The golden rule of breach announcements
US businesses are increasingly aware of the threat cyberattacks can pose not just to their networks and customers but to their reputations if they mishandle the announcement and the response. Siobhan Gorman of Brunswick Group, a global communications consultancy company, points to a "golden rule" for companies to avoid egg on their faces as they disclose they've been hacked to media and the public.
"The golden rule is: Never disclose numbers at the outset unless you would stake your job on it," Ms. Gorman told Passcode and New America on the latest edition of The Cybersecurity Podcast. "Wait until the information is at a point where you're really confident in those numbers. Not because it's good to withhold information, but you need to be conscious of the limits you have at the outset." Forensic investigations often reveal hacks are more widespread than they first appear. Take Target as an example. The company first said payment information of 40 million people was stolen in December 2013. Weeks later, it said as many as 110 million people were affected. "They changed their own narrative... to one of mismanagement," says Gorman.
The Office of Personnel Management joined The Cybersecurity Hall of Shame this year, breaking Gorman's golden rule when it announced 4 million people's records were potentially compromised – then later clarifying it could be more than 20 million. Soon after, OPM chief Katherine Archuleta resigned. Listen here. // Sara Sorcher
Podcast: Bug bounties, stunt hacks and golden rules of breach disclosures
HackerOne's Katie Moussouris and Brunswick Group's Siobhan Gorman join the latest episode of The Cybersecurity Podcast. Download episodes on iTunes. //Sara Sorcher
Researchers: We can crack a smart safe in less than 60 seconds
Bishop Fox researcher Dan Petro and senior security associate Oscar Salazar plan to demonstrate how an attacker can break into the CompuSafe Galileo next week at the Def Con security conference. // Malena Carollo
Commerce Department will release another draft of proposed Wassenaar changes
After many security companies and researchers lambasted the US Commerce Department's proposed changes to the Wassenaar Arrangement, the Bureau of Industry and Security is preparing to release another round of proposals aimed at limiting the sale of spyware, especially to oppressive regimes. The security industry had submitted formal comments explaining how the overly broad rules that classified certain cybersecurity technology as weapons could hinder legitimate analysis of computer security weaknesses.
So the US is considering those comments and trying again, Commerce Department Deputy Secretary Bruce Andrews said, insisting there will be an opportunity for another round of comments after the next draft is released. "It is our goal to try to accommodate both industry but also protect against bad behavior," Mr. Andrews said on the Steptoe Cyberlaw podcast. // Steptoe & Johnson LLP
CISA likely to be postponed
The Cybersecurity Information Sharing Act, which is meant to increase cyberthreat sharing between the US government and private sector, isn’t likely to see any action in the Senate before members go on recess next month. // Politico