Often times it’s not the fact that your business has been hacked that will lose your customers’ confidence, but the way your company responds.
When a company suffers an attack (presuming it notices at all), it can take several courses of action.
1. Pretend it never happened. Don’t tell your customers, and hope no-one ever finds out.
It’s tempting to try to sweep the incident under the carpet, especially if you believe that sensitive customer data may not have been exposed.
But this approach is going to be disastrous for your reputation if the truth eventually leaks out, or it is later determined that the hack was more serious than you initially thought. Not to mention that the authorities may take a dim view if you didn’t report an incident which could have put customers’ private information at risk.
2. Put out a bland “security advisory” statement hidden away on a remote corner of your website, explaining how you take security very seriously.
Inevitably you will throw in words like APT and include vague murmurings from security specialists you have helicoptered in that the threat appears to have been “highly sophisticated” and probably the work of a hacking gang supported by a devious foreign government.
3. Admit, yeah, we got hacked. But it wasn’t that bad and we don’t believe customers or partners are affected.
That final option is the approach taken by Russian anti-virus outfit Kaspersky, who claimed yesterday that some of their internal systems had been compromised by malware.
— Eugene Kaspersky (@e_kaspersky) June 10, 2015
That’s an uncomfortable admission for any anti-virus company, and there may well have been meetings inside Kaspersky where the risks of “going public” about a hack were debated.
But, to its credit, Kaspersky determined the best approach was to not only admit that it had been hacked, but also to provide extensive information on the malware (dubbed Duqu 2.0, it can be considered the son of the son of Stuxnet) that they found attempting to exfiltrate information from their servers.
And the anti-virus company realised that the public’s opinion of the incident would be coloured strongly by the media – and with that in mind it co-ordinated blog posts by founder Eugene Kaspersky on his own site and Forbes, live-streamed press conferences in London, and detailed technical analyses of the malware by its team of experts.
In short, it handled what could have been a corporate crisis well – and reassured customers and partners that their data was safe, and the integrity of its security products had not been compromised.
It also rose above the commonly-seen tactic of publicly blaming specific countries for an attack, even though everyone in the computer security business knows that reliable attribution is a minefield. Nonetheless, Eugene Kaspersky seems certain that a nation state was responsible for the hack:
“Governments attacking IT security companies is simply outrageous. We’re supposed to be on the same side as responsible nations, sharing the common goal of a safe and secure cyberworld. We share our knowledge to fight cybercrime and help investigations become more effective. There are many things we do together to make this cyberworld a better place. But now we see some members of this ‘community’ paying no respect to laws, professional ethics or common sense.”
Kaspersky isn’t the first anti-virus company to have suffered at the hands of hackers, and it certainly won’t be the last.
And it shows that even the most security-conscious organisations can fall victim to determined hackers.
The truth is that most companies have probably been hacked to some extent or another – although most of the time they won’t have been specifically targeted like Kaspersky probably was.
What’s important is for companies to consider testing their own defences, and put effort into hacking themselves, finding vulnerabilities and weaknesses *before* the bad guys strike.