Three ways companies suffering breaches can reduce risks to their customers

On March 1, 2021 I wrote a short article about a data breach most people have never heard of. The victim was a company called DriveSure, which provides software to car dealerships that aims to help with customer loyalty through intelligent use of service records and other data.

It’s fairly easy to check for publicly visible evidence that indicates when an organization is committed to fixing the vulnerabilities that led to a breach.

Best practices for reducing risks after a data breach, in addition to normal remediations

Here are 3 ways that companies who suffer breaches can help their customers immediately…

1- Issue a breach notification press release, and post PR information on the website

A company that experiences a breach is expected to not only notify affected customers, but to make the incident public, so that customers who couldn’t be reached are able to find information about how they may have been affected.

Very little news could be found about the DriveSure data breach after the event, anywhere on the web, and the company’s website doesn’t have any easily found pages or posts that describe the nature of the breach, how it impacted customers, or what they are doing to remediate the situation.

In contrast, some companies are very forthcoming about security incidents, which does cause the bad news to trend for a while, but in the longer term, the transparency and accountability shown usually builds stronger trust among customers.

2- Offer assistance to affected customers.

Normally, when personal data is compromised, the affected company will offer assistance to reduce risks (which would be announced in their PR materials around the event). When sensitive consumer data has been affected, it often includes a year of credit monitoring services from credit bureaus such as Equifax or TransUnion.

Because I couldn’t find any published breach notification about the DriveSure incident, and don’t have access to whatever private communications were sent to their customers, I don’t know if DriveSure offered to pay for credit monitoring services to impacted consumers (customers of DriveSure’s car dealership customers).

3- Review and update basic DMARC settings in DNS to reduce impersonation email attacks

DMARC settings are controlled through an organization’s Internet DNS settings, including published information about how email messages that are apparently sent from the domain should be handled. It is not a guarantee to prevent phishing, but it makes it much harder for attackers to spoof the email domain when approaching their customers or people who trust the organization.

The publicly available tool called mxtoolbox.com can be used to test any domain and see if they have configured their settings to minimize the risks of their domain being used in phishing attacks that impersonate them. DriveSure’s DMARC settings can be freely analyzed with this tool at no cost. As of the date of this post, the MX Toolbox tool did not report finding a DMARC record or any DMARC policies ing the drivesure.com DNS records.

If the DMARC settings are set properly, it is likely that when a phishing email is received that is apparently from the trusted domain, but has some discrepancies, it may fail the DMARC test, and would likely be routed to a quarantine or spam folder in the receiver’s (target’s) mailbox.

I’ll be checking news and website information for other organizations that have suffered security breaches recently, to see if they are following these easily verified practices after a security breach.

Publicising the implementation of a security awareness training program

In addition to the above items, an organization can also show accountability and leadershp easily by publicly stating that they are implementing a reputable and effective security awareness training program for their staff. Click Armor’s gamified learning challenges and simulations provide a much more effective way to improve employees’ resistance to phishing and social engineering attacks.

If your organization is looking for ways to show leadership, accountability and a commitment to building a secure team, book a call by clicking on the button below.