During a breach, how much information should be given out?

Ask the Expert

During a breach, how much information should be given out?

During the immediate aftermath of a security breach, how much information am I required to give to other people working in the company? As a security professional, do I just need to let them know how business operations will be affected, or should I let them know details of the breach so they know what might have been compromised and where to be careful?

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Safe Harbor

When thinking about incident response, communication is critical. Organizations need to think about communication in two phases. The first phase takes place during the incident; say as little as possible because it may be unclear who is responsible, and giving away too much could impede a possible investigation. Send out a blanket statement saying there has been a security breach, it's under investigation and the company will have an official statement as quickly as possible. The people that are directly affected need to understand how and what they should be doing, but until the storm blows past, keep a tight lid on information.

In the aftermath of a security incident, it's wise for organizations to do a formal post-mortem. This is the second phase of communication. Employees need to understand what happened, who was responsible and, most importantly, what new processes and/or controls should be implemented to make sure it doesn't happen again. A big part of these lessons learned is to communicate to the staff at large.

Don't point fingers or make an example of anyone, but do use the security incident as an internal case study; it's a great example of how to leverage something current and timely to educate employees. Alternatively, consider using another company's breach as an educational device. Of course, that won't be as timely or effective, but at least it won't be coming on the heels of the company's own breach.

More information:

This was first published in May 2008