Hopefully you’ve never had anything stolen in a data breach, but if you have I hope you’ve been spared the salted wound of the non-apology.
There are notable exceptions of course but as data leaks and network breaches get larger, more common and more damaging, a humble sorry seems to be the hardest word.
All too often the company emails and blog posts that reveal that our private data is still data, but no longer private, are lawyer-safe missives with all the empathy of a “your call is important to us” phone queue.
Well, enough, we say – stand down your emergency PR team and step away from Outlook.
People who suffer data loss aren’t fools. They know that keeping out the bad guys is a difficult job, and they can tell that the real message is “the horse has bolted” when what you say is “the stable door’s been shut”.
To mark week two of Cybersecurity Awareness Month and its theme of Creating a Culture of Cybersecurity at Work, we’ve produced this handy guide for companies that have suffered a data breach but didn’t lead with “sorry”.
To those organisations wondering how to talk away the fact they dropped the ball, we say – in case you were wondering – this is what you sound like after a data breach…
“We take the security of our customer data extremely seriously”
*Now*. We take the security of our customer data extremely seriously *now*.
“The vast majority of customers were not affected”
As luck would have it the hackers didn’t find the Excel spreadsheet in the CEO’s inbox that has most of our customer data on it.
“This afternoon we became aware that some of our systems had been compromised”
There’s a giant flaming skull on our home page.
“The attack had all the hallmarks of a state-sponsored attack”
They sent us emails. DEAR GOD, THEY KNEW OUR NAMES!
“Forensic analysis has concluded that some customers may have been affected”
You’re on Pastebin.
“We’ve called the malware StealthOverlord3000”
The marketing team are in shock and we don’t know how to make them stop.
“As soon as we discovered the attack we immediately began working to close the security vulnerability”
It’s amazing, that really exasperated guy in IT who looks like he pulled his own hair out knew where to start straight away.
“We have been fully cooperating with the FBI’s investigation”
…it’s almost like they knew our passwords already.
“We have retained one of the world’s leading cybersecurity firms to assist us in our investigation”
A week ago we couldn’t afford an EV SSL certificate, now it’s raining money!
“We are sorry”
You guys reacted really, really, badly to the first three statements we put out.
Creating a culture of cybersecurity at work means being honest and up front about cybersecurity with colleagues and customers alike, no matter what.
Sophos’s own IT Security Manager, Ross McKerchar, has 6 tips on how to successfully create that culture.
Image of shocked businessman courtesy of Shutterstock.com.
4caster
“You remember that $100 subscription you paid a few months ago for our exclusive Global Intelligence? Well, until we get our website security sorted out, we’re going to give everyone else that intelligence for free. In the meantime, please change your password.”
(to paraphrase Stratfor a few months ago)
Damon Schultz
“The vast majority of customers were not affected”
We think you should take comfort from the fact that while your confidential account details are now being sold on the black market, plenty of our other customers aren’t affected. So why be so upset?
Ace Hoffman (@AceHoffman)
“Only a small portion of our data was released.”
We’ve been keeping records on you for years, even expired cc #s. Only the current (most useful) information got out.
Adam
Mark, these “What You Sound Like” articles are great.
Please make more of them if/when you have the ideas for more.
Toby
“No confidential data was affected.”
Our Ts & Cs make it clear that if you hand your data to us, we don’t consider it to be confidential.
Khürt Williams
“No confidential data was affected.”
All that information was already leaked in the XYZ Corp data breach from a few weeks ago.