
4/27/2007
05:15 AM

What Imus Can Teach IT

Shock jock's implosion illustrates several lessons about the prevention and containment of data breaches

Radio personality Don Imus' recent breach of taste has a lot in common with data security breaches. The loss of reputation and costs incurred following Imus’ word-spew illustrate how important it is to understand exactly what happened, who is affected, and how to respond properly to victims of a breach.

With that in mind, consider these 10 important lessons to be learned from the Imus experience:

1. It takes only one breach to make people unhappy and get you fired -- or, in the case of a company, lose lots of good customers. Some 20 percent of data-breach victims cut ties with institutions that compromised their privacy, according to one study we recently conducted.

2. Never underestimate the cost of a breach. Not only did Imus lose his job, but the lost sponsors and reparations to the victims could cost millions. According to Ponemon Institute's 2007 Cost of a Data Breach study, breaches can cost companies millions of dollars per incident in direct costs, such as victim notification. The significant costs involved should inspire you to have controls in place to prevent leaks. On average, the cost of a data breach is $182 per compromised record, a 31 percent increase over 2005. Total costs for each company in the study ranged from less than $1 million to more than $22 million.

3. Reputations suffer and trustworthiness declines following a breach. In the days following his remarks, Imus struggled to regain his reputation and popularity to no avail. The same holds true for many organizations that suffer a breach.

We conduct an annual study to determine which companies in a variety of industries are most trusted by consumers. In our 2007 Most Trusted Companies study we decided to track the impact a data breach can have on a company's perceived trustworthiness. There were 12 companies in our study that had data breaches that required them by law to notify consumers and employees that sensitive information was lost or stolen in the period following the 2006 study. In 2006, these 12 companies had aggregate trust scores that were 1 percent above the average score. Following the breach, their 2007 scores were 23 percent below the aggregate most trusted list average.

4. Communication should be in proportion to the incident. Over-apologizing or unnecessary notification will cause confusion as to the seriousness of the breach, and diminish the integrity of the organization. In the case of a data breach, organizations should make sure they understand who the victims are and what personally identifiable information is at risk. Notifying individuals who are not at risk will cause unnecessary worry and can cause more harm to the organization's reputation.

5. Public scrutiny -- not to mention laws and regulations -- should make you sensitive to how you respond. Lawsuits for negligent handling of personal information are becoming more common. Many states have passed laws requiring companies to inform their customers if their personal information has been stolen or possibly compromised. And some states have passed laws allowing individuals to sue organizations that fail to safeguard their private data. Federal statutes and regulations also permit government agencies to sue organizations over data breaches and other failures.

6. A loyal customer or audience does not necessarily protect your reputation when a breach occurs. Imus was fired while raising money for children's charities. Similarly, if you think you have established goodwill and loyalty with your customers through your privacy policies and commitments to safeguard sensitive information, think again. According to our research, companies that report a data breach are more than four times as likely to experience customer churn if they fail to communicate to the victim in a clear, consistent, and timely fashion.

7. The media can either help reduce the impact of a breach, or create the perception that a breach is worse than it really is. For days following his remarks, Imus was the top story in both print and broadcast media. In the event of a breach, it is important to conduct an investigation as quickly as possible to understand who has been affected and how breach victims may be at risk. As soon as the investigation is completed, victims should be notified and provided assistance to protect their assets. By completing these steps, the organization will be able to have a more positive and substantive response to media inquiries.

8. Have a plan that includes as many possible contingencies as you can imagine. Nothing is worse than being unprepared to take appropriate action to reduce the damage to victims and prevent the breach from becoming worse. Then make sure everyone involved understands the plan before it is needed and follows the plan in the event of a breach.

9. Executive commitment is important. As attention to his remarks escalated, Imus lost the support of management and his colleagues. In an organization, leadership should make it clear they support efforts to investigate and remediate the breach. This will help ensure that those within an organization work as a team to address the problems as quickly and efficiently as possible.

10. Be sensitive to your operating environment and have controls in place to reduce the likelihood of a breach. Even though he was a shock jock and appreciated for his humor, Imus was vulnerable because of his visibility in the media. Organizations that have high profiles, especially in highly regulated industries, need to take steps to know the types of information they are collecting, storing, and using, and what the risks would be if the data were lost or stolen.

As with Imus, a data breach involves a wide range of cost factors, including legal, investigative, and administrative expenses, stock performance, customer defections, opportunity loss, and reputation management. If there's a single lesson here, it's be prepared, both to avoid a breach in the first place, and to respond appropriately if one should occur.

— Larry Ponemon is founder and CEO of Ponemon Institute LLC. Special to Dark Reading.
