I’ve noticed some pretty worrying trends lately in the way organisations handle security incidents. There’s actually two discrete things here and I want to call them out separately then talk about a recent positive experience:
Firstly, there’s the coverup of data breaches. There’s really no way to sugar-coat that term because that’s precisely what’s happening: an organisation has a breach, they know about it but they elect not to notify impacted customers. No, they don’t always have a legal obligation to do so but yes, their customers are (understandably) cranky if they don’t.
Secondly, there’s misleading behaviour for the sole purpose of minimising the damage to the organisation. This is often compromised of downplaying the risk, not disclosing the extent of the incident or in some cases, downright lying about what data was actually impacted.
In both these cases, I imagine there are many people in suits in meeting rooms and on phone calls from the legal and PR departments. (Actually, I know there are because I know technical people who’ve been in those meetings palming their faces!) The priority in these cases is obviously protecting the business rather than informing the customer and clearly, I (and I dare day most people) take a pretty dim view of that. But I also don’t think that’s the entire story either.
For most companies, data breaches are foreign territory. They haven’t experienced them before nor have they ever considered how they’d deal with one if it happened. I got to thinking about this just today when reading about how Avanti Markets disclosed their incident and in particular, this statement by Mathew Schwartz, the journalist who wrote the piece:
“The only way to effectively respond to a breach remains planning and practicing ahead”
It’s worth a glance Avanti’s Data Incident FAQ’s page if for no other reason than to get a sense of how much effort they’ve clearly invested into the preparation. They’re detailed yet also clear and concise. It feels transparent and provides actionable steps that have been updated as new information has come to light. There’s a large notice on their website (it’s “above the fold” too) plus multiple tweets advising users of the incident. It’s immediately clear that Avanti are doing their utmost to inform their customers.
Avanti is a kiosk manufacturer; they build vending machines and snack stands. They are not a tech company plugged into the security ecosystem like many of the online brands we all know. Yet here they are dealing with this incident in a highly professional manner and whilst they’ve had external help in doing so (they brought in a security firm very early), clearly the will has been there to handle this responsibly.
Just as organisations run drills for disaster recovery, practicing for a data breach makes a lot of sense. Both scenarios are high pressure and high stakes and preparation can make all the difference. Practice breach response because at the rate we’re seeing these incidents occur, there’s a good chance that’ll come in very useful one day.