In the world of security, there is often a significant difference between perceived reality and what is actually happening. On a near-daily basis we are inundated with stories about cyberattacks, and most people have no problem rattling off a list of companies that were compromised in the past year. However, it would be significantly more difficult for them to recall exactly how these organizations and their customers were impacted by these breaches.
That means even if a breach doesn’t directly cost your organization a ton of money or expose customers’ sensitive information, it can still create significant problems. You can’t expect the general public to dig into the story or process the details like a security expert.
After hackers claiming allegiance to the Islamic State took control of the U.S. military’s Central Command social media accounts, we received countless questions about whether we suspected sensitive information had been exposed, if U.S. soldiers and civilians were in danger, etc. Of course, there’s a significant difference between a massive data breach and a case of cyber-vandalism. As Peter Singer, a strategist and analyst with the New American Foundation in Washington, put it, “Let’s remember this is a social media account. This is not a military command and control network. This is not a network that moves classified or even non-classified internal information back and forth.”
But many people will not make that distinction. A breach, no matter how insignificant, will simply register as a “breach.” And even for those who do understand the nuances of a breach, a minor slip-up can rightfully cause concern that security best practices aren’t being followed in other (and perhaps more critical) areas.
A higher-level example of this line of thinking can be seen in the recent case of the White House fence jumper. Fortunately the attack was not successful, but significant damage was done to the Secret Service’s reputation. The incident rightly caused the public to doubt their capabilities.
So, what does this mean for you?
It means that the public’s perception of security within your organization can be just as important as reality, and it’s your job to manage that perception. I’ll be the first to admit that it’s impossible to protect your entire network – you have to identify your critical assets and ensure you’re truly doing everything in your power to defend them. But when you’re taking stock of those critical assets, remember that it’s not just credit card numbers, Social Security numbers, etc. – it’s anything that could impact your reputation. Your Twitter account matters. Your homepage matters. Your test servers matter (as proven by the very public Healthcare.gov breach).
If a breach does occur, by being forthcoming with information and doing everything in your power to help those who were affected, you can hopefully repair some of the damage on a reputational level. Anthem is a great example of this. They came clean about their breach right away, and they discovered and reported it themselves. They didn’t wait for someone else to find it for them. This went a long way in restoring their credibility.
I’d be willing to bet Anthem had a solid incident response plan – being clear and forthcoming at the time of a breach is a lot easier if you’ve prepared for such an event. Who’s responsible for communicating with the media, customers, employees, and stockholders? Who’s going to handle your forensics and security investigation?
These aren’t issues you want to start fumbling through at the time of a crisis. If you haven’t already, establish your internal incident response team. It should include communications, legal, security, and the executive team, plus a few others depending on the nature of your business. This isn’t a plan the security team should pull together in their own little bubble – get buy-in from all those key players beforehand, and it will be easier to mobilize the troops once the moment of truth is upon you.
Infosec professionals are often analytical by nature, and it can be easy to get bogged down in the technical details, but it’s a mistake to ignore the human side of security. While you’re coming up with creative solutions to keep your critical business assets, customers, and employees safe, don’t forget about your reputation. Perception is just as important as reality.