Wondering how to tell the world you've been hacked? Here's a handy guide from infosec academics

Infosec boffins at the University of Kent have developed a "comprehensive playbook" for companies who, having suffered a computer security breach, want to know how to shrug off the public consequences and pretend everything's fine. In a new paper titled "A framework for effective corporate communication after cyber security …

  1. Mike 137

    Not really what the GDPR intended

    'a "comprehensive playbook" for companies who, having suffered a data breach, want to know how to shrug off the public consequences and pretend everything's fine'

    I recently had a discussion about infosec with a European data protection lawyer, and the final question he asked was "how would you help your client avoid reporting a data breach to the regulator?" My answer ("I won't. My job is to minimise the chance of it happening in the first place") effectively terminated the conversation.

    The "get out of jail free" approach is one hundred per cent contrary to the obligations imposed by the GDPR, which is there primarily to prevent data breaches happening in the first place, but also to mandate transparency, even when they do. A fundamental principle of the legislation is that openness to data subjects is an inescapable obligation (even while there's no data breach).

    Obviously you don't want to do a Dido and put your foot in your mouth as at Talk Talk, but it's perfectly possible to be honest with the press without exposing too much, and particularly without trying to evade responsibility. It should be recognised that attempts to minimise or conceal a breach are typically pretty obvious and are likely to be taken into account by regulators when setting penalties.

    Despite which, the ominous words "We take your privacy seriously" still prevail.

    1. Anonymous Coward

      Semantics..

      "I would help my clients by helping them prevent a breach that requires disclosure" is pretty much the only right answer though. Unfortunately it's still the path less traveled, as the payoff for beating the regulators exceeds the perceived risk to chronic short-term thinkers (aka management).

      Hopefully we can all be in a place where we are not literally hungry enough to go down that rabbit hole if we find ourselves in a similar situation. Especially since the interviewer was framing you up as the scapegoat if things went sideways and the regulators noticed.

    2. Anonymous Coward

      Re: Obviously you don't want to do a Dido

      well, if you do a Dido, Hancoco or Greylingo, or whatever the UK Technology Titans did, do or dido, either way you still dido up and forwards.

  2. Chairman of the Bored

    How to report a breach?

    Maybe with a haiku?

    Crypto moves softly

    Ripples across NAS

    Come dawn we are fscked

    1. Psmo

      Re: How to report a breach?

      Storage policy

      Was found to be quite wanting

      Please change your password.

    2. Psmo

      Re: How to report a breach?

      Email protections

      Have proven insufficient.

      Outlook not so good.

      1. Chairman of the Bored

        Re: How to report a breach?

        @Psmo, I think I will steal your excellent suggestions if/when I have the need. One more came to mind:

        Quietly hidden

        Label under mouse pad lurks

        User password bliss

  3. Anonymous Coward

    "A framework for effective corporate communication after cyber security incidents,"

    or: How I Learned to Stop Worrying and Look Good In Shit Because Good Looks Is Everything That Counts (on Social Media)

  4. Mongrel

    The framework does, however, advise execs to ask themselves "are you really taking security seriously?"

    The follow-on question should be "Does the IT team/Infosec team agree?"

  5. Anonymous Coward

    During -- Not After?

    Title (in part): "Wondering how to tell the world you've been hacked?"

    *

    A MUCH better question would be "Am I being hacked right now -- and don't know it yet!?"

    *

    I seem to recall that the data baddies were in some places for MONTHS before the hack was found (Equifax comes to mind).

    *

    Perhaps the university bods should worry about "finding hacks quickly" -- rather than worrying about the "after the fact" stuff!!!

    *

    Just saying!!

  6. sitta_europea

    The paper can be downloaded here too:

    https://arxiv.org/abs/2009.09210

    and in a prettier format but a much bigger PDF file:

    https://www.sciencedirect.com/science/article/pii/S0167404820303096

  7. JCitizen

    I'm beginning to think...

    The ONLY way you are going to get corporations to FINALLY start paying attention to security, is to do just what OSHA did, and start putting executives in jail for malfeasance or just plain criminal negligence. It snapped the whip on how companies took worker safety seriously, and finally started making a difference in worker injury and death incidents. I remember one company sold out to another just because of an OSHA investigation, and the first thing the incumbent CEO faced after the buy out, was a Federal marshal coming into the office to take him to jail! It turns out the consequences follow through to the new company. Talk about a shock! I thought it was funny as hell myself. They all deserved it!!
