What if my Business is Next?
Regardless of cybersecurity proficiency, no organization is safe from data breaches. That’s why it’s critical that every business develops and documents an Incident Response Plan. Your response plan will outline steps your organization should take if you suspect data has been compromised. The quicker your business follows the plan, the better off you will be, and you will be in position to mitigate the impact the data loss will have on your business.
According to the 2018 IBM Cyber Resilience study, 77% of businesses worldwide do not have an incident response plan applied consistently across their organization.
Reviewing recent 2018 breaches, you’ll begin to realize that even corporations such as Marriott, Amazon, USPS, Google+ and Facebook are susceptible to cybercrime. If fraudsters can infiltrate these large enterprises, imagine what they can do to small and medium-sized businesses (SMBs). It’s only a matter of time, and the time to prepare your organization is now.
Building Your Breach Response Team
It is critical that key personnel are trained and understand their responsibilities to effectively respond when a security breach occurs. By identifying and containing a breach you can save yourself a lot of money. Establishing an incident response team reduces the cost of a data breach by as much as $14 per compromised record.
When developing a data breach response plan, it is crucial that activities across teams are coordinated diligently to reduce the chances for unintentional errors.
IT and Security personnel should be continuously assessing your company’s data security gaps and training on how to detect vulnerabilities and apply necessary security measures. They are also the first responders for the containment and mediation of a breach. According to the 2018 Cost of a Data Breach Study by Ponemon, companies that identified a breach in less than 100 days saved more than $1 million compared to those that took over 100 days. A Legal Team may need to work alongside IT depending on the severity of the breach to identify legal obligations and provide advice.
Human Resources will serve as the frontline for communicating with employees, especially if their personal information was breached. They may also help equip employees with resources and best practices for further protecting themselves and their families (both before and after a reported security incident).
The Communications Team is accountable for notifying those impacted, as well as the press. They must work hand-in-hand with the Legal Team to make sure communications are timely and accurate, which can help to minimize the possibility of government-imposed fines from regulations such as GDPR and PIPEDA.
Developing a Breach Communications Plan
As a reputable business, you are responsible for notifying law enforcement, other affected businesses, partners, employees and customers of the potential information disclosed. Post data breach communications may include explaining how the incident occurred, what information was compromised, what actions have been taken to remedy the situation, and how your business intends on protecting affected individuals. It’s important to note that your employees or customers will respond with questions and that you should be prepared with answers, such as a formal Q&A document. In addition, be prepared for inquiries to surface via phone calls, e-mails, social media, and press. Keep your communication honest and timely as this will help you maintain strong relationships with your customers.
State and federal laws dictate the notification requirements of your business. Some states require immediate notification while others allow up to a 90 day grace period. The chances for litigations and fines are diminished as your business familiarizes with these requirements. Being timely with your notification also promotes an honest demeanor, helping protect your businesses reputation and helping avoid customer turnover.
Training and Awareness
For your Incident Response Strategy to be effective, employees should periodically practice with simulated breaches. If an event does occur, response team members should be familiar with the processes within the plan and ready to jump into action. When executing your plan, keep a keen eye on potential roadblocks and make improvements to the framework with every rehearsal. By making your Data Breach Response Plan a routine, you can help your organization be better prepared for an actual breach.
Proactive Tips for Businesses in Today’s Breach Environment
Be Prepared: Don’t wait until a breach occurs to create your Response Plan.
Protect Your Employees, Customers, and Partners: Arm your business with identity protection tools as an added layer of defense.
Practice Makes Perfect: When a breach occurs, it should not be the first time personnel are going through your business’ Incident Response Plan.