Disclaimer: Like most other people, I do not know enough about the intricacies and context of Uber's case to comment with certainty. However, with the information that is publicly available and the (very) little I know about security best practices, I've suggested these broad learnings. Needless to say, these are personal views and do not reflect the opinions of my alma mater, employer, family, or spirit animal.

Another name has been added to the recent barrage of businesses being targeted by cyber-attacks. A few weeks ago, it was revealed that Uber faced a massive global breach in October 2016, exposing the personal information of 57 million users and 600,000 drivers. Hot on the heels of the Equifax and HBO hacks, this news has further furrowed the brows of customers and regulatory authorities everywhere.

Amidst all the anxiety, however, there are valuable lessons to learn from the way the hack was executed and the way Uber responded – lessons that run the gamut from security training and compliance to disaster recovery and communication strategy.

Here are my main takeaways:

We’re Only Human

A company can have the most sophisticated security products whirring away at full capacity, but a devastating attack is just one human oversight away. Uber’s attackers were able to cause havoc after they obtained login credentials from an Uber GitHub account. These credentials – mostly left there by human error – gave the attackers access to Uber’s Amazon Web Services servers that contained customer and driver information.
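The defensive counterpart to the entry point described above is scanning what gets committed before it reaches a shared repository. The following is an added example, not code from the original post or from Uber: a small scanner that flags AWS access key IDs and secret keys in text, using a Shannon entropy filter so that obvious placeholders do not fire. The sample config is constructed; the key values are the non-functional example credentials from AWS's own documentation.

```python
import math
import re

# AWS long-term access key IDs are 20 characters and start with "AKIA".
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# A 40-character base64-like value assigned to something named like a secret key.
SECRET_KEY_RE = re.compile(
    r"""(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*["']?([A-Za-z0-9/+=]{40})"""
)

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; real secrets score high, placeholders score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_text(text: str, min_entropy: float = 3.5):
    """Return (line_number, kind, value) for every probable AWS credential in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            value = m.group(1)
            # The entropy threshold drops dummy values such as forty repeated "x"s.
            if shannon_entropy(value) >= min_entropy:
                findings.append((lineno, "aws_secret_access_key", value))
    return findings

# Constructed sample of a credentials file accidentally staged for commit.
SAMPLE = """# constructed sample, do not use
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
# placeholder that should not be reported
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE):
        print(f"line {lineno}: {kind} = {value[:4]}... (block the commit)")
```

Wiring this into a pre-commit hook catches the mistake before it leaves the developer's machine; the stronger fix is to avoid long-lived static keys in the first place and rely on short-lived, role-based credentials.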

This type of entry point for cyberattacks on businesses has long been a pattern. HBO shows were leaked this summer after a Spanish subsidiary mistakenly aired some episodes ahead of schedule. The infamous Sony attack in 2014 involved ransomware that was either manually installed on unprotected systems or delivered by email to unsuspecting users who clicked on it. Human error, although varying in magnitude and innocence, has persisted as a thorn in the side of cybersecurity defenses. An IBM report in 2014 found that over 95% of incidents recognized ‘human error’ as a contributing factor. While that number might have dropped since then, it still has some distance to travel.

So, if human error is so pervasive across organizations, what does that tell us? Firstly, we need to make security awareness and training more proactive and engaging. Mix and match those seminars and training emails with live security drills and internal competitions. Realistically, the more engaged employees are while learning security instructions, the more likely they are to remember them and abide by them over time.

Secondly, we need to focus on agility and robustness of response. While designing and implementing incident response measures, we must assume the worst – that breaches will happen – and cover all bases at lightning speed when the breaches do happen. This means having clear hierarchies of responsibility, plans for escalation, communication best practices for external stakeholders, and a best-of-breed product suite, among other things.

When In Doubt, Enunciate

Almost as surprising as the Uber hack itself was the fact that it took place in 2016 and that Uber concealed all news of the attack until now. They also allegedly paid the attackers a $100,000 ransom to delete the data and not publicize the breach to media or regulators.

Security experts across the board have come out in criticism of this decision. “The only way one can have direct liability under security breach notification statutes is to not give notice. Thus, it makes little sense to cover up a breach,” said Chris Hoofnagle of the Berkeley Center of Law and Technology.

Uber’s reluctance to make the attack public was made worse by the sensitive PII (Personally Identifiable Information) that was breached, as well as Uber’s track record in sidestepping government regulations. In fact, Uber had just agreed to 20 years of privacy audits after the FTC charged them with ‘failing consumers’ after a 2014 data breach. I'm not knowledgeable enough to comment on any legal errors Uber made, but from a customer's point of view, the response has led to a thinning of trust.

Contrast this approach with how HBO handled a data breach back in the summer and some learnings come to light. Even though relatively little PII was compromised, HBO made the breach public immediately, along with the attackers’ demands, and refused to pay a ransom that would only have emboldened the hackers further. Although the attack was still very damaging, at least HBO doesn’t have to face regulatory and public brickbats.

Rummaging in the detritus of these attacks, one thing we can learn is that organizations should have a codified communications plan in place as part of disaster and security recovery. As soon as they have an initial idea about breach specifics, companies should make a public announcement to make consumers – and potential victims – aware of the consequences. Stakeholders such as legal and management teams should be kept abreast at all times.

Breaches should be triaged, with set response actions in place for each level of severity. An attempted phishing attack with a few details stolen may not merit the same response as a full-scale insider attack. A disaster response team should ideally be composed of personnel across different functions, so that they can convene regularly and bring their differing skillsets into the mix.

Lastly, organizations should provide free services that enable consumers to better measure and mitigate the impact of attacks. If a financial services firm gets hacked, for example, free credit monitoring services can be offered to the affected parties, both as a moral responsibility and sound business practice.

One thing we can all agree on is that cyberattacks on businesses will continue to happen. Apart from standard security investments, however, prevention of these attacks can be strengthened by making security training more proactive and engaging. When breaches do happen, a clear operating procedure that includes communication plans will go a long way towards engendering consumer trust and meeting regulatory standards.

If you're interested in more security content from someone who's still learning, consider giving me a follow! I also write about football and video games, because I'm immature like that.