
Tech Bytes: Take the Two-Pronged Approach to Survive a Data Breach

9/23/2016

It’s sad, but true: companies are still taking a “don’t ask, don’t tell” stance when it comes to owning up to data breaches.



This week, Yahoo announced a data breach of epic proportions — an incident that cost the search engine company the account information of approximately 500 million users. While the sheer breadth eclipses the highly publicized breaches across The Home Depot, Nordstrom, Neiman Marcus and Target, one similarity does stick out.



Yahoo’s compromised data was reportedly stolen from the company’s network in late 2014. Worse, Yahoo had an inkling of a problem in August. Yet, even among swirling rumors, the company failed to address the gossip.



If this scenario doesn’t ring a bell, it should: Target played a similar tight-lipped game upon initially learning about its attack in late 2013. Instead of admitting the infiltration immediately, the company kept mum until its investigation became public.



It prompted the later resignation of the chain’s chairman, president and CEO Gregg Steinhafel, who, according to a company statement, “led the response to Target's 2013 data breach … and held himself personally accountable.” In the eyes of shoppers, this was too little, too late.



Shoppers saw red upon hearing of the data breach — one that was two weeks in the making during the hustle and bustle of the busy holiday shopping season. Meanwhile, the magnitude of its reach and damage was kept quiet. It was a public relations nightmare that cost Target plenty — including long-term customer loyalty that is critical in such a saturated, highly competitive marketplace.



In an era when more than 4.8 billion data records have been exposed since 2013, according to the “Breach Level Index” from Gemalto, there is no more room for excuses. Retailers must do better.



From an external point-of-view, retailers should:



• Communicate. We learn as children it is better to tell the truth than to lie. Nothing has changed. Admit responsibility for the breach, and explain to shoppers how and why it happened.



• Nurture. Provide solutions for affected shoppers. To maintain loyalty, deliver protection services or even a special offer to those directly impacted.



• Educate consumers. Explain the proactive steps the company is taking to mitigate the breach internally, and remind shoppers to promptly change passwords, security questions and answers.



Internally, retailers must immediately:



• Review Logs. Intrusion detection software, and device and firewall sharing logs will reveal where attacks are coming from, and how far-reaching they are.



• Seek Help. Once store and security managers and CIOs are in the loop, notify wireless providers, as well as the police and FBI.



• Begin Remediation. Review and reduce network access of third-party business partners. Test network firewalls, related governance and disaster recovery processes.



• Re-affirm Internal Security. After resetting passwords, adopt two-factor authentication for internal users, and tokenization for shoppers using credit, debit or mobile payment options at point-of-sale.



• Adopt Data Loss Prevention (DLP) Systems. Even among the best laid plans, data losses happen. Using DLP to pinpoint where confidential data is stored across the enterprise, how data is used, and from where users access the corporate network, retailers can proactively ensure sensitive or critical information doesn’t leave the corporate network.



With Gemalto reporting that data breaches and compromised data files are up 15% and 31%, respectively, in the last six months alone, it is clear that no company is immune to a cyber attack. However, laying low after a data breach is no longer an option.



Stay proactive, honest and nimble when it comes to cleaning up the mess, and protecting sensitive personal information. Those that fail to do so lose more than customer information — they lose the confidence of their once loyal shoppers.

