
Gone Phishing: Understanding Different Phishing Types and How to Protect Yourself

Phishing attacks have become an epidemic. Approximately 3.4 billion phishing emails are sent worldwide each day, making it the leading attack vector in 41% of all data breaches. And it’s not just e-mail—phishing has expanded to voice, text, social media, and even fake websites, targeting users across multiple platforms to steal sensitive information and compromise accounts.

The aim of a phishing scam is to steal your credentials, and it’s no wonder why—according to Verizon, 86% of data breaches in 2023 involved compromised credentials. And AI is making every variety of phishing easier than ever: it polishes the e-mails themselves, removing the tell-tale grammatical errors, and supplies fake voices for vishing calls, so the effectiveness of these scams is only increasing.

Below, we explore the different types of phishing and how they work, and then discuss how you can protect yourself from this ever-growing threat.

Classic Phishing Attacks

Classic phishing attacks typically involve deceitful emails designed to trick recipients into revealing personal information or clicking malicious links. These emails often mimic legitimate companies or organizations to gain the victim’s trust. Google intercepts around 100 million phishing emails daily, but that leaves quite a few still making it through. Telltale signs of a phishing e-mail are links that do not look right (perhaps a misspelled domain name like amazone.com, or extra words like amazon.customersupport.com), odd grammar, and a sense of urgency that seems out of place (“update info now or your account will be disabled!”).
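As an added illustration (not code from the original post), here is a small Python link checker that applies the two telltale signs above, a misspelled domain and a brand name pushed into a subdomain, to every link in a message. The allowlist, the suffix list and the sample e-mail are constructed for the example; a production checker would use the full Public Suffix List.

```python
"""Flag suspicious links in an e-mail body: lookalike domains such as
amazone.com and brand names buried in someone else's domain such as
amazon.customersupport.com.  Added example with a constructed allowlist."""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Constructed allowlist: registrable domains the brands legitimately link to.
TRUSTED_DOMAINS = {"amazon.com", "amazon.co.uk", "usps.com"}

# A few multi-label public suffixes, so "amazon.co.uk" counts as one domain.
# A real checker would use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """'www.amazon.co.uk' -> 'amazon.co.uk'; 'amazon.customersupport.com'
    -> 'customersupport.com' (the part a registrant actually owns)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit away from a brand is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> tuple[str, str]:
    """Return (verdict, reason). Verdicts: trusted, brand-in-subdomain,
    lookalike, unknown. Unknown is not safe, just not a known brand."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unknown", "no hostname"
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted", reg
    subdomain_labels = host.split(".")[: -len(reg.split("."))]
    reg_first = reg.split(".")[0]
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        # "amazon" appears, but only as a subdomain of a domain the brand does not own.
        if brand in subdomain_labels:
            return "brand-in-subdomain", f"{brand} is a subdomain of {reg}"
        # Same brand on another TLD, or one typo away (amazone, arnazon, ...).
        # Short brands (usps/ups) make this heuristic noisy: treat it as a flag, not proof.
        if edit_distance(reg_first, brand) <= 1:
            return "lookalike", f"{reg} resembles brand {brand}"
    return "unknown", reg


def scan_message(text: str) -> list[tuple[str, str]]:
    """Every URL in the message with its verdict, in order of appearance."""
    urls = [u.rstrip(").,;") for u in URL_RE.findall(text)]
    return [(url, classify_link(url)[0]) for url in urls]


# Constructed sample message mixing one genuine link with two phishing patterns.
SAMPLE_EMAIL = """Update info now or your account will be disabled!
Verify here: https://amazon.customersupport.com/verify
(Your real account page is https://www.amazon.com/ap/signin)
Track your package: http://amazone.com/track?id=123"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_EMAIL):
        print(f"{verdict:20} {url}")
```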

SMShing (or Smishing)

“You won a $1,000 gift card!” “USPS cannot deliver your package, click here to update your address!” “Unusual activity detected on your bank account!” Chances are, you’ve gotten a text message like that, which is an attempt at SMShing, or phishing via SMS. Like e-mails, they often contain an unusual sense of urgency and misplaced links, but the link shorteners commonly used in legitimate text messages make these harder to spot. Always go directly to the company’s website to confirm any message that asks you to do something, and remember that a US government entity like the USPS or IRS is not going to communicate with you solely via text.

If you’re in the US, did you know you can forward SMShing messages to the FTC? Send them to 7726 (which spells SPAM on your phone’s keypad) and it will help your wireless provider identify and block these messages in the future.

Vishing

Vishing (short for “voice phishing”) is a type of phishing attack that uses voice communication, typically phone calls, to deceive victims into revealing sensitive information, such as login credentials, financial details, or personal data.   A very common one in the US purports to be from the IRS, threatening penalties and jail time due to back taxes.  This one has been around for a while – a viral video from 2018 shows a police officer in Midland, Texas talking to a scammer who tells him to clear his back taxes by buying Apple gift cards or the police would be en route to arrest him within 45 minutes.    

Spear Phishing

Spear phishing is a refined and highly targeted form of phishing that requires more effort and research from the attacker. Unlike general phishing, which casts a wide net hoping to snare any unsuspecting victim, spear phishing focuses on specific individuals or organizations. Attackers gather detailed information about their targets to create highly convincing messages that appear legitimate and relevant.

These attackers often utilize information from social media profiles, company websites, and other publicly available sources to customize their approach. The crafted messages may reference recent activities, personal interests, or professional responsibilities, making them difficult to distinguish from genuine communications. This personalization increases the chances of the victim being deceived.

For instance, an attacker targeting an executive might send an email that appears to be from a trusted colleague or business partner. The message might discuss a recent meeting or project, encouraging the recipient to click on a link or download an attachment. Once the victim takes the bait, they could unknowingly download malware or reveal sensitive information, potentially compromising the entire organization.

Spear phishing is not limited to email. Attackers may also use phone calls, social media messages, or even physical mail to carry out their schemes. Given the targeted nature of these attacks, they can have severe consequences, including data breaches, financial loss, and reputational damage.

Recognizing and defending against spear phishing requires a keen eye and a proactive approach. Employees should be trained to scrutinize unexpected communications, even if they seem to come from known contacts. Encourage staff to verify the legitimacy of suspicious messages by contacting the sender through a different, trusted method.

In addition to awareness training, employing technical defenses can help mitigate the risk of spear phishing. Advanced email filters, multi-factor authentication, and robust cybersecurity protocols add layers of protection. By combining vigilance with technological safeguards, individuals and organizations can better protect themselves against the sophisticated tactics of spear phishers.

Whaling

A whaling attack is a highly targeted phishing attack aimed at high-level executives, such as CEOs, CFOs, or other senior leaders within an organization. The goal is to deceive these individuals into sharing sensitive information, transferring funds, or granting access to confidential systems.  Unlike the first two methods, these attacks are often carefully crafted to appear legit, banking on busy executives who may get careless with doing their due diligence.  In addition to the usual compromised credentials, they might also target intellectual property or strategic competitive intelligence (but they’re not above wire fraud, either!)

Clone Phishing

Clone phishing is a type of phishing attack in which a legitimate email or message that the victim has previously received is copied (“cloned”) and slightly altered by an attacker. The goal is to trick the recipient into believing the new, fraudulent message is a genuine follow-up or update.  

This might not seem different from regular phishing, but the key is that it appears to come from a trusted source. For instance, during the Okta breach, the targets were customers who had actually used Okta support recently. Since they might be expecting a message from Okta, the recipients might understandably not have been as vigilant as normal in spotting any irregularities.

Angler Phishing

Angler phishing is a type of social media phishing attack in which cybercriminals impersonate customer service accounts to deceive users into revealing sensitive information or downloading malware. The term “angler” comes from the way attackers “fish” for victims on social platforms. When you consider that messaging company accounts on Facebook and/or Twitter has become an established way to get better support than going through traditional channels like phone or e-mail, this type of attack targets users who are already frustrated (and thus perhaps more likely to be careless).

Reducing Phishing Risks with Passwordless Login

Transitioning to passwordless certificate-based authentication is a promising strategy to counter phishing attacks. This method uses certificates for authentication, eliminating the need for passwords altogether. This means attackers cannot steal passwords through phishing, significantly reducing the risks of compromise.

In addition to a higher level of security, passwordless authentication simplifies the login process for users. Instead of remembering complex passwords, authentication is handled through the secure exchange of cryptographic keys, where a digital certificate issued by a trusted authority verifies the user’s identity. This enhances security and improves the user experience, making it more convenient and efficient.

Organizations adopting passwordless authentication can benefit from reduced helpdesk calls related to password resets and improved compliance with security policies. This transition also aligns with modern security standards and best practices, positioning organizations ahead of evolving cyber threats.

Embracing passwordless authentication can fortify your defenses against phishing and other cyberattacks, paving the way for a more secure and user-friendly digital environment.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

What It Means for an Enterprise to Have Threat Intelligence

Cyber threats are evolving faster than a Marvel movie villain, leaving enterprises in a high-stakes game of survival. Robust threat intelligence isn’t just a competitive edge—it’s the shield that separates secure organizations from the next headline-grabbing breach. But what does “threat intelligence” actually mean in a practical sense, and how can organizations harness it effectively?

Threat intelligence refers to the process of gathering, analyzing, and acting upon information about potential or active cyber threats that could impact an organization. It’s not just about detecting threats but understanding the “who,” “what,” “why,” and “how” behind them. This intelligence enables businesses to stay ahead of malicious actors, minimize vulnerabilities, and strengthen their cybersecurity posture proactively.

Why Threat Intelligence Is Crucial for Enterprises

Threat intelligence isn’t just about reducing risk—it’s about operational resilience and strategic advantage. Here’s why enterprises need it:

  1. Proactive Defense: Understanding the tactics, techniques, and procedures (TTPs) of attackers helps organizations anticipate and thwart threats before they escalate.
  2. Incident Response: Real-time intelligence enables faster, more effective responses to cyber incidents, minimizing potential damage.
  3. Regulatory Compliance: Many regulations, such as GDPR, HIPAA, and others, require organizations to demonstrate they have proactive measures in place to protect sensitive data.
  4. Strategic Insights: Beyond IT, threat intelligence can inform broader business strategies, especially in industries where intellectual property theft or espionage is a concern.

However, effective threat intelligence requires the right combination of tools, technologies, and processes.

Key Cybersecurity Technologies Needed for Effective Threat Intelligence

Building a comprehensive threat intelligence program means leveraging cutting-edge technologies that can collect, analyze, and act on intelligence in real-time. Let’s explore some of the key technologies every enterprise should consider—and why Network Access Control (NAC) deserves a prominent spot in your arsenal.

1. Network Access Control (NAC): The Gatekeeper
  • Why It Matters: Imagine your enterprise network as a VIP lounge. NAC is the bouncer, ensuring only authorized and secure devices can enter. But it’s not just about access—it’s about dynamic access control based on real-time intelligence. Modern NAC solutions like Portnox do more than check credentials. They evaluate device health, compliance with security policies, and behavior, enabling Zero Trust enforcement. For instance, if a device connected to the network starts behaving suspiciously or becomes non-compliant with policy, NAC can immediately quarantine it, preventing lateral movement.
  • How It Integrates with Threat Intelligence: NAC serves as both a data source and enforcement mechanism for threat intelligence. It provides real-time visibility into every device on the network, including IoT and BYOD devices—often weak points in enterprise security. When combined with threat intelligence feeds, NAC can automatically block or isolate devices flagged as malicious, effectively preventing breaches before they spread.
2. Endpoint Detection and Response (EDR): Sherlock Holmes for Endpoints
  • Why It Matters: EDR tools are your digital detectives, continuously monitoring and analyzing endpoint activity to detect suspicious behavior. These tools provide detailed forensic data that can help identify the root cause of incidents and prevent future occurrences.
  • How It Integrates with Threat Intelligence: EDR platforms utilize threat intelligence to detect known indicators of compromise (IOCs), such as malicious files or IP addresses. They also feed back information to threat intelligence systems, enriching the overall knowledge base with new data on emerging threats.
3. Security Information and Event Management (SIEM): The Nerve Center
  • Why It Matters: SIEM systems collect, analyze, and correlate security event data from across the enterprise. Think of it as the command center where all logs and alerts converge, enabling centralized monitoring and response.
  • How It Integrates with Threat Intelligence: SIEM platforms are most effective when integrated with external and internal threat intelligence feeds. They can correlate logs and events with known threat signatures, flagging anomalies that might otherwise go unnoticed. Additionally, they provide historical data, allowing enterprises to determine whether a newly identified threat has previously impacted their systems.
4. Threat Intelligence Platforms (TIP): The Analyst’s Toolkit
  • Why It Matters: TIPs act as a hub for collecting, analyzing, and sharing threat intelligence data. They aggregate information from multiple sources—such as open-source feeds, commercial providers, and internal telemetry—and present it in an actionable format.
  • How It Integrates with Threat Intelligence: A TIP ensures that threat intelligence isn’t just raw data but actionable insights. It can automatically prioritize threats based on risk levels, enabling security teams to focus on what matters most. When integrated with NAC, SIEM, or EDR systems, TIPs can enable automated responses, such as blocking malicious domains or isolating compromised devices.
5. Cloud Access Security Brokers (CASB): The Cloud Watchdog
  • Why It Matters: With the shift to cloud-based applications, protecting sensitive data stored and transmitted in the cloud is a growing challenge. CASBs enforce security policies, monitor user activity, and detect anomalies across cloud environments.
  • How It Integrates with Threat Intelligence: CASBs leverage threat intelligence to identify and block malicious cloud activities, such as suspicious file uploads or unauthorized access attempts. They also provide visibility into shadow IT, a significant blind spot for many enterprises.
6. Deception Technology: Honeypots and Honeynets
  • Why It Matters: Deception tools create fake environments that lure attackers, allowing organizations to study their methods without risking actual systems. These tools provide invaluable intelligence on attack tactics and behavior.
  • How It Integrates with Threat Intelligence: Data collected through deception technology can enrich threat intelligence feeds, offering real-world insights into attacker methodologies. This information can then be used to strengthen defenses across the board, including NAC policies and endpoint security.
7. Artificial Intelligence and Machine Learning (AI/ML): The Smart Assistant
  • Why It Matters: The sheer volume of data generated by modern enterprises makes manual analysis impractical. AI/ML models can sift through this data to identify patterns, anomalies, and emerging threats.
  • How It Integrates with Threat Intelligence: AI/ML powers predictive analytics, enabling enterprises to anticipate attacks before they occur. It can also enhance existing tools like SIEMs and NAC systems by automating threat detection and response based on historical and real-time intelligence.
8. Vulnerability Management Tools: The Fixers
  • Why It Matters: Knowing your vulnerabilities is half the battle. Vulnerability management tools scan systems, applications, and networks for weaknesses, providing actionable insights on how to address them.
  • How It Integrates with Threat Intelligence: These tools can cross-reference vulnerabilities against threat intelligence data to prioritize remediation efforts based on the likelihood of exploitation. Combined with NAC, they can enforce access restrictions on vulnerable devices until they’re patched.

Building a Holistic Threat Intelligence Ecosystem

While each of these technologies plays a critical role, the real magic happens when they work together. Here’s how enterprises can create a unified threat intelligence ecosystem:

  1. Centralized Data Sharing: Use platforms like SIEM or TIPs to consolidate data from all sources, ensuring a single source of truth.
  2. Automation: Integrate systems to enable automated responses, such as NAC isolating a compromised device based on EDR alerts.
  3. Continuous Learning: Regularly update threat intelligence feeds and train AI/ML models with new data.
  4. Visibility and Control: Leverage tools like NAC and CASBs to maintain visibility and enforce security policies across all environments—on-premises, cloud, and hybrid.
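As an added example that is not part of the original article or any Portnox product, the following Python sketch shows steps 1 and 2 of that ecosystem in miniature: a constructed threat feed is correlated against constructed EDR, firewall and DNS log lines, and the worst matching risk per host becomes the NAC decision. Every indicator, host name and address is made up, and the isolate threshold is an assumed policy value.

```python
"""Correlate constructed EDR, firewall and DNS log lines against a constructed
threat-intelligence feed and decide which devices NAC should isolate.
Added example; every indicator, host name and address here is made up."""
from __future__ import annotations

import hashlib
import ipaddress
import json
from dataclasses import dataclass

# Constructed indicator feed, shaped like a TIP export. Risk is 0-100.
SAMPLE_HASH = hashlib.sha256(b"constructed sample dropper").hexdigest()
THREAT_FEED = [
    {"type": "sha256", "value": SAMPLE_HASH, "risk": 95, "tag": "dropper"},
    {"type": "cidr", "value": "198.51.100.0/24", "risk": 80, "tag": "c2-range"},
    {"type": "domain", "value": "malicious-cdn.example", "risk": 60, "tag": "staging"},
]
ISOLATE_THRESHOLD = 75  # assumed policy knob: at or above this risk, NAC quarantines the device

# Constructed JSON-lines events as a SIEM might receive them from EDR, firewall and DNS.
EVENT_LOG = """
{"ts": "2024-05-01T10:00:01Z", "source": "edr", "host": "lab-pc-07", "file_sha256": "SAMPLE_HASH"}
{"ts": "2024-05-01T10:00:05Z", "source": "firewall", "host": "lab-pc-07", "dst_ip": "198.51.100.23"}
{"ts": "2024-05-01T10:01:00Z", "source": "dns", "host": "lab-pc-12", "query": "updates.malicious-cdn.example."}
{"ts": "2024-05-01T10:02:00Z", "source": "firewall", "host": "lab-pc-30", "dst_ip": "192.0.2.10"}
not json at all -- a malformed line the pipeline must survive
""".replace("SAMPLE_HASH", SAMPLE_HASH)


@dataclass(frozen=True)
class Match:
    host: str
    indicator: str
    tag: str
    risk: int
    ts: str


def indicator_matches(ind: dict, event: dict) -> bool:
    """Exact hash, CIDR containment, or domain/parent-domain match."""
    kind, value = ind["type"], ind["value"].lower()
    if kind == "sha256":
        return event.get("file_sha256", "").lower() == value
    if kind == "cidr":
        ip = event.get("dst_ip")
        try:
            return bool(ip) and ipaddress.ip_address(ip) in ipaddress.ip_network(value)
        except ValueError:  # unparsable address in the event: no match, no crash
            return False
    if kind == "domain":
        query = event.get("query", "").lower().rstrip(".")
        return query == value or query.endswith("." + value)
    return False


def correlate(log_text: str, feed: list[dict]) -> list[Match]:
    """SIEM-style pass: every (event, indicator) pair that matches."""
    matches: list[Match] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of crashing the pipeline
        for ind in feed:
            if indicator_matches(ind, event):
                matches.append(Match(event.get("host", "unknown"), ind["value"],
                                     ind["tag"], ind["risk"], event.get("ts", "")))
    return matches


def nac_decisions(matches: list[Match], threshold: int = ISOLATE_THRESHOLD) -> dict[str, str]:
    """Per host, the worst indicator risk decides: 'isolate' at or above the
    threshold (NAC quarantine, which stops lateral movement), else 'investigate'."""
    worst: dict[str, int] = {}
    for m in matches:
        worst[m.host] = max(worst.get(m.host, 0), m.risk)
    return {host: ("isolate" if risk >= threshold else "investigate") for host, risk in worst.items()}


if __name__ == "__main__":
    hits = correlate(EVENT_LOG, THREAT_FEED)
    for m in hits:
        print(f"{m.ts} {m.host:10} risk={m.risk:3} {m.tag} ({m.indicator})")
    print(nac_decisions(hits))
```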

Securing the Future: Why Threat Intelligence Is Your Ultimate Cyber Defense

For enterprises, threat intelligence is more than a buzzword—it’s a lifeline in the ever-changing cybersecurity landscape. By leveraging technologies like NAC, EDR, SIEM, and others, organizations can move from a reactive to a proactive security posture. Network Access Control, in particular, stands out as a linchpin technology, bridging the gap between visibility and enforcement in the fight against cyber threats. With the right tools and a strategic approach, enterprises can not only defend against today’s threats but also stay one step ahead of tomorrow’s.

And remember, in cybersecurity, the best offense is a well-informed defense. So arm your enterprise with intelligence—it’s the smartest move you’ll ever make.


Responsible AI Adoption & How the CISO Can Champion

Artificial Intelligence (AI) is reshaping industries at an unprecedented pace, promising groundbreaking advancements in productivity, innovation, and decision-making. However, alongside these opportunities come significant risks—ethical dilemmas, data privacy concerns, algorithmic biases, and potential security vulnerabilities. For organizations embracing AI, it’s not just about deploying technology but doing so responsibly. 

This is where Chief Information Security Officers (CISOs) step into a leadership role. CISOs, traditionally tasked with safeguarding enterprise networks and data, now have the opportunity to drive responsible AI adoption within their organizations. By understanding and mitigating AI-specific risk scenarios, CISOs can help ensure AI is both safe and aligned with broader business goals. 

Here’s how CISOs can lead the charge for responsible AI.

1. Assessing AI-Specific Risk Scenarios

AI introduces unique risks that CISOs are well-positioned to address. These include:

  • Data Integrity Risks: AI models rely heavily on data. If the data feeding these models is corrupted or manipulated, the AI can produce harmful or inaccurate outputs.
  • Algorithmic Bias: AI systems can unintentionally perpetuate or amplify biases present in training data, leading to discriminatory outcomes. For example, biased hiring algorithms may favor certain demographics over others.
  • Cybersecurity Threats: AI systems are vulnerable to adversarial attacks, where malicious actors manipulate inputs to deceive the AI. Additionally, models themselves can be stolen or reverse-engineered.
  • Ethical Challenges: From facial recognition systems to generative AI, ethical concerns abound regarding how AI is used and the societal impact of these technologies.

CISOs should work with data science teams to map out these risks and establish robust safeguards. A comprehensive risk assessment is the first step in embedding responsible AI practices into the organization.

2. Driving AI Governance and Policy Development

AI governance is essential for ensuring that AI initiatives align with ethical, legal, and organizational values. CISOs can play a pivotal role in establishing clear policies that guide AI development and usage. Key components include:

  • Data Governance: Ensuring that data used to train AI models complies with privacy regulations like GDPR or CCPA and is ethically sourced.
  • Model Auditing: Creating processes for regular audits of AI models to identify biases, vulnerabilities, or performance issues.
  • Usage Guidelines: Establishing boundaries for AI usage, particularly in sensitive areas like surveillance, hiring, or healthcare.

By collaborating with legal, compliance, and ethical review teams, CISOs can ensure that governance frameworks are comprehensive and enforceable.

3. Educating Stakeholders on AI Risks and Opportunities

For AI to be adopted responsibly, everyone from the C-suite to frontline employees needs to understand its risks and opportunities. CISOs can take the lead in providing education and training on:

  • Data Privacy: How AI interacts with sensitive data and the importance of maintaining compliance.
  • Bias and Fairness: The implications of biased algorithms and how to mitigate them.
  • Security Best Practices: Protecting AI systems from adversarial attacks or intellectual property theft.

These efforts not only build awareness but also foster a culture of responsibility around AI.

4. Building Security into the AI Lifecycle

AI security isn’t a one-and-done task. It must be integrated across the entire AI lifecycle:

  • Development: Work with data science teams to implement secure coding practices, protect training datasets, and avoid embedding vulnerabilities in AI models.
  • Deployment: Ensure that AI systems are regularly monitored for anomalies, patched against vulnerabilities, and configured with secure access controls.
  • Post-Deployment: Continuously evaluate AI performance and security, incorporating feedback loops to improve resilience over time.

CISOs should adopt a DevSecOps approach for AI, embedding security into every stage of development and deployment.

5. Advocating for Transparent and Explainable AI

One of the biggest challenges in responsible AI adoption is the “black box” problem—AI systems can be opaque, making it difficult to understand how decisions are made. This lack of transparency can lead to mistrust and potential regulatory scrutiny.

CISOs can advocate for the use of explainable AI (XAI), which prioritizes transparency and accountability. By working with AI engineers, CISOs can push for models that provide clear, interpretable insights into their decision-making processes. Transparency is not just an ethical imperative—it also reduces risks by enabling organizations to detect and correct errors more effectively.

6. Collaborating with External Ecosystems

Responsible AI adoption doesn’t happen in a vacuum. CISOs should actively engage with external stakeholders, including:

  • Regulatory Bodies: Staying ahead of emerging AI regulations to ensure compliance.
  • Industry Peers: Sharing insights and best practices for responsible AI deployment.
  • Third-Party Vendors: Assessing AI tools and solutions for security, privacy, and ethical considerations before integrating them into the enterprise.

Collaboration ensures that the organization remains informed and aligned with broader industry trends and standards.

7. Preparing for the Worst: Incident Response for AI

Despite the best safeguards, AI systems can still fail or be exploited. CISOs should extend their incident response plans to address AI-specific scenarios, such as:

  • Unauthorized access to AI systems or models.
  • Manipulation of training data leading to compromised outputs.
  • Ethical breaches or regulatory violations stemming from AI usage.

Having a robust response plan ensures the organization can act swiftly and decisively in the face of AI-related incidents.

Conclusion: CISOs as Champions of Responsible AI

In the rush to embrace AI’s promises, organizations cannot afford to overlook its risks. CISOs, with their expertise in risk management, security, and governance, are uniquely positioned to lead the charge for responsible AI adoption. By assessing risks, driving governance, fostering education, embedding security, and advocating for transparency, CISOs can ensure that AI serves as a force for good within their organizations.

The path to responsible AI is not without challenges, but with strong leadership, CISOs can guide their organizations toward a future where AI’s opportunities are fully realized—securely, ethically, and responsibly.


Unpacking the Okta Data Breach

Unpacking the Okta Data Breach: How It Happened

In recent years, the increasing frequency of data breaches has raised concerns among businesses and consumers alike. The Okta data breach serves as a stark reminder of these vulnerabilities, especially considering that in 2024, the average total cost of a data breach in the United States reached a staggering $9.36 million. This incident not only highlights the financial implications of such security failures but also underscores the importance of timely detection. With an average of 194 days taken globally to identify a data breach in 2024, a slight improvement from 2023, organizations must prioritize their security measures to mitigate risks and protect sensitive information.

Who is Okta?

Founded in 2009, Okta is an identity and access management company. It was a forerunner of single sign-on, and many companies adopted the Okta portal to reduce the number of passwords users have to deal with. Okta also provides API access management, MFA, and other IAM solutions.  

Discovery of the Breach

The Okta data breach started when an employee’s Gmail account was compromised.  They had logged into their personal Gmail on their work laptop and also saved their work credentials in Chrome.  The compromise led to malware being installed on the laptop, which was used to gain access to Okta’s support system.  The hackers targeted the unsanitized HAR files submitted by Okta’s customers during the normal troubleshooting process.  The hackers then went to these companies and tried to breach their systems, largely without success. 

It was 1Password, an Okta customer, that first alerted Okta of suspicious activity that they suspected had originated with Okta in late September of 2023.  Okta suspected that 1Password had been the victim of a phishing attack and dismissed the claim.  

A few days later, on October 2nd, BeyondTrust uploaded a HAR file to Okta support while working on an issue.  A HAR file is a log of a web browser’s interaction with a website and is useful for diagnosing performance and other issues. Within 30 minutes, they saw an attacker attempt to breach the BeyondTrust Okta environment using a valid session cookie.  Thankfully, they had authentication policies in place that only allowed trusted users on trusted devices to access their Okta environment.
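The breach turned on unsanitized HAR files that still carried live session cookies. As an added example (not Okta's or any vendor's tool), this Python sanitizer redacts cookies, auth headers and token-like query or form parameters from a constructed HAR before upload, and then checks that known secret values are gone. The header and parameter name lists are assumptions to extend for your own applications.

```python
"""Scrub session cookies, auth headers and tokens from a HAR file before it is
uploaded to a support portal, then verify nothing known-secret remains.
Added example with a constructed HAR snippet; not Okta's or any vendor's tool."""
from __future__ import annotations

import copy
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Header and query-parameter names that commonly carry credentials
# (assumed lists; extend them for your own applications).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization", "x-api-key"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token", "code", "session", "password"}
REDACTED = "[REDACTED]"


def _scrub_headers(headers: list[dict]) -> None:
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            h["value"] = REDACTED


def _scrub_cookies(cookies: list[dict]) -> None:
    # Every cookie value goes: a session cookie is exactly what was replayed in the breach.
    for c in cookies:
        c["value"] = REDACTED


def _scrub_params(params: list[dict]) -> None:
    for p in params:
        if p.get("name", "").lower() in SENSITIVE_PARAMS:
            p["value"] = REDACTED


def _scrub_url(url: str) -> str:
    """Redact sensitive query parameters inside the URL string itself."""
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def sanitize_har(har: dict) -> dict:
    """Return a redacted deep copy; the original HAR is left untouched."""
    out = copy.deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        resp = entry.get("response", {})
        req["url"] = _scrub_url(req.get("url", ""))
        _scrub_headers(req.get("headers", []))
        _scrub_headers(resp.get("headers", []))
        _scrub_cookies(req.get("cookies", []))
        _scrub_cookies(resp.get("cookies", []))
        _scrub_params(req.get("queryString", []))
        post = req.get("postData", {})
        _scrub_params(post.get("params", []))
        if "text" in post:
            post["text"] = REDACTED  # form/JSON bodies on login flows carry the credentials
    return out


def leaked_values(har: dict, secrets: list[str]) -> list[str]:
    """Last check before upload: which known secret strings still appear anywhere."""
    blob = json.dumps(har)
    return [s for s in secrets if s in blob]


# Constructed HAR with the fields a login troubleshooting capture typically has.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://tenant.example/api/v1/users/me?token=constructed-token&v=2",
        "headers": [{"name": "Cookie", "value": "sid=constructed-session-cookie"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "constructed-session-cookie"}],
        "queryString": [{"name": "token", "value": "constructed-token"}, {"name": "v", "value": "2"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=constructed-rotated; HttpOnly; Secure"}],
        "cookies": [{"name": "sid", "value": "constructed-rotated"}],
        "content": {"mimeType": "application/json", "text": "{\"id\": 1}"},
    },
}]}}

SAMPLE_SECRETS = ["constructed-session-cookie", "constructed-rotated", "constructed-token"]

if __name__ == "__main__":
    clean = sanitize_har(SAMPLE_HAR)
    print("still leaking:", leaked_values(clean, SAMPLE_SECRETS))
    print(json.dumps(clean, indent=2))
```

Response bodies are left intact here because they are usually what support needs; review them by hand, since an API response can echo a token back.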

On October 17th, using the information provided by BeyondTrust, Okta pinpointed a service account with unusual activity that had previously gone unnoticed.  The service account and all associated sessions were terminated.  

On October 19th, Okta notified 1Password, Cloudflare, BeyondTrust, and a couple of others that they had been impacted by a data breach. At this time, Okta believed these were the only customers impacted.  

Finally, in December 2023, the full scope of the breach was revealed. The hackers gained access to the files of 134 different customers and also downloaded a report listing the names and e-mail addresses of all customers who had used Okta support. These were used to launch phishing and other targeted attacks against the companies who had the bad luck to have needed Okta’s support.  

What next?

After notifying the impacted customers and the appropriate regulators, Okta set to work. As an identity provider, transparency and thoroughness were the only hope of regaining customer trust. 

  1. Independent Forensic Investigation: Okta engaged Stroz Friedberg, a leading cybersecurity forensics firm, to conduct an independent investigation, which confirmed the company’s initial findings and identified no further malicious activity.
  2. Security Enhancements: In response to the breach, Okta implemented several security improvements, including:
    • Zero Standing Privileges for Administrators: Ensuring administrative roles are assigned only when necessary and for limited durations.
    • Multi-Factor Authentication (MFA) for Critical Actions: Requiring additional authentication steps for high-impact administrative tasks.
    • Enhanced Session Security: Implementing measures to detect and block requests from anonymizers and applying IP binding to Okta products and the Admin Console.
    • Restricting API Access: Enforcing allowlisted network zones for APIs to prevent unauthorized access. 
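As an added illustration of the session-security items above (IP binding, blocking anonymizer sources, and allowing only trusted devices), the following Python sketch decides whether a presented session cookie still matches the client it was issued to. It is not Okta's implementation; the session table, device IDs, addresses and the anonymizer range are all constructed.

```python
"""Check that a presented session cookie matches the client it was issued to.
Added example illustrating IP binding, anonymizer blocking and trusted-device
policy; not Okta's implementation.  All sessions, devices and addresses are
constructed."""
from dataclasses import dataclass

TRUSTED_DEVICES = {"laptop-7f3a", "laptop-91c0"}  # constructed managed-device ids
ANONYMIZER_PREFIXES = ("203.0.113.",)             # constructed anonymizer range

@dataclass(frozen=True)
class Session:
    sid: str
    user: str
    issued_ip: str      # address the cookie was bound to when minted
    device_id: str

# Constructed session table, as the identity provider would record it.
SESSIONS = {
    "sid-001": Session("sid-001", "alice", "198.51.100.10", "laptop-7f3a"),
    "sid-002": Session("sid-002", "bob", "198.51.100.22", "byod-unknown"),
}

def evaluate_request(sid, client_ip, device_id):
    """Return (allowed, reason).  A request passes only when the cookie is
    known, is not sent through a known anonymizer, arrives from the IP it
    was bound to, and comes from a trusted device."""
    session = SESSIONS.get(sid)
    if session is None:
        return False, "unknown session"
    if client_ip.startswith(ANONYMIZER_PREFIXES):
        return False, "anonymizer source"
    if client_ip != session.issued_ip:
        return False, "ip mismatch: session bound to %s" % session.issued_ip
    if device_id not in TRUSTED_DEVICES:
        return False, "untrusted device"
    return True, "ok"

# Constructed requests: a legitimate one, then alice's cookie replayed from
# another network (the scenario in the breach), a BYOD device, and an anonymizer.
REQUESTS = [
    ("sid-001", "198.51.100.10", "laptop-7f3a"),
    ("sid-001", "192.0.2.77", "laptop-7f3a"),
    ("sid-002", "198.51.100.22", "byod-unknown"),
    ("sid-001", "203.0.113.5", "laptop-7f3a"),
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(req, "->", evaluate_request(*req))
```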

Okta deserves credit for being forthright about how the breach happened and what steps they took to prevent it from happening again.  While Monday morning quarterbacking always takes place after a major breach, there are plenty of large organizations that had – and undoubtedly still have – similar (or worse!) holes in their security posture.  

A Better Way Forward

Some of the remedial actions taken highlight a critical problem that security measures often face – security comes at the expense of the user experience.  It makes sense to session-limit administrators, and enabling MFA ensures that a compromised password will not result in widespread access, but one can imagine the poor Okta admins constantly having to reauthenticate and fumbling for their phones to accept a push notification or find a one-time passcode a million times over the course of a single work day.  Besides the massive inconvenience this poses, it isn’t really addressing the real threat – after all, compromised credentials are the cause of over 80% of all data breaches.

Passwordless authentication is a rarity in that it is not only more secure but a significantly better user experience.  Rather than racing to get a push notification or waiting for a text message, the authentication process happens with no user intervention required.  Not only is this a win for users and security, but IT staff have far fewer password issues to deal with as well.  

An ounce of prevention is worth a pound of cure, as the saying goes, and while Okta set the standard for a clear, transparent post-breach response, the data breach itself serves as a reminder of the vulnerabilities inherent in traditional security methods.  Looking towards the future with passwordless authentication will stop the next breach before it happens (and let you put your phone down once in a while!)

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

What Drives Data Breach Costs?

The worldwide cost of a data breach in 2024 averages around $4.88 million, which is a 10% increase over 2023.  If you are unlucky enough to be a victim of ransomware, the cost is 10% higher, at $5.37 million. And if you’re in the United States, the average cost almost doubles to $9.36 million.  What exactly are you spending all this money on?  Let’s dive deeper into the costs of a data breach.

Where does it all go?

According to IBM, post-breach spending falls into four key categories:  

Detection and Escalation

Detection is about finding the breach (and determining the extent of it) as fast and ideally as early as possible.  When a data breach is detected, the first priority is to figure out what has been compromised, how far the hackers got in, and how to plug the hole.  Costs associated with this might include a new messaging system – communicating via your existing e-mail or instant messenger might tip the hackers off as to your plans, which will prevent you from being able to contain the damage.  You might need more robust network monitoring, firewalls, SIEM (security information and event management) systems, and more. 

Time is of the essence during the detection phase – the longer it takes, the more expensive it will be to unwind.  It takes around 194 days to find a data breach, with an additional 64 days to contain it – that’s a lot of time for a bad actor to have access to your systems.  The longer detection takes, the more expensive the breach is.  

Escalation begins the process of notifying internal stakeholders.  IT and any Security personnel are often the first to know.  It’s crucial to loop in customer-facing organizations like support and sales early in the process, as they are the first points of contact your customers will often make when reaching out to you.  You will want to have a statement crafted that can be sent out, which will likely involve marketing. 

Notification

Once internal stakeholders are informed, the next step is letting the world know – this will include regulators, customers, and the general public. Hiring a PR firm to help craft a statement is a smart move, and you’ll surely want to retain legal counsel to make sure you don’t make your situation any worse.  Doing this in a timely manner is crucial so that you don’t run afoul of any regulations.  Several countries have laws with time-bound requirements; for instance, GDPR requires notification within 72 hours of discovering a data breach.  In this stage your customers will have questions – probably a lot of questions – and it will be all hands on deck, not just for sales and support, but product and marketing as well.  Maintaining accurate, clear, and consistent communication with customers, the press, and regulators is of paramount importance.

Post-Breach Response

This is a crucial, make-it-or-break-it time for companies; after the initial announcement, there is likely a great deal of attention laser-focused on you, your business, your customers, and any other person or organization in your orbit. A good post-breach response will help restore lost confidence, and hopefully minimize the impact of lost business.  

An excellent example of a post-breach response comes from Okta.  When they were breached in 2023, although fewer than 150 customers were impacted, their communication was transparent and forthright, and it thoroughly detailed what they found and their next steps.  

Lost Business Cost

Inevitably, when you suffer a breach, you will lose some business.  Some customers will leave, some prospects will go dark, and some current customers will reduce the amount they spend.  While that’s inevitable, you will also suffer the loss of future plans – your roadmap, feature development, and all other work will grind to a halt as the data breach becomes a black hole that sucks all activity in, and everyone focuses on the other three areas we’ve covered.  Your UX team will become QA testers; your marketers will become support reps; and your customers will be clamoring for answers you may not have yet.  It will take a long time, with a lot of intense effort, to return to some semblance of normal.

Each of these efforts alone can run up costs in the millions of dollars; combined, it’s easy to see why breaches like Target’s run into the hundreds of millions of dollars.  Given that these costs are projected to continue to skyrocket, and you probably have many other things to spend $10 million on, it’s worth investing in training and security tools to keep your organization safe.

