WARNING: If you haven’t read the Ponemon Institute’s recent “Fourth Annual Study: Is Your Company Ready for a Big Data Breach?” sponsored by Experian, this information may be a bit of a shock to you.
More businesses than ever have a response plan for data breaches, but there are still signs showing that businesses aren’t properly prepared for an attack on their data. Here are some of the numbers from the Ponemon Institute study:
- Almost a third of businesses (29 percent) haven’t looked back at their data breach plan since implementing it.
- More than half (57 percent) of companies say that executives and other senior-level employees aren’t involved with activities related to data breach preparedness.
- Fewer than half (41 percent) of responding businesses were confident that they’d be able to handle a breach that encompassed “business confidential information and intellectual property.”
If data breaches were an infrequent occurrence within only select industries, this might be more understandable. But this isn’t the case. Data breaches can happen at any time, to any kind of business. Don’t be one of the businesses that’s caught by surprise with a breach of any magnitude.
1. Understand the Risk and Consequences of a Breach
It’s a mistake to underestimate how likely a breach is for your company and how disastrous the effects could be. Even if you’re a small business, even if you think your data would be of no interest to hackers, you are still at risk for a breach.
When, rather than if, a breach occurs, the consequences can be disastrous, as many past incidents show. Since 2005, when data breaches became a serious issue, millions of records have been exposed and thousands of breaches have occurred. High-profile data breaches in the past half-decade, to name just a few, have included:
- Target: The huge Target breach of 2013 is still fresh in many people’s minds because of its effect on millions of Target shoppers’ payment card information.
- Anthem: In early 2015, Anthem experienced a breach of nearly 80 million customer records. This attack was especially disastrous because of the medical nature of the information stolen.
- Department of Homeland Security: Not even the government is safe from data breaches. In February 2016, hackers obtained and published online thousands of employee information records, including those of some 20,000 FBI employees and 9,000 DHS employees.
- eBay: Information on more than 145 billion eBay customers, including addresses and login details, was leaked in 2014. Because financial information was kept safe from this attack, it was not as disastrous as it could have been.
All these attacks were of varying severity and cost, but the estimated average cost of a data breach is about $4 million, according to IBM and the Ponemon Institute’s 2016 Cost of Data Breach Study: United States.
2. Involve Multiple Stakeholders in the Breach Management Plan
It needs to be clear who is in charge of what long before a breach ever happens. Having designated roles and leaders helps any data breach response team execute. It’s also been shown that the costs of a data breach decrease when a security leader is put in place. When a whole team is ready to respond to an attack, costs decrease even further, according to the 2016 Cost of a Data Breach Study from the Ponemon Institute and IBM.
3. Plan How You’ll Respond to the Public
Following the 2013 Target data breach, Target issued a series of press releases about the incident. The releases included a formal apology, information for how to contact Target about individual questions related to the breach, and facts and updates about the breach.
After any company crisis, whether it’s a data breach or a social media scandal, it’s key to take control of the situation from a communication aspect as early as possible. (Though it’s also key to take the time to formulate a measured and thought-out response.) Silence on the part of your company after a breach can make you look negligent or ambivalent about the situation.
Involve PR and customer service in your data breach planning so you know how to communicate an issue to your customers en masse and individually.
4. Prepare for Any Kind of Potential Breach
Because breaches can come from many places, it’s important to be prepared for every eventuality. A common, yet unpredictable source of breaches is your employees. That’s why training on best practices for security should be enforced for all teams and workers, even those not involved in the data breach management team.
5. Regularly Practice & Update Your Plan as Needed
As we mentioned at the very beginning of this article, 29 percent of businesses reported not looking back at their data breach plan after they’d created it.
You can’t reasonably expect even the best data breach response team to pull off a crisis plan without a hitch if they haven’t practiced. Experian recommends doing a large test of your response protocol once a year, at a minimum, in addition to smaller, more frequent tests. Taking the time to prepare for a breach can pay off in the long run by reducing the cost related to a breach, according to a SANS Institute Report referenced by CSO Online.
6. If a Breach Happens, Understand Why and How You Can Prevent Further Issues
A breach may be costly, bad for business and embarrassing, but it’s possible to learn from an incident so you avoid making the same mistakes again. Though breaches can be a learning tool, you don’t have to wait until a data breach happens to learn from the mistakes of other large companies.
You may not be able to predict when or how it will happen, but it’s not unlikely that your company will experience a breach at one time or another. Being proactive and creating a plan that you rehearse and keep updated is one of the best ways to not be taken by surprise when a breach occurs.