People
As cyber consultants, we often say that breaches are inevitable, it's not if but when, and that having pre-written and tested plans will help to mitigate the impact to your business, including reputationally.
The number of breaches is on the rise and it is likely that most people's data has been breached in some way through online shopping and other services, where email addresses and possibly more have been made available publicly. Thanks to brilliant sites such as https://haveibeenpwned.com/ from Troy Hunt, it's easy to see whether your data has been made available by hackers.
I think most consumers understand that breaches are the result of criminal activity, and that the companies affected are the victims of crime as well as the individuals.
Without doubt, the companies have a duty of care to protect our data and should be held responsible. As a consumer it is hard to judge how seriously an organisation will take a breach until something bad happens - certifications and standards are a start, but they don't tell us much. The way an organisation responds in real time - when and how they disclose and how they explain it - is what really matters.
An honest, early, straight forward disclosure, using plain and simple language offers insight into how companies view and manage security. If they warn you of something that might impact you and your company rather than having to tell you after something does, it provides a useful insight into the ethics of the organisation. It gives me some comfort that they will communicate transparently with me and not hide other issues.
This recent disclosure by LastPass is a prime example of this. It is clear and simple (you don't need to be technically-minded to understand). It is up-front, listing and responding to the most common questions asked. It may be a well-considered and I suspect well-rehearsed response to incidents, but nonetheless it is something we can all learn from.
https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/
