UPDATED 02:20 EDT / OCTOBER 20 2015

What’s the best way to disclose a data breach? Atlassian’s Daniel Grzelak shares his thoughts

What’s the best way for a startup or enterprise to disclose a data breach?

It’s sadly a question more and more companies are faced with in 2015, as various bad actors, some even state sponsored, break into more and more user databases for reasons ranging from the pure thrill of doing so, through theft for profit, to obtaining company secrets.

There are various ways of doing it, as we’ve seen recently here at SiliconANGLE with Purse.io, which not only denied the theft of Bitcoins from its service but demanded, via email, that our coverage be taken down because it was false and defamatory, only to later disclose to another site that Bitcoins had indeed been stolen. At the end of the day, honesty upfront is arguably the best policy.

Software-as-a-service (SaaS) startup (soon to IPO) Atlassian Pty. Ltd.’s head of security intelligence Daniel Grzelak spoke on this very issue at the Australian Information Security Association (AISA) conference in Melbourne last week, where he made the salient points that in the immediate aftermath of a security breach, companies should ensure they “don’t use weasel words” and should have in place strong internal communications and clearly defined staff guidelines.

Grzelak isn’t without experience of the issue, Atlassian itself having been hacked in April 2010.

“Customers want regular communications, they want you to be upfront, they want you to be honest and they’ll be positive if they perceive a company to be doing the right thing by them,” Grzelak told the audience. “Companies that did the right thing got positive media coverage, the companies that tried to hide things didn’t.”

On a partial or incomplete release of information about a breach, Grzelak makes the point that you don’t want to be in that position, saying: “What happens when you don’t provide complete information is people will fill in the blanks…people will take one piece of information and extrapolate a whole range of information that may or may not be true – and that may not work out well for you.”

Be prepared

Grzelak argues that, however much they hope it will never happen to them, companies should have procedures in place to deal with a data breach, and the first step in that process is internal communication, so that everyone knows what is happening.

“When an account was compromised, our security team contacted a customer and said ‘it appears someone has accessed your account using your login credentials that wasn’t you. You should probably reset your password’…the customer got that email and said ‘this looks like a phishing email, it doesn’t look legit. Maybe I should reach out to support.’”

“So they reached out to support, and they asked ‘is this legitimate?’ And because there was no connection between the security team and the support analyst, the support analyst came back with ‘you’re right, that doesn’t look legit, you should just ignore it’.”

Centralized coordination is another consideration: “The important thing is you need to get a team lead involved for each of [your main staff] groups, so there’s only one person who makes the final decision for all the things that need to go out…If you don’t do this, I guarantee you’ll run into problems. If multiple people all make decisions about different things, it just gets crazy and it leads to poor decisions.”

Disclosure

Disclosure comes in different forms, with Grzelak stating that, at the very least, a blog post should be the starting point.

“Blog posts allow you to do updates, which is important. Because as you find out more information or as the situation changes, as customers ask you questions and as the press asks you questions, you want to update,” Grzelak said, while noting that press releases play only a limited role: “Whereas a press release is a one-off thing. You only get to do it once, and you better get it right, because that’s what’s going to be quoted everywhere.”

One alternative he suggested is a dedicated disclosure site: “Having a specific disclosure website has a lot of real benefits. For example, the SEO is not attached to your main corporate website, so if people search for the breach, they won’t be pointed to your main website…in the future once your customers and partners have all the information they need, you can kick the website off the internet and it’s no longer attached to your brand.”

How best to handle a situation like this remains an open question for startups and enterprises alike, but Grzelak’s advice to have a plan in place before a data breach occurs is, at the very least, sound.

Image credit: doctordray/Flickr/CC by 2.0
