Even when cybersecurity investigations after an incident are ongoing and you won't have all the answers upfront, it's still important to communicate what you can as early as possible and as often as possible. Communication is integral to successful incident response and the endurance of a brand's reputation. The main reason it's important to divulge as much as possible as soon as possible is that brands can die after a security incident if a third party (such as the press or customers) is the first to break the news of the incident.
Even if you don't have all of the answers, it's better that any new information comes from your organization and not the press or third-party groups. Again, show empathy and ownership every step of the way. Keep anyone who is potentially affected — customers, vendors, third parties — updated on an ongoing basis about technical findings, results, and impact. Offer these people helpful and relevant resources and support.
What Happens After a Security Incident?
Information sharing can heal even the deepest wounds; companies that are advised (by lawyers or others) to keep as much as they can under lock and key are, frankly, short-sighted. Sharing threat data and information needs to happen in a clear and concise way. With whom and how this information is shared should be discussed and agreed upon with lawyers before any major incident occurs. Don't be afraid to share technical details and the steps your security team is taking to investigate and avoid these vulnerabilities in the future. You might consider sharing technical details such as events to look out for, CVEs, or indicators of compromise. These details are extremely valuable because they can help customers get ahead of the incident and take their own remediation steps.
Despite what it may feel like when you're in the trenches after a security incident, the world doesn't stop moving. If you've publicly announced a breach, other cyber adversaries don't magically disappear. There are still threats looming, possibly waiting to attack your infrastructure while it's at its weakest. After a security incident, it can be easy to forget about your defenses against everything else, so set up a system to make sure this doesn't happen. Ensure you're monitoring for additional nefarious activities. Make sure your team members get regular rest breaks (tired people make mistakes!). Nutrition and hydration matter just as much as sleep.
Second, it's important to note that cyber adversaries typically don't break in; they log in. This is certainly the case for Lapsus$ and other similar threat groups. They can compromise credentials through a variety of methods and log in to most networks and applications. Security teams should shift their focus from purely preventing credential compromise to tracking user behavior so that anomalies can be quickly identified and acted upon. Thanks to modern tools that utilize machine learning or behavior analytics layers, there is little to no burden on the analyst.
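To make the point about behavior tracking concrete, here is an added example (not from the original article or any vendor tool) of a per-user baseline check over successful logins. The event fields, thresholds, and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: every event is a SUCCESSFUL login with valid credentials,
# so failed-login alerting sees nothing. Field layout is an assumption.
EVENTS = [
    ("2024-03-01T08:02:00", "alice", "US", "laptop-a1"),
    ("2024-03-02T08:10:00", "alice", "US", "laptop-a1"),
    ("2024-03-03T07:55:00", "alice", "US", "phone-a2"),
    ("2024-03-04T08:05:00", "alice", "US", "laptop-a1"),
    ("2024-03-04T09:30:00", "alice", "BR", "desktop-x9"),
    ("2024-03-01T13:00:00", "bob", "DE", "laptop-b1"),
    ("2024-03-02T13:20:00", "bob", "DE", "laptop-b1"),
    ("2024-03-03T13:05:00", "bob", "DE", "laptop-b1"),
    ("2024-03-04T13:10:00", "bob", "DE", "laptop-b7"),
]

MIN_HISTORY = 3                      # logins needed before a baseline is trusted
TRAVEL_WINDOW = timedelta(hours=4)   # country change faster than this is suspect

def detect(events):
    """Return (timestamp, user, reasons) for logins that deviate from the user's own history."""
    seen = defaultdict(lambda: {"countries": set(), "devices": set(), "count": 0, "last": None})
    alerts = []
    for ts, user, country, device in sorted(events):
        when = datetime.fromisoformat(ts)
        base = seen[user]
        reasons = []
        if base["count"] >= MIN_HISTORY:
            if country not in base["countries"]:
                reasons.append("new_country")
            if device not in base["devices"]:
                reasons.append("new_device")
        if base["last"]:
            last_when, last_country = base["last"]
            if country != last_country and when - last_when < TRAVEL_WINDOW:
                reasons.append("rapid_country_change")
        if reasons:
            alerts.append((ts, user, reasons))
        else:
            # Only unflagged logins extend the baseline, so a suspicious
            # session does not teach the detector that it is normal.
            base["countries"].add(country)
            base["devices"].add(device)
        base["count"] += 1
        base["last"] = (when, country)
    return alerts
```

A flagged login is a prompt for review or step-up verification, not proof of compromise; once the user confirms the new device or location, it would be added to the baseline by whatever review workflow the team runs.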
Lastly, big breaches can take years to clean up and settle in court. The true cost of security and privacy failures is underreported — I'd venture to say it's probably double or triple what you read in the news — both in terms of cost and time to remediate. Although stock prices usually don't change after a breach, it is most certainly more difficult to sell a product or service for a year or so. Develop the right relationships — with sales, marketing, legal, comms, executives, and stakeholders — long before a cyberattack takes place.