Whilst data breaches can result in substantial fines that can hit company finances hard, they have many, often more immediate, impacts. Businesses that do not respond quickly and decisively at the first sign of a data breach will find themselves constantly struggling to play catch-up. This means that when the fine hits they are often in such a weakened state that they cannot recover. The brutal truth is that 66% of small to medium businesses go out of business after a data breach.
Large companies often don’t fare much better. Whilst they may be better equipped at dealing with the financial impact of a fine, the reputational damage can be immense. Once businesses have lost sensitive data it can be almost impossible to convince customers that they are a trustworthy organisation. Throughout 2017 companies large and small suffered data breaches, the overall impact of which was larger than it needed to be. If you want to mitigate the impact of future data breaches, and hopefully prevent them, here’s what you need to know.
When a data breach occurs, businesses must know exactly how to react immediately. A data breach requires an immediate response from every part of your business. Your IT and business teams will need to locate and close any vulnerabilities in your IT systems or business processes and switch over to Disaster Recovery arrangements if they believe there has been a data corruption. Your business units need to invoke their Business Continuity Plans and you will need to stand up your executive Crisis Management Team.
Your speed and effectiveness of response will be greatly improved if you have at your fingertips the results of your Data Protection Impact Assessment (DPIA) that details all the personal data you collect, process and store, categorised by level of sensitivity. If companies are scrambling around, unsure of who should be taking charge and what exactly should be done, then the damage caused by the data breach will only be intensified.
Be open and honest
A data breach is never ideal, but if your business suffers one it is important that you inform those that are affected as quickly as possible. This will allow them to implement their own self-protecting measures. We live in a highly connected world with hyper-extended supply chains and therefore having a crisis communication plan that sets out in advance who needs to be contacted should a breach occur will mean that important stakeholders don’t get forgotten in the heat of the moment.
Failing to inform people in a timely manner can be very costly indeed. In 2017, it was revealed that Uber kept quiet for more than a year about a data breach that affected 57 million people. Regardless of the reasons behind Uber’s silence, when the news broke there was a public outcry that damaged the company’s reputation so badly that its shares suffered a 30% loss.
The Information Commissioner’s Office (ICO) compiles quarterly statistics about the main causes of reported data security incidents. In the last quarter, four of the five leading causes in cases where the ICO took action involved human errors and process failures. Therefore, whilst it is important that, once a breach has occurred, IT administrators comb through network traffic archives to look for any abnormal activity, it is equally important to look at your business processes and ensure that your DPIA is up to date.
If the breach is a criminal matter, make sure you pass on any and all relevant evidence to the police so that those responsible can be brought to justice.
Pre-empt future attacks
Prevention is always better than cure. Therefore, rather than wait until you suffer a data breach and find out the hard way what threats and vulnerabilities you have in your IT systems and business processes we recommend that you take action now.
It is good business practice to continuously monitor risk, including information risk, and ensure that the controls are adequate. However, in the fast-paced cyber world where the threats are constantly changing this can be difficult in practice.
By partnering with an external provider such as Sungard AS, you have access to all the specialist skills and capabilities you need to make sure that your organisation is as robust as it can be and is ready and able to spring into action to minimise the impact of a data breach.
For example: our security professionals can conduct physical and logical penetration testing and check your organisation’s susceptibility to social engineering; our business process professionals can ensure that you have effective business continuity and back-up solutions in place; and our crisis leadership team can provide executive coaching to ensure that your C-suite have the skills, competencies and psychological coping strategies that will help them lead your organisation through the complex, uncertain and unstable environment caused by a data breach and emerge on the other side stronger and more competitive than when you went in.