Beyond Cybersecurity Technology: Tips for Preventing and Dealing With Data Breaches

Security Researchers and Breach Notifications

How a company responds to a breach notification is just as important as how it tries to prevent breaches in the first place. A screaming headline about millions of records being exposed is almost never how a company learns about its problem. Often, notification comes from a well-intentioned security researcher, or “ethical hacker,” who has discovered the vulnerability and is working in a lawful manner to inform the company in the hopes the vulnerability will be quickly closed.

For example, Google’s Project Zero, a team of security analysts focused on finding zero-day vulnerabilities, has a 90-day disclosure policy. Once Project Zero notifies a company of a vulnerability, that organization has up to 90 days to fix the problem before Project Zero goes public. The idea is that it is far better for the company to be able to say the problem has already been fixed when the problem is disclosed, than for people to see a headline that it has ignored the problem for 90 days and it still exists.

When a notification comes in from a security researcher or other source, the company may have the opportunity to act quickly before any real damage is done. The company should accept the report, ask the researcher for any additional details or other evidence of the vulnerability, and work with the researcher to bring the breach under control and limit the exposure. If there is evidence that sensitive information was accessed, the company should also consult with its legal or compliance department to follow proper disclosure guidelines.

Unfortunately, many companies respond to this type of breach notification by ignoring it or getting angry. Sometimes a company requests an NDA in an effort to prevent the research from going public and turns to company lawyers in hopes of avoiding any public airing of the breach.

This is usually the worst reaction a company can have. Breaches typically become public anyway—sometimes thanks to a frustrated researcher going public out of desperation—resulting in more damage to the brand than if the company simply owned up to the breach in the first place.

Also consider that security researchers who reach out to a company are most likely acting in good faith. Otherwise, they would have taken the exposed data and used it for a nefarious and profitable purpose. It is far better to appreciate the efforts of these good-faith security researchers—sometimes all they want is a modest “thank you” in the form of swag or other simple acknowledgement—and to work with them to resolve the issue and follow any necessary disclosure guidelines.

And rather than sitting back and hoping they never receive a breach notification—or ignoring the problem altogether—companies have the option to proactively mitigate the risk of data breaches by running a bug-bounty program through a platform such as Bugcrowd, HackerOne or Open Bug Bounty, or by hiring a security consultant, such as Rapid7, The Phobos Group, or others.

Companies that want to successfully defend themselves against data breaches should go beyond cybersecurity technologies. They must reduce the potential for human error and know how to react when something goes wrong. They must also embrace the security research community and engage in cybersecurity training across the organization to ensure the following:

  • Developers know how to secure the technology stack they are using.
  • Employees understand how to safely handle data.
  • Executives and the legal team are familiar with deadlines related to breach notification, as well as any regional, state, federal, or international regulatory requirements, including evolving privacy regulations such as GDPR and CCPA.

The organization must also have an incident response plan in place and regularly run tabletop exercises to test the response process, evaluate its effectiveness, and continually improve it. A security expert should also be added to the staff or at least be easily available for consulting. While no security strategy can ever promise to be 100% effective, given the ever-increasing cybersecurity threats, not taking these steps to protect the organization will almost certainly lead to disaster.
