Evernote data breach: lessons to be learned

A month on, Davey Winder analyses what others can learn from the Evernote data breach...

Five lessons to learn from the Evernote experience

Mark Sparshott, a director at Proofpoint, points out that companies not only have a legal duty to prevent breaches but also to disclose them to affected customers and partners, as well as increasingly to regulators such as the ICO within a reasonable time.

"In Europe the proposed new EU General Data Protection Regulation will make these responsibilities and reasonable time frames more explicit for companies," Sparshott explains.

Clearly there is the responsibility to protect the customers' interests, but the response from Evernote probably caused more anxiety than anything else.

Not disclosing breaches or being slow to disclose is no longer an option. As evidenced by the Evernote response, it's how that disclosure is handled that's the real issue.

"This type of document is an example of the cross-departmental authorship that must be well coordinated and accurate," says Tim TK Keanini, CRO at nCircle. "Legal, Marketing, and the IT staff all have to get it right and without some practice, something awkward like this is produced."

Lesson 1: Practice makes perfect, so have a plan and act upon it

"My advice is that each quarter, set a cross-departmental scenario where key people in departments play a role and act/document what they would do if some even were to occur. They include users accounts stolen, source code stolen, interruption of services," Keanini says.

"We have mandatory fire drills. It is about time we have mandatory internet security drills. Make as many mistakes as you can in practice so that when it is game day, you can play like a pro."

Calum MacLeod, an evangelist at Venafi, admits that ultimately there is no good way to deliver bad news but insists that erring on the side of caution could be an initial lesson to be learned from the way Evernote handled its response.

"Clearly there is the responsibility to protect the customers' interests, but the response from Evernote probably caused more anxiety than anything else," MacLeod told IT Pro. 

"What you have is a calamitous chain of events starting with the admission that only the passwords were being encrypted. In other words, Evernote was admitting that it either didn't understand the value of the data they were holding, or didn't consider it important enough to encrypt."

Featured Resources

Preparing for AI-enabled cyber attacks

MIT technology review insights

Download now

Cloud storage performance analysis

Storage performance and value of the IONOS cloud Compute Engine

Download now

The Forrester Wave: Top security analytics platforms

The 11 providers that matter most and how they stack up

Download now

Harness data to reinvent your organisation

Build a data strategy for the next wave of cloud innovation

Download now

Recommended

CVS Health data breach leaves a billion records exposed
data protection

CVS Health data breach leaves a billion records exposed

16 Jun 2021
Millions of Volkswagen customers affected by data breach
data breaches

Millions of Volkswagen customers affected by data breach

14 Jun 2021
Misconfigured cloud services exposed 100 million Android users' data
data breaches

Misconfigured cloud services exposed 100 million Android users' data

21 May 2021
Data breach exposes widespread fake reviews on Amazon
data breaches

Data breach exposes widespread fake reviews on Amazon

7 May 2021

Most Popular

RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Square to acquire Afterpay for $29 billion
mergers and acquisitions

Square to acquire Afterpay for $29 billion

2 Aug 2021
Zyxel USG Flex 200 review: A timely and effective solution
Security

Zyxel USG Flex 200 review: A timely and effective solution

28 Jul 2021