How data breaches are discovered

Breaches should be detected internally, but this isn't always the case

by Charles Cooper

While breach notification laws vary by state, there is general agreement among organizations that they ought to notify consumers, regulators and other affected parties as soon as they discover a breach.

But what happens when those other stakeholders are the ones who notify you with the first news of the breach?

In December 2016, Yahoo disclosed that a 2013 hack had compromised more than 1 billion accounts. The incident was noteworthy in part because Yahoo’s original tip came from law enforcement, which provided data files that the company analyzed to reach its conclusions.

The Yahoo case is part of a broader pattern. Since 2005, the share of breaches first discovered by law enforcement or other third parties, rather than by the victim organization itself, has risen steadily.

Surveys indicate that a majority of breach victims lack either the internal systems or the managed security services that would let them detect a breach on their own. That is a harbinger of trouble, considering how many organizations now connect their networks to those of partners, customers and suppliers, each of which is a potential path in for an attacker.

In theory, an organization's own IT and security systems should detect any breach; in practice, that is rarely the case.

AT&T surveyed global executives for one of its Cybersecurity Insights reports on breach notification and found that employees, law enforcement agencies, customers and service providers are frequently the first to detect the problem. Here is the breakdown (the figures total more than 100% because respondents could name more than one source):

  • Employees: 50%
  • Law enforcement: 25%
  • Customers: 21%
  • Service providers: 19%

Avoiding a countdown to the next crisis

Public perception can make or break a corporate reputation, especially when it comes to how well a company protects confidential information. The longer it takes an organization to discover a breach, the more time an attacker has to find and exfiltrate its sensitive data.

When a third party goes public with evidence of a security failing, it is up to management to mobilize quickly, recapture the narrative and minimize the damage to the brand.

If someone from the outside is calling to notify the organization of a breach, it likely means attackers have already stolen or otherwise compromised confidential data. The answer is to have a well-rehearsed, nimble incident response plan and to put it into practice immediately.

As soon as the breach is confirmed, IT needs to find out both the cause and extent of the damage. At the same time, recovery efforts should involve communications with all the relevant stakeholders, including legal and regulatory bodies.

The organization needs to reach out to its customers rapidly, explain what happened and tell them what they now need to do. If the company was at fault, it should say so plainly and accept responsibility.

In the end, the potential public reaction to a security incident will hinge on how well management responds to the crisis. If the top echelon can demonstrate that it’s taking effective steps, it can minimize the damage to its company, customers and employees.

For more information on data breaches and cybersecurity, visit the AT&T Cybersecurity Services page.