
The Privacy Advisor | Trendy Breaches Are Teaching Brands Lessons Quickly: How To Protect Yours


One of the major mistakes companies often make when preparing for a data breach is taking a one-size-fits-all approach. Unfortunately, the reality is that no data breach is the same, and there are a wide variety of unique circumstances that need to be accounted for in a data breach response plan.

Take the new types of information that hackers are targeting. While everyone is aware of the potential loss of payment card information during a data breach, that is not the only data that needs protecting. Today, cyber thieves driven by different motivations are after a wider variety of information—everything from password credentials to potentially damaging email exchanges, even something as simple as an individual’s affiliation with a company—that could be used to embarrass an organization or individual and have much longer-lasting damage.

There's no better example of this than the type of attack recently leveled against adultery site Ashley Madison. In this case, hackers were motivated to shut the company down through extortion, holding millions of customer records for ransom. While it might seem like an extreme example, it isn’t the first time these types of attacks have made headlines. Issue-motivated attacks struck banks a few years ago, and even the security industry itself was impacted with the HB Gary attack from the well-known hacktivist group Anonymous.

From the motivations of the attackers to the potential impact on customers, there are several lessons that organizations and individuals can learn from these examples. Taking stock of some of the unconventional data breaches we’ve seen to date, below are a few takeaways to consider.

The potential for this type of data breach is not unique.

First and foremost, organizations should understand it is not just an adulterer’s website that could face a breach motivated by reasons besides financial gain. Any company’s operations could be challenged by activists. From energy companies being the target of environmentalists to retailers that face opposition on labor practices or financial institutions that could be viewed by some as controversial, all corporations need to be prepared to face similar issues. In these cases, attackers would likely look for information that could cause operational challenges and significantly harm the company’s reputation if released.

Furthermore, any organization where some degree of anonymity is a key part of its operations is particularly vulnerable. Organizations where mere public association could cause personal harm to their members should think carefully about how they manage member information.

Reputational impact can be more damaging than financial impact.

Companies should be aware that if a data breach exposes an individual’s mere relationship with an organization, the data breach could result in customer embarrassment or psychological harm. For example, one of the biggest concerns during a healthcare data breach is the potential for medical identity theft. While medical identity theft brings several concerns, an often overlooked aspect is potential reputational impact on patients. A survey from the Medical Identity Fraud Alliance found 45 percent of victims suffered embarrassment due to disclosure of sensitive personal health conditions, which, in some cases, caused individuals to miss out on career opportunities or to lose employment.

Evaluate security posture.

Understanding that attackers are driven by different goals, businesses need to rethink the type of data they secure and what it means to prepare for a data breach. Organizations should carefully take stock of all the data they store—not just information with intrinsic value such as financial records, usernames and passwords but also any information that could simply be used to embarrass an organization or somehow be used against it.

Some initial steps to take to ensure good data management and help reduce risk include segmenting data, implementing multifactor authentication and ensuring comprehensive data encryption. Make sensitive data easy to delete and destroy, and keep your word: if you tell customers you’ve deleted data, delete it.

Protect against insider threats.

Insider threats are a growing concern, and disgruntled employees are often the source of data loss. It’s essential that companies keep tight control over who has access to what data to lower the potential for an insider to make off with sensitive information. This includes implementing strong permissions to access information and logging records of who accesses what. Companies are also encouraged to invest in security awareness training for employees so they are up to speed on how to properly keep and securely discard data.
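The two preceding sections (segmenting data and deleting what you promised to delete, and permissions plus a log of who accessed what) can be shown in a small piece of code. The following is an added example, not code from the article or from any product it mentions: a deny-by-default access gate that writes an audit entry for every attempt, and a deletion routine that re-checks every segment before reporting success. The segments, roles, sample records and in-memory store are all constructed assumptions.

```python
"""Added example (not from the article): least-privilege access to segmented
customer data with an audit trail, plus a deletion routine that verifies itself.

All segments, roles, record contents and the in-memory store are constructed
for illustration; nothing here describes a real system.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Data is split into segments so that a single compromised role or account
# does not expose everything at once.
SEGMENTS = {"billing", "credentials", "membership", "messages"}

# Role -> segments that role may read. Anything not listed is denied, so
# "messages" (the embarrassing kind of data) has no routine read path at all.
ROLE_PERMISSIONS = {
    "billing_clerk": {"billing"},
    "support": {"membership"},
    "security_admin": {"credentials", "membership"},
}


@dataclass
class Store:
    # segment -> {customer_id: payload}
    records: dict = field(default_factory=dict)
    # one entry per access attempt, allowed or denied
    audit_log: list = field(default_factory=list)

    def log(self, actor, action, segment, customer_id, allowed):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "segment": segment,
            "customer": customer_id,
            "allowed": allowed,
        })


def read_record(store, actor, role, segment, customer_id):
    """Return the payload only if the role is permitted on that segment.

    Every attempt is logged before the decision is enforced, so a reviewer
    can later see who touched what. Denied attempts are the ones worth
    alerting on: they show someone reaching outside their job.
    """
    allowed = segment in ROLE_PERMISSIONS.get(role, set())
    store.log(actor, "read", segment, customer_id, allowed)
    if not allowed:
        raise PermissionError(f"role {role!r} may not read segment {segment!r}")
    return store.records.get(segment, {}).get(customer_id)


def delete_customer(store, actor, customer_id):
    """Remove a customer from every segment, then re-check before answering.

    Returns True only if a sweep of all segments finds no remaining row, so a
    caller cannot tell the customer "your data is gone" unless it really is.
    """
    for segment in SEGMENTS:
        store.records.setdefault(segment, {}).pop(customer_id, None)
    store.log(actor, "delete", "*", customer_id, True)
    leftovers = [s for s, rows in store.records.items() if customer_id in rows]
    return leftovers == []


def denied_attempts(store):
    """Audit entries where access was refused; the input to insider-threat review."""
    return [entry for entry in store.audit_log if not entry["allowed"]]


def build_sample_store():
    """Constructed sample data: two customers spread across four segments."""
    store = Store()
    store.records = {
        "billing": {"c1": "card-on-file (constructed)", "c2": "invoice-only (constructed)"},
        "credentials": {"c1": "password-hash (constructed)"},
        "membership": {"c1": "joined 2015 (constructed)", "c2": "joined 2014 (constructed)"},
        "messages": {"c1": "private correspondence (constructed)"},
    }
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print(read_record(store, "alice", "support", "membership", "c1"))
    try:
        read_record(store, "alice", "support", "messages", "c1")
    except PermissionError as exc:
        print("denied:", exc)
    print("deleted c1 everywhere:", delete_customer(store, "admin", "c1"))
    print("denied attempts to review:", denied_attempts(store))
```

The design point is that the permission check and the audit entry live in the same function, so there is no code path that reads a segment without leaving a record, and the deletion routine reports success only after it has looked again at every segment rather than trusting that its own loop ran.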

Adjust the incident-response plan.

Companies should reevaluate their incident-response plans and ensure that they account for emerging types of data breaches. It is essential to list out special considerations for each type of incident and include specifically what actions the response team must take when they respond. As a best practice, companies should audit their incident-response plan semiannually to ensure they are accounting for emerging risks and any new types of data that they are collecting.

Effective communication is critical.

In general, companies that have publicly dealt with this type of data breach have had a hard time responding effectively and should be doing more to communicate with their customers. To maintain trust and limit reputational impact, organizations should be prepared to respond quickly to an incident with a sincere apology to affected customers, clear guidance on how they can protect themselves and details on what the company is doing to remedy the issue. If the response is not quick, customers may perceive that the company does not care about their well-being or the safety of their personal information.

When notifying customers, consciously think of ways to do so that will help protect them and not add more harm. Tailor the wording of notifications based on the situation and the information exposed, and consider offering compensation or other services to help affected customers navigate the resulting fallout.

Consumers can take a lesson on protecting anonymity online.

Another effect of the Ashley Madison incident is a growing awareness amongst consumers about protecting their online privacy. While there is a lot for companies to learn from these types of data breaches, consumers are quickly understanding the implications for how they manage online privacy and personal data security. In light of recent incidents, you can bet consumers will take matters into their own hands to learn more about protecting their information online. Services like Tor and VPNs could see an increase in adoption. Additionally, anonymous emails and accounts might be used when consumers are concerned about their identity or their affiliation with a company being exposed.

The biggest takeaway is that every organization is susceptible to a malicious cyber-attack where hackers are motivated to extort a company or individuals. As such, companies of all types should reassess their data security, consider the potential reputational impact a data breach can have on their customers and be prepared to respond accordingly. 

photo credit: IMG_2511.jpg via photopin (license)
