How to limit the impact of data breaches

IBM's Wendi Whitmore offers advice about how to defend against and respond to data breaches.


At the Black Hat USA 2019 cybersecurity conference in Las Vegas, CNET and CBS News Senior Producer Dan Patterson spoke with IBM's Wendi Whitmore about how to defend against and respond to data breaches. The following is an edited transcript of the interview.

Wendi Whitmore: A huge component of breach response nowadays is ultimately how we communicate to the public about it. In a Harris poll, 75% of consumers said they would not do business with an organization that doesn't protect their data. The reality is consumers have a hard time really affecting that, given the large volume of organizations that have been breached.

So, what we encourage is that organizations go through immersive planning and preparation that covers not only how we respond but, more importantly, the communications. There are examples of massive breaches where the CEO of the company came out, provided statements on Twitter, and was widely viewed as really being on top of the actual breach response because they said, "Hey, we're going to incur costs, whatever it costs, to do what's right by our customers."

When you have that level, what they generated was consumer confidence and competence in their business organizations and their clients; that actually was a watershed moment for that organization in a really positive way. So, from that perspective, there are ways organizations can very proactively defend against these and respond in a way that's going to be beneficial to their organization.


The reality is that while some of the numbers are negative, in terms of it taking longer for organizations to identify and contain breaches and the cost going up, we're actually seeing organizations that are being very effective at responding to these attacks. Oftentimes, they're ones you're not hearing about in the news. Those organizations are doing the things we've talked about: they have good visibility into their environment, they can detect what's going on in terms of actions on hosts and identify when something is potentially malicious, and the win here is limiting the impact.

That means we want to make it more expensive for an attacker, so that it takes them longer to execute whatever it is they're trying to do. And we want to make it less expensive for the defending organization. So, we can put in more tripwires, allow their defenders to see more quickly what's going on, and then limit the impact of that attack, so that maybe five accounts get compromised, but we don't have 500,000 that get compromised in a matter of hours. That's a win for that organization. The reality is, we can't have the expectation that organizations should just stop all breaches. That's not a win; that's not reality today. It may not be for some time, but can they limit the impact so that their client data isn't lost and they limit the amount of destruction in their environment? Absolutely.


Healthcare records are the most costly kind of record out there because the data is extremely rich. We're not talking about just a credit card number and an address; we're talking about maybe a medical history as well. That data can be sold to make money. So, I would actually turn the question around: what can consumers do? We actually have some options in this as well. So, I would look at things like making sure we have two-factor authentication on our personal email accounts, and certainly on our financial accounts.

Making sure that if multifactor authentication is available, you're taking advantage of it and using it. You're not using the same password for every organization you work with. You have maybe a password manager; there are great free options out there now. So, there are some things that we, as consumers, can do to make sure that we're protecting our data, as well as those organizations that are attempting to do it.
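The "tripwires" Whitmore describes, that let defenders notice a compromise while it is still five accounts rather than 500,000, are easiest to see in code. The following is an added example written for this page; it is not code from the interview, IBM, or any product she mentions. It assumes a simple constructed authentication log format (timestamp, result, user, source IP) and a hypothetical decoy account name, and implements two tripwires over that log: any successful login to a honeytoken account, and a single source address authenticating as more than a handful of distinct accounts inside a short sliding window.

```python
"""Tripwire-style detection over constructed authentication log lines.

Two tripwires are implemented:
  1. Honeytoken accounts: decoy accounts that no legitimate user should ever
     touch. Any successful login to one is an immediate high-confidence alert.
  2. Account fan-out: a single source address that successfully authenticates
     as many distinct accounts inside a short window. A legitimate workstation
     rarely does this; a credential-stuffing or lateral-movement tool does.
Both run in one streaming pass so the alert fires on the first event that
crosses the threshold, not after the whole log has been collected.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Log format is constructed for this example: ISO timestamp, result, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return ts, m.group("result"), m.group("user"), m.group("src")


def detect_tripwires(lines, honeytokens, max_accounts=5, window_seconds=300):
    """Stream over log lines and return the alerts that fire, in order.

    honeytokens:    set of decoy account names (assumed for this example).
    max_accounts:   distinct accounts one source may authenticate as within the
                    window before the fan-out tripwire fires.
    window_seconds: sliding window length for the fan-out check.
    """
    alerts = []
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) successes in window
    fired = set()                # sources already alerted on, to avoid repeats

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result != "success":
            continue  # failures are noisy; these tripwires key on successes

        # Tripwire 1: use of a honeytoken account is never legitimate.
        if user in honeytokens:
            alerts.append({"type": "honeytoken", "src": src, "user": user,
                           "ts": ts.isoformat()})

        # Tripwire 2: distinct accounts per source inside the sliding window.
        window = recent[src]
        window.append((ts, user))
        while window and (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = {u for _, u in window}
        if len(distinct) > max_accounts and src not in fired:
            fired.add(src)
            alerts.append({"type": "account_fanout", "src": src,
                           "accounts": sorted(distinct), "ts": ts.isoformat()})
    return alerts


# Constructed sample log: one normal user, and one attacker host walking through
# harvested credentials that include the decoy account "svc-backup-old".
SAMPLE_LOG = """\
2019-08-07T09:00:00Z auth success user=alice src=10.0.0.15
2019-08-07T09:01:10Z auth failure user=bob src=203.0.113.9
2019-08-07T09:01:12Z auth success user=bob src=203.0.113.9
2019-08-07T09:01:20Z auth success user=carol src=203.0.113.9
2019-08-07T09:01:31Z auth success user=dave src=203.0.113.9
2019-08-07T09:01:45Z auth success user=svc-backup-old src=203.0.113.9
2019-08-07T09:02:02Z auth success user=erin src=203.0.113.9
2019-08-07T09:02:15Z auth success user=frank src=203.0.113.9
2019-08-07T09:02:30Z auth success user=grace src=203.0.113.9
2019-08-07T09:15:00Z auth success user=alice src=10.0.0.15
""".splitlines()

HONEYTOKENS = {"svc-backup-old"}  # hypothetical decoy account for this example

if __name__ == "__main__":
    for alert in detect_tripwires(SAMPLE_LOG, HONEYTOKENS):
        print(alert)
```

On the sample log the honeytoken fires at the fourth attacker login and the fan-out tripwire at the sixth, about a minute into the activity; the attacker has six accounts at that point, not the whole directory, which is the "five, not 500,000" outcome the interview describes. The thresholds are deliberately small so the example is readable; in a real environment they would be tuned per source type, and the alert would feed an automated containment step (session revocation, source block) rather than only a log line.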
