Another consideration is not wanting to let the hackers know they have been discovered, says Ms Moskites, the Venafi CISO. “If the hackers are still inside your system you may have to be creative about how you communicate if you don’t want to alert them.”

There will be difficult discussions about which external bodies — from law enforcement and regulators to customers — must be told. “Nobody wants anyone else involved,” says Mr Smith.

At this stage, companies are often most concerned about making sure news of the hack does not spread. “You want as few people as possible talking about it,” says Mr Smith. “You call the CEO and tell him to keep his mobile phone switched on. You issue a gag order to everyone else.”

But complete secrecy may not be an option. If the cyber attack came from hacktivists who want to make a political statement, news is probably already leaking out. During the Sony hack, several Sony-related Twitter accounts were taken over and posted a picture showing Michael Lynton, chief executive of Sony Pictures, in an eerie environment, surrounded by skeletons and gravestones.

Most states in the US require companies to notify their customers, immediately or without unnecessary delay, if their personal data have been lost. In Europe, some countries, including Germany, Austria, Norway and the Netherlands, have introduced similar laws. EU data protection regulation, due to come into force in 2018, will extend this requirement across all member states. Under the new rules companies can face hefty fines for failing to disclose a loss of data.

Even before the new rules come in, European telecoms companies are obliged to notify regulators about data breaches and if a company holds data on US citizens, it may be required to disclose the breach in the US. Disclosure rules in each US state differ slightly.

“It is a potential nightmare,” says Antonis Patrikios, partner at Field Fisher Waterhouse, a UK-based law firm. “Companies are just starting to realise how complex this can be. It is important to think about your notification strategy before an incident happens. If you leave this to be decided when you are in the middle of dealing with an attack it can be a lot more complicated.”

The company must also consider whether to call the police. Some 2.5m cyber crime offences take place in the UK each year, according to estimates by the government’s Office for National Statistics. “Almost every large organisation will have some kind of breach each year,” says Mr Hatch of BAE Systems. Only a fraction of these are ever reported to the authorities.

“We are seeing companies that are more willing to engage us, but that is not the majority,” says Mr Saunders of the UK government’s National Cyber Crime Unit. “Some have had bad experiences. There are plenty of disincentives for companies on reporting. They don’t want PC Plod to come in and stop them from working. We are trying to become more sensitive to business priorities.”

In the TalkTalk case, the police became involved immediately after the hack was detected, but there was tension over priorities.