You probably received an email from LinkedIn recently about its massive security breach. Hackers obtained up to 117 million user names and passwords and listed them for sale on a dark website. The breach was connected to a 2012 hack. LinkedIn admitted in 2012 that 6.5 million user names and passwords were at risk, but now it realizes that the breach was far more extensive than previously thought. The news highlights the difficulty companies face when responding to security breaches.
In February, employees at Hollywood Presbyterian Medical Center in Los Angeles could not access their network due to a ransomware attack. Hackers demanded the hospital pay $17,000 in Bitcoins to release the files. The hospital opted to pay the ransom to free its files. (In this case, the hackers unblocked the files after receiving the ransom payment; sometimes they don’t.)
Jeffrey I. Ziplow, a security expert at Blum Shapiro Consulting, calls ransomware a pandemic. “Organizations can no longer believe ‘it can’t happen to me,’ because it can and most likely will,” he says. Even small businesses and not-for-profit organizations are targets of hackers who freeze computer files and then demand a ransom payment to free the files. The ransom amount is often relatively small. Businesses are more likely to pay smaller ransom demands. A hacker froze the files on the personal laptop of my 17-year-old granddaughter, and demanded a $17 ransom. Her mother found a computer expert to free the files. The fix cost more than the $17 ransom fee.
What Crisis Communications Plan?
These days all organizations must prepare for a security breach and a ransom demand. Many organizations lack proper computer security and a communications plan for responding to ransomware and other types of security threats.
A survey conducted this year by MIT Technology Review Custom in partnership with FireEye and Hewlett Packard Enterprise Security Services revealed that 44 percent of business leaders said their organization didn’t have a cybersecurity crisis-communication plan. Another 15 percent said they didn’t know.
Many organizations use a plan designed for other types of emergencies, such as a fire or natural disaster. That’s a mistake. Those types of plans don’t address the complexities and unique issues of data security. Security breaches are often discovered by outsiders, which catches the organization off guard. In addition, they can remain undetected for long periods of time, sometimes even years, which can further damage an organization’s reputation.
“If there’s a fire in the building, there are one or two ways out, but in cyberspace, there are many different scenarios. You have to know what you might be facing,” Victor De Souza, vice president of global communications for FireEye Inc., told MIT Technology Review.
How to Handle Security Threats
A communications plan for security threats lays out clear protocols for what you expect to do, how you will respond, and how the public and stakeholders will be notified.
Here are key crisis prevention and management recommendations for security threats:
• Back up all files on a remote server. Many services are available and aren’t terribly expensive. Also use a firewall and security software to protect your key computers. Use strong passwords to access servers and don’t reveal the passwords to outsiders.
• If a breach occurs, keep key stakeholders continuously informed. Without timely information, conjecture and rumor can spread. However, experts recommend against releasing all the details of a breach. “We typically would not communicate all the details of a breach to all employees,” Chris Leach, chief technologist for HPE Security Services, told MIT Technology Review. “We’ll only share enough to make sure they’re confident that we’re handling it, and that this is information they could, and should, share with their customers.”
• Involve top management in actions during the crisis and the preparation of the crisis communications plan. A breach is not an IT problem; it is a business problem. “If a breach is detected, key decision-makers must get to the table and start a fast, no-nonsense ‘what do we know’ session,” urges Jeremiah McWilliams, senior communications strategist at Jackson Spalding. Decision-makers should include senior representatives from legal, HR, communications, operations, security, IT and all other relevant departments.
“This is a senior-level priority, and the crisis management team needs to reflect that,” McWilliams says. The team should ask the tough questions, get the facts and stay in constant contact as the situation evolves.
• Create a war room. A 24/7 hotline to a contact person or department handling inquiries and a script responding to questions can ease the communication flow. Prioritize media queries.
• Monitor media and social media. Close monitoring of social media enables you to know when people say something that requires an immediate response. It also provides you the opportunity to communicate directly with customers and affected individuals in real time.
“Ideally, you should have a pre-approved message bank that can be used to respond to comments on social media,” McWilliams writes in O’Dwyer’s. “Don’t just use boilerplate over and over — empower your social media team to use their judgment, with oversight from senior executives.”
Bottom Line: Data breaches remain an ongoing threat. Ransomware, an especially insidious kind of data security breach, is spreading. Smaller businesses and even individuals are often targets. Businesses are wise to prepare crisis communications plans that specifically address those issues.
William J. Comcowich founded and served as CEO of CyberAlert LLC, the predecessor of Glean.info. He is currently serving as Interim CEO and member of the Board of Directors. Glean.info provides customized media monitoring, media measurement and analytics solutions across all types of traditional and social media.