We Take Your Security Seriously
30th September 2019
"We take your security seriously". How many times do we see those words (or something very similar) being stated? Almost always after a breach has occurred. To be honest, I'm sick and tired of hearing it. It's meaningless. I equate it to the words "it's not you, it's me" when someone breaks off a relationship.
A disclaimer: I am by no means an expert on this topic. This post is based on observations I've made while working in the industry, interactions with others in the community, and my own expectations as a user.
Actions Speak Louder Than Words
I'm a firm believer in this. Words are meaningless unless something is actually done, and nowhere more so than when it comes to security. Your actions alone should mean that you don't have to talk about them; they should speak for themselves. I'm also a firm believer in providing guidance and advice to those who may need it. So here are some of my (personal) points which I would recommend companies follow to show that they take the security of their users seriously.
Be Open and Honest
I can't stress this enough. Trying to hide a breach is only going to make things worse. In this day and age, with so many people involved, it is likely only a matter of time before someone leaks what actually happened (if those who performed the breach haven't already) or your users' suspicions are raised. Speculation spreads very quickly through the InfoSec industry, and by nature many of those in the industry are inquisitive. What do you think that is going to result in?
When the truth does surface, you will have made a bad situation worse. Be open and honest about what happened. Sure, it sucks, but it happens. Being open and honest shows that you care. There are also now legal implications in many countries if you fail to inform the appropriate authorities of a breach, often within a specified time period: under GDPR, for example, the supervisory authority must be notified within 72 hours of becoming aware of the breach.
Learn From Mistakes
Let's face it, most companies are going to face some form of breach at some point in their lifetime. With so many things to secure, this shouldn't come as a surprise; it only takes a simple slip-up. To me, what is more important than the breach itself is how the breach is handled. We all make mistakes, and how we deal with those mistakes defines who we are. Take the failings, understand why they happened, and put appropriate safeguards in place to prevent the same or similar issues happening again. This follows on from the point about being open and honest: be clear about what happened, be clear on how you plan to address those issues or failings, and be clear on when you plan to do so (set appropriate timelines).
If you want a great example of this, take a look at Timehop's write-up of their breach: https://www.timehop.com/security. It was detailed (yours doesn't have to be, but doing so only reinforces that you are being open and transparent), yet not once did they say "we take your security seriously". They didn't have to! The very actions they took showed that they do, and that they care about your security. Compare this with the responses from Equifax or TalkTalk to their breaches.
Have a Plan
This is vital. Not having one is likely going to lead to panic if a breach occurs, and understandably so. I've been involved in a post-incident response before and there was panic. It led to confusion and extra cost: people being called in when they didn't have to be, and nobody quite sure who should be doing what. Having a plan for when this does happen will help avoid that panic. It will help identify who you need to involve, and when. It will bring some structure to what will already be a chaotic time. It will also help ensure that you comply with the appropriate laws where needed (such as the breach notification requirements under GDPR). It illustrates the point that you care, that you have taken the time to prepare for something of a serious nature. It also means that your response will be that much more structured, giving the details you should as well as admitting when you don't have them. Otherwise you will end up with press statements such as TalkTalk's one about "Russia-based Islamic jihadists".
Just as important, practice those plans. Perform tabletop exercises. This helps ensure that your plan has no shortcomings, and that it is current and up to date. Regulations change and people come and go, so it is important to check whether your plan is current, has the appropriate people involved, deals appropriately with regulations, and so on. "Practice makes perfect" comes to mind.
Let Me Get Back to You
The media and your users will naturally want answers, and immediately after a breach you will likely not have them. It's perfectly acceptable to admit that you don't know the answer but will give one as soon as you do. This goes back to the point of being open and transparent. Trying to make up an answer will likely land you in a scenario like the TalkTalk one above with the "Russia-based Islamic jihadists". Ensure that you refer to the appropriate people to get the appropriate answer. Don't have your CEO give technical answers (unless they absolutely are able to). Defer to your technical team and give the answers when they have them. Ensure that your social media staff understand this too. All too often I've seen them attempt to answer a technical question when it is apparent that they don't know the answer, and the eventual Twitter pile-on follows. An answer along the lines of "I don't know the answer, but let me check with my technical team and I will get back to you" is perfectly acceptable.
This is especially true if you are a smaller organization and simply don't have sufficient resources (funds as well as skills). If there's one thing I've learnt about the InfoSec community, it is that there are always people willing to help those in need. If people offer to help, and you need it, take their offer. In several countries there are also government organizations which may offer help: here in the UK we have the NCSC; in the US, NIST publishes incident-handling guidance (SP 800-61) and CISA's US-CERT can assist. There are also various national and sector CIRT or CERT teams which may be able to offer help or guidance.
Take Reported Vulnerabilities Seriously
Nothing screams that you take your users' security seriously louder than ignoring reported vulnerabilities, right? When someone reports a vulnerability to you, they are most likely simply trying to help and often expect little in return (a simple thank you, perhaps). The very least you can do is investigate the reported issue and work with the reporter on the potential finding. Have open and honest communication with them. Make it easy to report in the first place: a published security contact and a clear statement of how reports are handled go a long way. Should that finding later be exploited in a breach, and it comes out that you ignored the report, you will have very little excuse.
Breaches happen; this unfortunately is a reality we have to face in this day and age. The best that you as a company can do is prepare for the day it comes (hopefully it doesn't), be open and honest, and don't panic. Remember that sometimes these things happen even to the best of us, so a breach is not necessarily an indication of a failing in your company. Even if it is, admit it and learn from it. I personally judge companies not so much on the breaches they have, but rather on how they deal with those breaches. Often one can see the overall security maturity of a company during these situations. And most importantly of all, stop saying "we take your security seriously"!