NIST SP 1800-29, Case Study
The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce. It publishes guidelines on how to implement technology and helps you anticipate situations that could compromise your data.
In its publication NIST SP 1800-29, NIST gives advice on how to detect, respond to, and recover from data breaches.
Going through all of these documents is a daunting task, which is why the NIST Cybersecurity Framework (CSF) 2.0 exists to help manage the process of reducing cybersecurity risk.
When a security breach has occurred, it is of the highest importance that you respond immediately and make a public statement. How you handle this shapes the public's opinion of your company.
CSF states:
* Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving
* Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced
* Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies
From this we can deduce that leadership, responsibility, and communication are of very high importance when a breach has occurred.
Troy Hunt, founder of the service Have I Been Pwned, woke up after an exhausting trip to Europe from Australia. This was the beginning of a breach of his mailing list hosted at Mailchimp.
Bad actors managed, via phishing emails, to gain access to his list of about 16,000 subscribers.
He did his best to contain the damage following the breach and, even more crucially, made the ethical choice to be fully transparent throughout the process. He immediately published a public statement about the data breach on his blog.
At first only a brief statement was posted; details were added as they were unearthed. Once things had calmed down and he was on top of the situation, he reached out to every subscriber on the list to inform them of the state of affairs.
This is a clear example of leadership that takes accountability for cybersecurity risk seriously, and of an organization that continually improves.
Security figures such as Steve Gibson have commented on the breach, and he was not critical of how the situation was handled. Instead, the impression is that this is a good example of how to handle a breach.
Had he not done this, his company would have lost the trust of its customers and stakeholders. This is why it is important to control the narrative from the start by owning the problem. Had the severity been downplayed, the blame shifted to the supplier of the mail service, or the breach denied outright, the company would have risked a huge loss of confidence.
It cannot be overstated how bad this is for business.
Customers may leave, investors may stop supporting the company, and insurers may refuse to renew contracts.
Regardless of the severity of the incident, it is of the utmost importance that it is addressed immediately to avoid losing the narrative to adversaries. In the first couple of hours there will be many rumors going around, and competitors will not let an opportunity to damage your brand pass them by.
This is why it is always good practice to set up strategies for the most likely risks well in advance. Many organizations are, for various reasons, obliged to have such strategies in place.
Most large and medium-sized companies have strategies in place; smaller companies may not. When the day comes to handle a data breach, it is a huge benefit to be prepared and to know what actions to take. Everyone is on their toes and knows what is required of them. This mitigates the risk of irrational actions and reckless decisions made in the heat of the moment.
Even on an individual level, you can benefit from learning how to reason through risks when you set up a network or install a file server. You are better prepared for situations that may occur because you have thought them through in advance, while everything is calm.
By going through this process you may even anticipate situations that can be resolved easily in advance and, by implementing remedies, steer clear of an otherwise likely bad outcome.
Whether or not Troy has IT guidelines in place for situations like this, his actions reveal that scenarios like this had been thought through in advance.
Recent media reports of data breaches at large organizations suggest that they may have a lot to learn from Troy Hunt.
References
* NIST SP 1800-29
* NIST Cybersecurity Framework
* NIST SP 1299
* Troy Hunt blog
* Security Now Episode 1019