The latest numbers on the Okta data breach are in, and the company’s market cap decline amounts to roughly two billion dollars. Depending on the customers’ reactions and further revelations about the incident, the share price may decline even further.
As with so many incidents, the case offers vital lessons for management when constructing incident response plans, building security-focused cultures, and handling customer communications. It is also a strong reminder that boards need to extend their oversight into cybersecurity. Otherwise, companies risk similar financial repercussions. Let us look at three areas where management should lead the charge and boards should increase their oversight.
A Security-Focused Culture
One of the most damning accusations in the saga is the dismissive response by the support team. When a customer tells you about an incident, the most dangerous reaction is to blow them off. If they are correct, you dismissed a valid lead and will delay the response. If they are wrong, they will still feel undervalued and ignored. And in any case, you don’t yet know whether they are wrong. Thus, the only safe assumption is that there is a problem.
Yet, the culture wasn’t security-focused. Thus, the reaction was, “It is just another customer complaint.” Consequently, the complaints were blown off, and Okta’s response proved inadequate.
Unfortunately, many companies would have reacted in the same way. Cybersecurity isn’t a priority in many organizations, and a security-first mindset needs time to cultivate.
As with so many changes, gamification is a great way to get started in security. 1Password, for example, gives an “Eyes of the Month” award to reward people who have spotted an issue and decided to speak up.
Practically applicable training and solid examples are another way to change the culture.
Incident Response and Risk Oversight
The second lesson learned should be the importance of risk oversight. Even in technology companies, cybersecurity risks are often significantly undervalued. Few people would have imagined that an incident in an auxiliary system could lead to a loss of 2 billion dollars in market cap.
Yet, for most companies, the entire IT estate is an auxiliary system, only there to support the core business functions. Thus, management and boards often judge the risk based on the impact an outage or incident can have on the core business.
Yet, this practice ignores the data contained within the IT systems. Address data and unsanitized customer data are a risk to any organization. Management must see them as such in assessment, and boards cannot ignore them in their oversight.
Communication after an Incident
Every company wants to maintain customer trust after an incident. To do so, it is essential to communicate what has happened, who was affected, and what mitigation steps each party must take. However, these strategies are hard to develop under the pressure of an ongoing incident. Staff might wonder whether they have enough information for another update, whether regulators need to be informed, or whether the scale requires a notification to the shareholders.
Getting these questions out of the way before the incident unfolds is crucial to ease the decision-making. Yet, the process doesn’t just have to be defined. Management needs to practice these in tabletop exercises. Walking real-life scenarios and incidents from within your industry through your plans helps show the gaps in your plan and where to improve your communication and collaboration strategies. If nothing else, they give everyone the confidence to say: “We prepared for this!”
The Next Incident Is Coming
No matter how secure the software seems, there will always be another incident. Whether it is users with insecure passwords, shared session tokens, or a plain security hole, modern IT can hardly keep up with the changing threat landscape.
Being prepared, having a security culture, and judging risk accordingly can help turn an incident from a crisis into a lessons-learned presentation. The last thing anyone should do is say, “It will never happen to us.”