maintaining resilient services, restoring others and gathering the forensic evidence that might one day be necessary to prosecute the offenders? Again, preparation is key, especially when "time is of the essence" (which is always!).

If the lights go out before anyone has thought to get a torch, good luck with your fumbling.
