Once the reporting process is determined, corporations must develop best practices, which will differ by company.
"The nature of the business, the corporate culture, and industry compliance regulations will determine how each business responds to a massive data breach," noted Stewart.
Making It Real
The plans then have to be tested. IT has to create a plausible flaw and then have the cyber-crisis management team quickly shift into response mode. "Sometimes, it is obvious to the participations that a drill is a drill, rather than a real breach," said Blum.
The days of keeping news of a security hole tucked inside the corporate walls are over. Nowadays, too many information outlets exist, so the bad news has to be shared. Typically marketing and public relations handle interactions with the public.
Again, being proactive smooths out an often bumpy road.
[What lessons are there from the OPM breach? InformationWeek asks here.]
Corporations must account for the dynamic process of identifying and publicizing the leak. "If you report a breach that has 100,000 records, and two days later you say 2 million records were impacted, your credibility will take a hit," said Stewart.
But the desire to report accurately may be offset by compliance regulations that require companies to make the breach known ASAP. "To truly be prepared, companies need to get everyone around the table (legal, compliance, IT, and marketing), talk through possible scenarios, develop best practices, and test them," Blum explained.
Even so, few corporations have developed cyber-crisis management teams and best practices.
"We are seeing a slow but growing awareness among CIOs that a new approach is needed to dealing with massive breaches," said Stewart. The process starts with the CIO recognizing the need for handling massive breaches in their own way and then putting the response pieces in place.