![\"\"](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2019\/09\/12182555\/Kaspersky-speaking.jpg\")
<\/a><\/p>\nTo be honest, this wasn\u2019t totally unexpected. Our specialists had been dealing with our clients\u2019 security breaches for quite a while already, and as a security company, we were a particular target. Yet, it was an unpleasant surprise: Someone had penetrated an information security company\u2019s cyberdefenses. You can read about it here<\/a>. Today, I want to talk about one of the key questions that arose immediately: \u201cHow do we communicate about it?\u201d<\/p>\n As it happened, pre-GDPR, every organization actually had a choice \u2014 whether to communicate publicly or deny an incident had even occurred. The latter wasn\u2019t an option for Kaspersky, a transparent cybersecurity company that promotes responsible disclosure. We had consensus throughout the C-suite and started preparing for the public announcement. Full steam ahead.<\/p>\n It was the right thing to do, too, particularly as we watched the widening geopolitical rift and saw clearly that the mighty powers behind the cyberattack would definitely use the breach against us \u2014 the only unknown elements were how<\/em> and when<\/em>. By proactively communicating the breach, we not only deprived them of this opportunity, but we also used the case in our favor.<\/p>\n They say there are two types of organizations \u2014 those that have been hacked and those that don\u2019t even know they were hacked. In this realm, the paradigm is simple: A company shouldn\u2019t hide a breach. The only shame is in keeping a breach from the public and thus threatening customers\u2019 and partners\u2019 cybersecurity.<\/p>\n Back to our case. Once we established the involved parties \u2014 legal and information security teams versus communications, sales, marketing, and technical support \u2014 we began the tedious work of preparing the official messaging and Q&A. We did that simultaneously with the ongoing investigation by Kaspersky\u2019s GReAT<\/a> (Global Research and Analysis Team) experts; involved team members conducted all communications over encrypted channels to exclude the possibility of compromising the investigation. Only when we had most of the A\u2019s covered in the Q&A doc did we feel ready to come out.<\/p>\n As a result, various media outlets published almost 2,000 pieces based on a news break we initiated ourselves. Most (95%) were neutral, and we saw a remarkably small amount of negative coverage (less than 3%). \u00a0The balance of coverage is understandable; the media had learned the story from us, our partners, and other security researchers all working with the right information. I don\u2019t have the exact stats, but from the way the media reacted to the story of a ransomware attack<\/a> against Norwegian aluminum giant Hydro earlier this year, it seems the handling of those news stories was suboptimal. The moral of the story is, never keep skeletons in the closet.<\/p>\n The good news is that we\u2019ve learned from the 2015 cyberattack not only about the technical capabilities of the most advanced cyberthreat actors, but also how to react to and communicate about the breach.<\/p>\n We had time to investigate the attack thoroughly and learn from it. We had time to pass through the anger and bargaining stages \u2014 I mean, to prepare the company for what we were going to say to the public. And the entire time, communication between the cybersecurity folks and corporate communication experts was ongoing.<\/p>\n Today, the time frame for getting ready for a public announcement has shortened dramatically: For example, GDPR requires that companies operating with customer data not only inform authorities about security breaches, but do so within 72 hours. And a company under cyberattack has to be prepared to go public from the very moment they inform the authorities about it.<\/p>\n \u201cWhom should we communicate with inside the company? What channels can we use, and which should we avoid? How should we act?\u201d These and many others are questions we\u2019ve had to answer during the ongoing investigation. You may not have the luxury to work out these questions by yourself in the short time you have at your disposal. But this information and our valuable experience form the foundation of the Kaspersky Incident Communications Service<\/a>.<\/p>\nFive stages of learning to live with it: Denial, anger, bargaining, depression, and acceptance<\/strong><\/h2>\n
Lesson learned \u2014 and passed on<\/strong><\/h2>\n