Evernote data breach: lessons to be learned

A month on, Davey Winder analyses what others can learn from the Evernote data breach...

Brand damage mitigation, post-breach best practice

Yvonne Eskenzi is director of Eskenzi PR, an agency which specialises in IT security, and unsurprisingly has some thoughts of her own on how Evernote handled things on this occasion

"Did Evernote get it right? If you have a look at all the negative press it's clear Evernote got it very badly wrong and this is going to follow them around like a nasty smell for a very long time as more and more people write about it negatively.

Evernote could have so easily avoided this mess if they followed a few basic rules: Preparation we would advise every business to plan for an incident. It's a bit like preparing for a play. Most of the work is done before the performance so when the actors get on stage they are polished, professional and well rehearsed.

Communication [needs to be carried out] clearly, simply and quickly. You can only do this if you have rehearsed and prepared in advance. The Evernote email was clumsy, inaccurate and difficult to understand. Short, clear and simple should do the trick. Be as honest as you can, your customers will always appreciate an honest truthful explanation.

Use every communication method open to you to jump on the rumours before it spirals out of control. If you provide the content people will use it, if you don't people will make it up.

Unfortunately, with social media, speed is of the essence, but that should be no excuse for a badly written inaccurate email such as Evernotes.

Knowledge is king so gain as much knowledge as you can around the incident and get your facts right, combine this with a smack of honesty and you should be fine. If you keep your audience in the loop and keep them briefed you'll win them over.

You also need to decide who is going to be your spokesperson, in the Evernote email, written by the Evernote team, you couldn't get more impersonal that a general sign-off, someone needs to be accountable and you must have a point of contact. You need to decide long before a breach or incident who has the knowledge and personality to stand up in front of an audience and take the flack and handle it!

Make sure they are media trained. This could be the chance for the CISO to shine as they are the ones with the knowledge.

Organisations need to realise that breaches are becoming more and more of an unfortunate part of our lives and it's not necessarily if, but when it's going to happen to you.

Preparation and communication will stand you in good stead, so that when it happens you're not the company caught with egg on your face"

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Identity Automation launches credential breach monitoring service
phishing

Identity Automation launches credential breach monitoring service

5 Oct 2021
Neiman Marcus data breach hits 4.6 million customers
data breaches

Neiman Marcus data breach hits 4.6 million customers

4 Oct 2021
Indiana notifies 750,000 after COVID-19 tracing data accessed
data breaches

Indiana notifies 750,000 after COVID-19 tracing data accessed

18 Aug 2021
Pearson fined $1 million for downplaying severity of 2018 breach
data breaches

Pearson fined $1 million for downplaying severity of 2018 breach

17 Aug 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021
What is cyber warfare?
Security

What is cyber warfare?

15 Oct 2021