Preparing and Responding to a Data Breach
By Michael Bruemmer, VP, Experian® Data Breach Resolution & Consumer Protection
Posted: 18th January 2018 08:38
Just as people make resolutions intended to improve their personal and professional lives, businesses should also take the opportunity to make plans for the coming year. What will you do in the new year to make your business more profitable and secure?
May we suggest drawing some insight from Ponemon Institute’s Fourth Annual Data Breach Preparedness Study, when crafting resolutions for your business this year? Here are six things every business should do in 2018 to mitigate cybersecurity threats and minimise the risk of damage from a data breach:
- Update your data breach response plan — assuming, of course, you already have one in place. While 86% of the companies polled by Ponemon say they have a plan in place, less than a quarter (24%) have processes in place to update their plan annually. 29% have never updated their data breach response plan since first implementing it. Because risks and threats emerge constantly, it’s critical to update your plan to address the shifting cybersecurity landscape.
- Hold a “fire drill.” While companies who conduct fire drills of their data breach response plans find value in it (80% said fire drills improved their plans’ effectiveness), 40% of companies still aren’t doing them. Practicing your data breach response can help ensure that when a real one occurs, everyone acts according to plan.
- Prepare for ransomware. Ransomware is a growing problem, yet 56% of the companies Ponemon surveyed said they weren’t confident their organisation would be able to handle a ransomware attack. Worse, nearly half (45%) said they’re not doing anything to prepare for ransomware. Few are taking steps to limit ransomware risks, such as auditing and increasing backup of vulnerable data and systems (43%) and including planned system outage provisions in their business continuity plans (40%).
- Engage your C-suite. Involvement of leadership is key to an effective data breach response, yet 57% of companies have boards of directors, chairmen and CEOs who are not informed and involved in data breach preparedness. 66% of IT professionals say their boards don’t understand the specific security threats facing their organisation, and 74% of boards aren’t willing to assume responsibility for successful implementation of their plan.
- Audit third-party security measures. Your own security measures aren’t the only ones that might need shoring up in the new year. The security of your vendors and others you do business with can directly impact the integrity of your own data and systems. Half of companies now require audits of a third party’s security procedures, 93% require third parties and business partners to notify them when a breach occurs, and 80% require an incident response plan to review.
- Emphasize employee education. Your employees can be your greatest asset — or the weakest link — in your cybersecurity measures. Implementing employee privacy and data protection awareness programs can help reduce the risk of employee negligence or error leading to a cybersecurity event. Don’t just stop with a program that happens shortly after an employee is hired. Education should be ongoing in order to keep employees up-to-date on how to defend the company’s data, systems and customers against emerging cyberthreats.
The need for effective data breach preparedness will only grow in 2018. By making and keeping a few key resolutions, you can help mitigate data breach risks and ensure everyone in your organisation is prepared to react well when one does occur.
A data breach can be a character-defining moment for any company. Whether you’re an international conglomerate or a small business, how you handle a data breach speaks volumes about the kind of company you are, how well you treat customers, and your long-term prognosis for business success or failure.
By mid-October 2017, 1,080 data breaches had exposed a known 171.1 million-plus records, and countless other records may have been compromised in incidents for which the scope of the breach was not yet known, according to data from the Identity Theft Resource Center. Research by Ponemon Institute tells us that the average cost for each compromised record is $141, the global average cost of a data breach is $3.62 million and it takes about a year to restore a breached company’s reputation.
Given those statistics, it’s critical for companies to masterfully handle data breach response at every stage, from pre-incident planning to post-incursion security management. Here are the five worst errors you can make in handling a data breach, and how you can avoid making them:
- Responding too slowly. Every day that a cyberattack goes undetected, or detected but unchecked, is another day of escalating damage to your business and customers. Continuous threat detection is essential so that you can quickly identify an incident. Prevention and remediation technologies need to be continuously updated to ensure you’re able to halt the damage as soon as the breach is detected.
- Over-reacting. Doing or saying too much before you have all the facts can be just as damaging as doing nothing. Keep internal and external communications limited to strictly what you know and what others need to know. Never hypothesize. Likewise, you may be tempted to quite literally pull the plug on computer systems and networks to block the incursion, but that can bring business to a total standstill. Instead, focus on isolating affected systems and data from other at-risk portions of your network.
- Communicating poorly (barely or inaccurately) with affected consumers. Effective communication with affected consumers is not only the law, it’s vital for mitigating reputational damages. Again, keep communications factual, but don’t overlook the need for empathy. Provide affected customers with access to a 24/7 help line that is staffed by customer service representatives trained in data breach response.
- Leaving affected customers on their own. Communicating with customers is critical, but not enough on its own. Studies have shown that consumers expect care and compensation from the company through which their data was exposed. In addition to a help line, consider offering free credit monitoring and/or identity-theft protection products to customers whose information has been exposed.
- Failing to learn from the incident. Every data breach response plan should include a post-mortem component. Don’t wait for the dust to settle to implement it. Begin analysing what occurred right away, looking at how it happened and what you need to do to strengthen your defence in order to prevent a breach from occurring in the same way in the future.
Vice President, Experian® Data Breach Resolution & Consumer Protection
Michael Bruemmer is Vice President of the Experian® Data Breach Resolution group and Consumer Protection at Experian. The Group is a leader in helping businesses prepare for a data breach and mitigate consumer risk following breach incidents.
With more than 25 years in the industry, Michael brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity theft protection services.
Legal Notice: The information you obtain herein is not, nor intended to be, legal advice. We try to provide quality information but make no claims, promises or guarantees about the accuracy, completeness or adequacy of the information contained. As legal advice must be tailored to the specific circumstances of each case and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent legal counsel.