
You’re fast asleep in bed when your mobile rings. You wake up and look at the clock: it’s 4.30 am. Who is calling at this time?

You look at your phone and see it’s Ian from work, your head of IT security. Why is he calling?

You blearily answer your phone to the urgent voice of your colleague. Something is not right; something bad has happened. He tells you your company has been the victim of a data breach and all of your customers’ sensitive information has been stolen.

You feel the blood draining from your head while your hands and legs start to shake. How could this happen? Especially on a day like today, when three of your biggest investors are going to sit in your office in just a few hours to discuss funding?

Your mind then starts to drift back to a conversation you had with Ian just a few months ago…

He was asking for more security budget and saying you were gambling with the safety of your data, as you didn’t have the protection in place to defend against attackers. At the time you said he was talking nonsense. No one would go after us; we’re too small and too unknown. Cybercriminals go for the big players like Amazon and Facebook. We currently have a 100-person headcount; no cybercriminal would waste their time hacking us.

Clearly, you were wrong.

When you get into the office that day, your mind is made up. Hold the meeting with the investors and say nothing. Get the deals signed, deny having any knowledge of the breach, and tell Ian to do the same. Surely the techies you employ can get the data back before any real damage is done. You can pay them extra to keep quiet.

Deny everything. It’s definitely the safest and easiest option.

But here you were wrong again.

The next day you are at your desk when your phone rings. It’s a reporter from the BBC. They have heard your company has suffered a data breach. In a panic you tell the journalist that it is a lie and not to call again. You have never been breached.

The next day a reporter from the Sun calls asking about the breach. Once again you deny it and put it all down to competitor propaganda.

It’s only later that day, when you log onto the Sun’s website, that you realise it was all a trick. The reporter already knew the data breach had happened, so your denying it only made things worse.

The next call to come in is from the investors: they’ve had a rethink, and they’re pulling out.

The next call is from law enforcement: they have received concerned calls from your customers, who say they have been impacted by a data breach on your systems.

At that point, you realise just how foolish denying the breach had been.

The truth always comes out, and denying things just made everything much worse.

Lessons learned:

  1. Never deny a breach has happened if you know it has.
  2. Be transparent. The companies that are transparent about security incidents always come out strongest.
  3. Get a policy in place so you have a clear procedure to handle breaches.
  4. Never gamble with cybersecurity. It’s not worth it.
  5. Don’t lie to investors about security incidents; they value transparency too.
  6. Never pay anyone to cover up a breach. It will always backfire.
  7. If your security team says your data is at risk, act upon the warning, don’t ignore it.
  8. When breaches happen, investigate them and clearly communicate with impacted parties so they can take steps to protect themselves.
