What should you say if you have a data breach? Catch up with Jason Nurse at Sophos Evolve

Dr Jason R.C. Nurse is an Associate Professor in Cyber Security at the University of Kent, and a Visiting Academic at the University of Oxford. His research focuses on the socio-technical aspects of cyber security, privacy and trust.

Jason has channelled years of research into a concise, evidence-led framework that outlines the best ways to deal with the potential relationship damage that comes hand in hand with a cyberattack. (The full research paper, co-authored with Richard Knight, can be accessed via arXiv.org.)

As part of the Sophos Evolve 2020 event, Jason joined Doug Aamoth, Sophos product marketing director, and Sara Eberle, senior director of public relations, to talk about his work.

If you missed the live session, watch the recording, and check out our key takeaways below:

Preparation is key

There’s a lot of focus on the technical response to a cyberattack, such and shoring up firewalls and improving endpoint protection, but when it comes to responding to a data breach, it’s also important to consider what you say publicly, and how you say it.

A cyberattack is always going to be an unwelcome surprise. But with the right preparations and a well-considered, helpful response, you can maintain the trust you’ve built with your customers.

An ounce of prevention, a pound of cure

Jason made it clear that putting the work in before a data breach occurs is crucial, but that many organizations overlook this preparatory stage.

To put out an effective response after a breach, you need to know in advance who your spokespeople will be, where your customers are based, which regulations apply, and how you’re going to talk to the public.

Your organisation’s list of spokespeople should be as short as possible – ideally just one or two people – so your message stays consistent and you don’t cause confusion.

It’s worth preparing draft responses for the media, shareholders, and customers, so you’re not scrambling for a statement if a breach occurs. This includes having a set of responses for a range of security incidents.

Jason has seen great success in organizations that hold regular rehearsals, which ensure everyone has a tight grasp of their responsibilities – including who they’re allowed to talk to and what they’re allowed to talk about.

To disclose, or not to disclose?

Honesty remains the best policy, unless the law requires you to keep a breach under wraps.

If you choose not to disclose a breach publicly, there’s every chance that it will come to light later on. Always remember that people may find your organisation’s data in underground criminal markets.

Don’t play the victim

When you’re hit by a cyberattack it can be tempting to say you are the victim, because technically you are a victim.

But that story isn’t going to sit well with many people. As Jason explained: when people choose to trust you with their data, you’re taking on the responsibility to protect that information.

Make sure it’s clear that you understand the real-world impacts of a breach, and that you’re taking the breach seriously.

Jason said it’s hugely important to take responsibility and clearly outline what you plan to do next. Make it clear how are you going to address the breach and how you intend to to reduce its impact as far as you can.

This could include highlighting extra security measures your organisation will be adding, or, simpler still, taking the opportunity to remind customers to set more robust passwords.

Be fast, clear and factual

Here are some of Jason and Sara’s top tips for ensuring your response to a potential data breach is comprehensive and reassuring:

  • Respond quickly. You only have one opportunity to make a first impression. If you’re properly prepared, it’s far easier to give a prompt response that’s also measured and accurate.
  • Deliver a clear message. Don’t use jargon when you address your customers and shareholders. Direct, empathetic communication is far more effective.
  • Use a single source. Stories can quickly get muddled across news sites and social media. With a single, up-to-date statement direct from your organization’s CEO, or someone of a similar executive status, you can get your message across clearly.
  • Take responsibility. Shareholders, customers and the media don’t take kindly to organisations that won’t own up to their mistakes.
  • Share the lessons. Setting out a clear action plan will go a long way to reassure your shareholders and customers, and to preserve the relationships you’ve worked so hard to build.

Want to dive deeper?

If you’re interested into delving deeper into Jason’s framework and how it could help your organization prepare for a potential breach, you can access the full research paper via arXiv.org.