In fact, no set of cybersecurity measures can be said to be 100% guaranteed; so feel free to report breaches when they occur, and to bring along all stakeholders in reducing their impact.
As an organisation, it is very important to carry your staff and customers along on the journey of cybersecurity-measures implementation. In the same vein, you are to be transparent with them at every step of the way when a breach occurs. This, I strongly believe, will help in reducing the impact of a breach. You cannot keep your customers in the dark any longer, especially when it comes to matters of cybersecurity. You don’t want your customers to become a weak link in your security structure.
Yes, the concerns of customers have heightened in recent years about the measures that companies holding their information are taking to protect it. In some cases it becomes a basis for choosing which organisation to do business with. I am beginning to see some banks send tips to customers via email and social platforms to help them keep abreast of happenings in the digital ecosystem.
In subsequent posts I will share knowledge on basic standard measures that every organisation can use in formulating their own cybersecurity plan.
My hope is that as the Cyber Security Authority-Ghana is framing the National Cyber Security Policy and Strategy (NCPS), they will make it compulsory for organisations to report breaches and not try to conceal them. For fear of being tagged negatively, organisations are going to try and keep quiet about breaches they discover. This will not augur well for the bigger goal of ensuring a safe and secure business environment. When we become sincere about breaches, we help others take the necessary steps for curtailing the possibility of the same happening in their organisations. In some jurisdictions, it’s a must to report breaches when discovered.
The GoDaddy example:
November 22, 2021
GoDaddy Announces Security Incident Affecting Managed WordPress Service
On November 17, 2021, we discovered unauthorised third-party access to our Managed WordPress hosting environment. Here is the background on what happened and the steps we took, and are taking, in response:
We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm, and contacted law enforcement. Using a compromised password, an unauthorised third party accessed the provisioning system in our legacy code base for Managed WordPress.
Upon identifying this incident, we immediately blocked the unauthorised third party from our system. Our investigation is ongoing, but we have determined that beginning on September 6, 2021, the unauthorised third party used the vulnerability to gain access to the following customer information:
- Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.
- The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords.
- For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.
- For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.
Our investigation is ongoing and we are contacting all impacted customers directly with specific details. Customers can also contact us via our help centre (https://www.godaddy.com/help) which includes phone numbers based on country.
We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.
Chief Information Security Officer
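A notice like the one above tells an affected customer two things they can act on: the window during which the intruder had access (September 6, 2021 until access was blocked on discovery, November 17, 2021) and the categories of secret that were exposed (WordPress admin password, sFTP and database credentials, SSL private key). The following added example, which is not part of the original post and not GoDaddy's own tooling, audits a customer's own inventory of secrets against that window and reports which ones still need rotating; the credential records and site names are constructed sample data, while the dates and categories are taken from the notice.

```python
"""
Post-breach credential rotation audit (added example, not from the original
post or from GoDaddy). The intrusion window and the exposed credential
categories come from the notice; the customer records are constructed.
"""
from dataclasses import dataclass
from datetime import date

# Categories the notice says were exposed. "api_token" below is a constructed
# category used only to show that unrelated secrets are not flagged.
EXPOSED_CATEGORIES = {
    "wp_admin_password",
    "sftp_password",
    "db_password",
    "ssl_private_key",
}

# Window from the notice: first unauthorised access and the day it was blocked.
INTRUSION_START = date(2021, 9, 6)
ACCESS_BLOCKED = date(2021, 11, 17)


@dataclass(frozen=True)
class Credential:
    site: str
    category: str
    last_rotated: date  # date the current value was set or the key reissued


def needs_rotation(cred, blocked=ACCESS_BLOCKED):
    """A secret in an exposed category is still at risk if its current value
    existed at any point while the intruder had access. That includes values
    set during the window (e.g. a password changed in October 2021), so the
    only safe values are those set strictly after access was blocked.
    Same-day rotations are treated conservatively as still exposed."""
    if cred.category not in EXPOSED_CATEGORIES:
        return False
    return cred.last_rotated <= blocked


def outstanding_actions(creds, blocked=ACCESS_BLOCKED):
    """Return {site: sorted list of exposed categories still needing rotation},
    omitting sites with nothing outstanding."""
    result = {}
    for c in creds:
        if needs_rotation(c, blocked):
            result.setdefault(c.site, []).append(c.category)
    return {site: sorted(cats) for site, cats in result.items()}


# Constructed sample inventory for two hypothetical sites.
SAMPLE_INVENTORY = [
    Credential("example-one", "wp_admin_password", date(2021, 3, 1)),   # set before window
    Credential("example-one", "sftp_password", date(2021, 11, 20)),     # reset after block
    Credential("example-one", "db_password", date(2021, 10, 10)),       # changed inside window
    Credential("example-one", "ssl_private_key", date(2021, 11, 25)),   # reissued after block
    Credential("example-two", "api_token", date(2020, 1, 1)),           # not an exposed category
    Credential("example-two", "ssl_private_key", date(2021, 6, 1)),     # never reissued
]


if __name__ == "__main__":
    for site, cats in outstanding_actions(SAMPLE_INVENTORY).items():
        print(f"{site}: rotate {', '.join(cats)}")
```

The point the sample data makes is the one customers most often get wrong after a notice like this: a password changed during the intrusion window (the October database password above) was still exposed and must be rotated again, and the check is against the date access was blocked, not the date the breach was announced.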
Advantages of Reporting Breaches
When an organisation reports breaches it creates transparency, which helps to bring other stakeholders along in reducing the impact. Being sincere in identifying the breach and its cause ensures that a proper assessment of the risk can be done for appropriate remediation.
In reporting, try to be open about the issue as much as possible; do not try to conceal things. When customers find out later that you were not sincere with them, you may risk losing them.
While you inform stakeholders about the breach, let them know the steps you are taking immediately to reduce the impact and also any future control plans.