
Attacks/Breaches | Commentary
3/31/2021 10:00 AM
James Pleger

3 Ways Vendors Can Inspire Customer Trust Amid Breaches

As customers rely more on cloud storage and remote workforces, the probability of a breach increases.

Security breaches are a fact of life. Despite adhering to best practices and having all of the right technology and safeguards in place, no company (no matter how preeminent) is ever totally immune. 

As organizations increasingly rely on digital data, store more of said data in the cloud, and shift to an all-remote workforce, opportunities for breaches are only growing. Given this, it's no wonder the cybersecurity market is projected to reach a staggering $248 billion by 2023. 


Although companies can't control whether they'll ever experience a breach, they do have control over how it's handled. By keeping the following strategies in mind, companies can foster customer trust and loyalty, even amidst security breaches.

Be Transparent
Transparency is integral to trust. Take it from the Dalai Lama, who famously stated, "A lack of transparency results in distrust and a deep sense of insecurity." This couldn't be more true when it comes to how companies alert their customers to — and handle — security breaches. When vetting a security vendor, there's no bigger red flag than a company that previously has tried to cover up or hide the details of a breach. It signals a major cultural issue regarding integrity within the organization and dismantles user trust.

When organizations experience a breach, it's vital that they quickly disclose to customers what has happened, how it happened, and exactly how it will affect them. This should be done in a proactive and timely manner — no customer should ever have to wonder or do their own research in an attempt to figure out what happened. As a follow-up, customers should also be briefed on what the vendor plans to do to avoid similar incidents in the future. 

Be On the Ball
It's critical that companies stay on the ball and work constantly to identify breaches as they happen. Historically, companies that have found breaches faster, and addressed them with transparency, have fared far better than their counterparts that were late to the game.

Once customers lose confidence in a company's ability to stay on top of security, it can be hard to regain that trust. Being timely when it comes to uncovering breaches gives companies the opportunity to reduce the amount of damage done and prove to customers that they're always looking out for them.

Vendors should have a comprehensive incident response plan that is clearly communicated to customers, consisting of guidelines on how they handle breaches. Organizations that go above and beyond may even opt to include this as an easily accessible, public document on their website for all to see. 

Follow Best Practices
So, how can companies stay on the ball? Following a set of best practices doesn't make a company immune to failure, but it's a basic standard that every business should have in place. This includes everything from prioritizing cyber hygiene, to adhering to industry-standard best practices, to ensuring your environment can be independently certified or accredited (which should come easily if you are doing the first two).

More generally, security should be integrated into everything a company does. Having security as a separate entity within an organization (with different objectives and goals) is almost always harmful. Vendors that handle breaches successfully and maintain customer trust are those in which security isn't siloed: It's woven into the culture and, therefore, everything they do. For example, all employees should feel confident identifying and bringing up security issues, and security should be embedded into software development processes. And there are plenty more best practices on top of those. 

Some customer organizations today are taking this a step further by appointing a designated privacy or data security officer. If people hear about security events that should've been easily mitigated but weren't, it reflects poorly on the vendor. This can best be avoided by following best practices.

By being transparent, staying on the ball to identify threats early, and following best practices, vendors have the best shot at earning and maintaining trust throughout the customer life cycle.

James Pleger is currently the manager for the SpecOps team at Sumo Logic. He is responsible for the company's efforts on hunting, threat intelligence and generally helping customers improve their security posture. James has been in the industry for over 15 years and has ...