Any organisation handling sensitive customer data at some point is going to face the challenges of an attempted or successful data breach. According to the Ponemon Institute Cost of a Data Breach Study 2018, one in four organisations will suffer a data breach in the next two years.
So, when you have just learned that your business has experienced a data breach, you are probably wondering what to do next. Find out how you should respond to a data breach in this blog.
What is a data breach?
A data breach or incident occurs when an unauthorised party accesses private data. Whilst this usually means that it is either stolen, copied or deleted, it doesn’t have to be: evidence of an unauthorised user merely viewing the data can be considered a breach.
A data breach can occur in several ways, and there is a broad range of different techniques that hackers can use to access an organisation’s data assets.
Quite often some of the most advanced attacks are well-researched and use several different techniques over a long period of time.
Social engineering is often one of the key factors in these attacks. These techniques are psychological rather than technical: they persuade employees to give away legitimate credentials such as passwords, which helps attackers circumvent the automated technology protections that are in place.
What are the main risks associated with a data breach?
Loss of reputation
If you aren’t looking after your customers’ data, then you could be exposing them to unnecessary risk. This is particularly the case if it’s sensitive data like credit card information, which would then undermine their confidence in you as a supplier and their willingness to do business with you in the future. It can also affect your share price: a 2018 study found that breached companies routinely underperform in the stock market long-term.
The obligations around data protection breaches are very serious. The regulatory environment is becoming a lot stricter, for example under the GDPR, which can result in some very large fines for companies that aren’t taking appropriate measures to protect data.
Loss of revenue
Loss of reputation can sometimes translate immediately into direct revenue loss, either because your customers turn away from a supplier considered unsafe, or because the loss of data halts revenue-earning transactions, or both. In addition, breaches can cause downtime, which can also directly affect revenues in the here and now.
Threat to intellectual property
Important information about your own business could be compromised, such as who you are working with or other sensitive information such as product designs, and your organisation could be disrupted or disadvantaged as a result.
How to deal with a data breach
Don’t wait for the breach to happen before working out what your process will be, because then it will be too late. You need to work out what your response process is ahead of time in a Cyber Security Incident Response Plan (CSIRP), so that you can be the calm in the eye of the storm and co-ordinate the response and recovery effort. It may seem obvious, but the PwC Global Economic Crime and Fraud Survey 2018 found that only 30% of organisations have a cyber response plan in place.
Create a team
A breach can affect all areas of an organisation, and effective communication across the business is key. Clear thinking and swift action are required to mitigate the damage.
Make sure you appoint the right team to deal with the cyber security attack, and appoint a leader with overall responsibility, such as the CIO. Make sure there are representatives from many areas of the business, such as IT, communications, and legal.
These representatives need to be more than just names on a list: they must actively contribute to the formulation of the plan and take responsibility for ensuring that it is implemented, or that employees are aware of it, as appropriate within their respective business areas.
Find out what happened
In the case of an actual breach, you need to make sure you know exactly what has happened by performing a data breach analysis. Data breaches aren’t always clear-cut and easy to understand. Take time to piece together what went wrong and address the root cause of how it happened in the first place.
Ensure you have appropriate systems and processes in place to be able to analyse activity before, during and after an event. Internal security is about more than just prevention: many customers recognise that the chances of being breached are very high, and post-breach cyber forensics is becoming as important as prevention in the first place.
You need to be able to understand the specific corrective actions that need to be taken and ensure that processes are in place to implement them rapidly. This might include installing patches, resetting passwords, disabling network access for computers affected by viruses, recalling emails, deleting information, and disabling links, to name a few. However, care must be taken to ensure that these actions do not compromise any investigation. Use of third-party incident-response services should be considered if you have any doubts about your ability to respond internally with sufficient speed and comprehensiveness.
Notify the relevant parties
Communicating and reporting a data breach at the right time is important. For serious data security breaches, proactive notification is generally the right thing to do. You may still be investigating and not know all the details, but the more information you can give, the better.
In some cases, depending upon the nature of the breach and the measures in place to mitigate the impact, you may only be obliged to notify the authorities and will not be required to make any public declaration or notify your customers. In other cases it will be absolutely imperative that you notify all affected parties immediately. It is vital that you have a detailed understanding of your responsibilities in this regard across all circumstances.
Determine the business impact
The next thing to do is to understand the financial implications so your organisation can plan for the long term, as the cost and loss in productivity may have serious consequences for operations in the medium to long term. This will also help inform your data breach strategy and budget for the future.
Prevent future data breaches
Having addressed the immediate threat, prevention is the final step. Carry out a thorough post-breach audit to determine whether your security practices can be improved. Read our next section for tips to avoid data breaches in the first place.
How can companies prevent data breaches?
Generally, the logic has shifted from ‘you need to be secure’ to ‘you have to expect to be breached’. There is no silver bullet which makes an organisation fully secure, but there are several actions you can take to minimise your risk of attack and minimise the potential impacts if you do suffer an attack.
Having the right technology in place, the correct architecture, visibility of operations, and oversight of the human risks are all core factors.
The human element in particular involves having processes in place and the correct education instilled within the organisation. Find more tips in our blog about identifying and protecting your organisation from cyber security threats; our blog on educating employees about cyber security specifically deals with the human element and the importance of cyber security awareness.
There are also some useful security frameworks that have been developed by certain bodies that can provide a valuable reference guide for improving internal processes and procedures. Some of these come with their own formal certification programme, whereas others are merely useful reference models.
For an organisation that needs to address the basics, but doesn’t know where to start, the UK government’s National Cyber Security Centre (NCSC) has formulated Cyber Essentials, which is a set of basic recommendations constituting the bare minimum that any organisation of any size should definitely be doing.
For organisations that are a little further along in the journey and already understand their current security posture a little better, there are more detailed and complex frameworks and standards such as NIST or ISO27001 available. Organisations don’t always need to implement these fully; in fact, it is not usually appropriate to implement all measures to the letter, and implementation is often tailored to the specific business environment. However, these frameworks can be used as a best-practice reference for the organisation and help highlight key areas of risk or exposure.
They don’t have to lead to any kind of public certification or accreditation, but many of them can do, and all of them will help an organisation that is interested in pursuing one. There is a lot of commonality across the different frameworks, so adherence to recognised best practice as embodied in one of them will usually ensure that many certification requirements are already met or at least ensure the gap between where you are and where you need to be is significantly smaller.
Another tip is to understand whether there are any very specific regulatory requirements that your organisation must adhere to. Some environments require tighter controls than others, usually depending on how sensitive the data they are dealing with is. For example, if you are processing credit card payments, you need to understand the PCI DSS regulations.
Our final tip is to seek out third-party support if needed. Developing a robust cyber security strategy and finding the right solutions can be difficult if you don’t have the right skills in-house. Whatever your needs in the cyber security arena, Capita’s expert advisory capability can help identify or even fill the gaps and improve your compliance and overall security posture. Contact us to see how we can help.