Credit-reporting company Equifax learned lessons from a data breach in 2017.


The immediate aftermath of a breach is a critical time for the hacked organization. If leaders don’t learn quickly what went wrong and act swiftly—in the right ways—to fix the problem, they risk exacerbating the damage in terms of financial and reputational harm.

Cyberattacks have increased during the pandemic as a rush by businesses to digitize services and provide employees with remote access has made systems more vulnerable. And corporate leaders continue to make the same mistakes in their responses. We asked a number of experts to share their insights about what to do, and not do, after a breach.

Don’t just fix it. Improve it.

Many breached companies jump into action by adding controls or software that defends against the type of attack they just suffered. But they don’t address the underlying vulnerabilities.

“The immediate aftermath is a time to focus on the fundamentals,” says Jamil Farshchi, chief information security officer at Equifax Inc., who joined the company five months after the company’s 2017 data breach. Mr. Farshchi had previously led a rehabilitation effort at Home Depot Inc. after a 2014 breach.

Companies can avoid 99.9% of potential threats that they face if they just enforce a policy of doing the basic things correctly and in a timely fashion, Mr. Farshchi says: things like applying security patches and understanding which devices are authorized to connect to the network.

That was Equifax’s first step in a much greater transformation. Since 2017, it has recruited roughly 1,000 new employees with highly specialized skills as part of a $1.5 billion program to bolster security processes and technology and instill a focus on security as part of the culture of the organization.

Many companies that can’t afford a transformation as large as Equifax’s can improve security in other ways, taking steps that reduce costs even as they bring security up-to-date. Automation, optimization and moving to the cloud, Mr. Farshchi says, all mitigate systemic risks while driving greater efficiency and bringing costs down.

Gregory Touhill, president of Appgate Federal Group and the first Federal CISO under the Obama administration in 2016, urges companies to take a proactive stance by regularly using independent third-party penetration testing, hunt teams and audits to find and fix issues before they turn into problems. Such an approach, he adds, “is a great investment that CISOs and boards can use as evidence that they are exercising due care and due diligence. That builds trust and confidence with regulators, investors, potential investors, customers, partners and the public.”

Don’t play the blame game

After some of the largest breaches in recent years, including breaches at Capital One Financial Corp., Uber Technologies Inc., JPMorgan Chase & Co., and Target Corp., removing top executives was seen as the best way to signal that the hacked company was implementing a change in strategy. But, according to one former executive, such a move can have “a chilling effect.”

“Fear and uncertainty will not be your friend when everyone else is in the midst of trying to survive or recover,” says Stevan Bernard, CEO of Bernard Consulting LLC and former chief security officer at Sony Pictures Entertainment, which he helped steer through an attack in 2014.

The loss of a security leader who may understand what happened better than anyone, and isn’t necessarily to blame, could be damaging.

Do update policies and document changes

It is crucial to establish new security policies and to document what went wrong and how it was fixed. Justine Phillips, a partner in the Data Privacy & Security Practice Group at law firm Sheppard, Mullin, Richter & Hampton LLP, quotes Maya Angelou: “When you know better, do better.”

Incident-response policies defining roles, responsibilities, action items and expectations, she says, “demonstrate a business has learned and will do better next time.”

“Regulators and consumers want to see that companies took reasonable measures to contain, investigate and remediate the event,” says Ms. Phillips, who adds that documenting changes is imperative not only from a regulatory perspective but to ensure the system is threat-free again, without backdoors.

Such steps also can be a catalyst for measuring security effectiveness, something most companies don’t do.

“Most organizations measure things like system uptime, patch and vulnerability data, and pen test results, etc.,” says Mr. Touhill, “but rarely do they correlate their metrics with the business metrics, i.e., those that add value to the organization’s core mission, nor use data to determine the efficacy and return on investment.”

Don’t send mixed messages. Do be transparent.

For post-breach communications, honesty and transparency are often the best policies.

Liz Zale, managing director at Sard Verbinnen & Co. LLC, a strategic communications firm, says companies that have suffered ransomware attacks, for example, sometimes mischaracterize the attacks as a “system issue” or “security incident.”

“Inevitably an internal communication or source will leak,” revealing what really happened, Ms. Zale says, “creating external confusion and making the company, including the CISO, look like they aren’t being transparent or candid with external stakeholders.”

Ms. Zale says it is very difficult to walk back statements and change perceptions. “Often communications decisions are not made with the consideration of what narrative it will create for the company.”

Do help others

There is a tendency to not talk about corporate breaches for fear of further reputation damage. But being open and sharing lessons can help everyone in the security community.

Mr. Farshchi says Equifax has shared what it learned with a network of partners, including nonprofits, government agencies, customers and even competitors.

At the very least, if a company shares security knowledge with its suppliers, that can make them and the company itself safer. Rather than share knowledge directly, most large companies typically set minimum cybersecurity standards they expect their suppliers to uphold to avoid being exploited as backdoors into the network.

“No breach is a good thing,” Mr. Farshchi says, “but there can be a silver lining: the chance to share insights that allow other companies to avoid a similar fate.”

Mr. Sloan is research director of WSJ Pro. He can be reached at [email protected].

Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.

Appeared in the December 9, 2020, print edition as ‘What to Do—and What Not to Do—in the Aftermath of a Breach.’

This post first appeared on wsj.com
