Kaspersky Incident Communications
Quote:
[Image: Kaspersky-speaking.jpg]

I remember that day like it was yesterday: Our CEO called me into his office, asking me to leave my smartphone and laptop at my desk.

“We’ve been hacked,” he said bluntly. “The investigation is still ongoing, but we can confirm that we have an active, extremely sophisticated, nation-state sponsored attacker inside our perimeter.”

To be honest, this wasn’t totally unexpected. Our specialists had been dealing with our clients’ security breaches for quite a while already, and as a security company, we were a particular target. Yet, it was an unpleasant surprise: Someone had penetrated an information security company’s cyberdefenses. You can read about it here. Today, I want to talk about one of the key questions that arose immediately: “How do we communicate about it?”

Five stages of learning to live with it: Denial, anger, bargaining, depression, and acceptance

As it happened, pre-GDPR, every organization actually had a choice — whether to communicate publicly or deny an incident had even occurred. The latter wasn’t an option for Kaspersky, a transparent cybersecurity company that promotes responsible disclosure. We had consensus throughout the C-suite and started preparing for the public announcement. Full steam ahead.

It was the right thing to do, too, particularly as we watched the widening geopolitical rift and saw clearly that the mighty powers behind the cyberattack would definitely use the breach against us — the only unknown elements were how and when. By proactively communicating the breach, we not only deprived them of this opportunity, but we also used the case in our favor.

They say there are two types of organizations — those that have been hacked and those that don’t even know they were hacked. In this realm, the paradigm is simple: A company shouldn’t hide a breach. The only shame is in keeping a breach from the public and thus threatening customers’ and partners’ cybersecurity.

Back to our case. Once we established the involved parties — legal and information security teams versus communications, sales, marketing, and technical support — we began the tedious work of preparing the official messaging and Q&A. We did that simultaneously with the ongoing investigation by Kaspersky’s GReAT (Global Research and Analysis Team) experts; involved team members conducted all communications over encrypted channels to exclude the possibility of compromising the investigation. Only when we had most of the A’s covered in the Q&A doc did we feel ready to come out.

As a result, various media outlets published almost 2,000 pieces based on a news break we initiated ourselves. Most (95%) were neutral, and we saw a remarkably small amount of negative coverage (less than 3%). The balance of coverage is understandable; the media had learned the story from us, our partners, and other security researchers all working with the right information. I don’t have the exact stats, but from the way the media reacted to the story of a ransomware attack against Norwegian aluminum giant Hydro earlier this year, it seems the handling of those news stories was suboptimal. The moral of the story is, never keep skeletons in the closet.
...