Wondering how to tell the world you've been hacked? Here's a handy guide from infosec academics

Infosec boffins at the University of Kent have developed a "comprehensive playbook" for companies who, having suffered a data breach, want to know how to shrug off the public consequences and pretend everything's fine.


In a new paper titled "A framework for effective corporate communication after cyber security incidents," Kent's Dr Jason Nurse, along with Richard Knight of the University of Warwick, devised a framework for companies figuring out how to publicly respond to data breaches and similar incidents where servers are breached and customer data ends up in the hands of criminals.


Those hoping the paper will give them a set of tools with which to mug off journalists and others asking pointed questions about a breach will be disappointed, however: "With incidents involving an unintentional exposure of data, typically the organisation (via its employees or stakeholders) is indisputably at fault and thus cannot reassign blame away from itself or act as a victim."


Published in the Computers and Security journal, the academics' paper draws on previous well-known data breaches and security incidents such as the Ticketmaster hack before devising a flowchart for execs and their PR flunkeys alike to follow when bad things happen.


It also quotes from infosec personalities such as Troy Hunt, Brian Krebs, and Graham Cluley.


The flowchart and process do not advise the use of phrases such as "we take security very seriously," Nurse confirmed to The Register. That phrase has become a standing joke (read the replies to that tweet) within the infosec world whenever a company has suffered a data or security breach affecting individual ..
