FieldHouse’s cyber team took a field trip to the US revolving around the RSA Conference (more on that later). Before the vendor fiesta got underway, we got in a solid couple of days of security learnings at BSides San Francisco, a community-run event organised by and for infosecurity professionals.
Geared more towards security researchers, engineers and analysts, BSides is great for an insight of what is happening on the cyber security front line. A panel on disclosing security incidents was particularly enlightening on how security professionals view and interact with comms teams.
The panel was under Chatham House rules, so I can’t tell you who said what. However, I can tell you that representatives of a streaming service, a tech startup and a cyber security company shared their experiences of dealing with the fallout of a data breach or cyber attack – a nightmare scenario for any organisation – and what they considered to be best practice.
I was probably the only comms person in the room and, like me, you might think it’s an interesting topic – but how much does it relate to a comms professional? The answer is that dealing with a security incident is as much a comms problem as it is a security problem – the response to every data breach and cyber attack requires a three-way collaboration between security, legal, and comms teams.
Here’s how the responsibility breaks down:
The security team either discover or are alerted to the security incident. They then have the unenviable job of trying to understand exactly what has happened and mitigate the damage as quickly as possible – working long hours in shifts to secure any data at risk. They report their findings up the line to the business, where somebody has to make the ultimate decision about what to disclose and to whom – which is where the legal team gets involved.
If you’ve somehow managed to avoid the four letters GDPR up to now, I won’t spoil your day by explaining data regulation to you. The upshot is that in Europe we now have a pretty clear set of rules that legal teams use to determine how serious the security incident is, who has to be informed about it, and when. Exactly when the timer starts on the 72 hours a business has before it must disclose to the UK regulator is a topic of some debate, but most professionals seem to agree it is when the company itself becomes aware of the incident. How companies communicate a security incident to their customers and the public is even less clear, which is where the comms team comes in.
How did the panel at BSides view comms people? Let’s just say I sank down in my chair in the auditorium. As they told it, the security team would like to be transparent about the security incidents they face, how they handle them, and any subsequent risks to their customers and the public. But they inevitably come face-to-face with the comms team – who insist on restricting the amount of information released in fear of negative press and spin (shudder) anything that is released into something unintelligible.
Sitting at BSides – listening to security professionals talk frankly about the security challenges their organisations face – it was hard to doubt their sincerity in wanting to be transparent with the public. What bothered me was that communication professionals were seen as a barrier to this effort, rather than the facilitator we should be. However, I expect, and hope, the tide is turning on the comms approach – or, more accurately, the absence of a comms approach – of maintaining silence when a security incident takes place.
There are a couple of indicators that this approach to incident disclosure is quickly becoming outdated. Firstly, the aforementioned improvement in data privacy regulation, which does mandate communication to customers if their data is exposed. This means that, in many cases, silence is simply not an option, so comms teams are forced to adopt a more transparent approach.
Secondly, the industry’s assessment of how well an organisation handles a security incident increasingly includes an evaluation of their approach to comms. Where the discourse around a security incident was once entirely around how a company could and should have prevented it, as the industry has matured, it has become widely accepted that no organisation can stop every incident. Organisations are now evaluated on how well they respond to attacks.
Clear, transparent communication with customers is praised. Monzo’s response to the Ticketmaster breach is always an example that comes to mind – as the digital disruptor separated itself from the incumbents as the only bank that proactively reported fraudulent activity to its customers.
On the other hand, inconsistent, misleading and slow communication with customers comes under as much criticism as a poor technical response. The ransomware attack against Travelex earlier this year is a masterclass in how not to communicate an incident, thanks to a cocktail of conflicting company statements claiming the website was simply down for “planned maintenance”, employee whistleblowers, and the perception of a slow executive response.
Listening to security professionals discussing the intricacies of comms strategy, right down to channels and tactics, it was clear to me that comms has a greater role to play in security than ever before. It is our responsibility to take that seriously and work with – not against – security teams to ensure that we are responding to incidents in a way that the security industry sees as ethical and responsible.