Businesses thrive by proactively planning for sales, growth, and staying ahead of industry trends. Internal meetings are held and models are developed to help companies predict, prepare, and ensure a growing bottom line. But despite all of this forward thinking, businesses often overlook ongoing planning for another important area that can have a large impact on their bottom line – a data breach leading to data loss.
Phishing attacks, malware, hackers, and human error can all cripple a business. The cost of lost data continues to increase year over year. According to a June 2016 Ponemon Institute study, the average cost of a lost or stolen record has increased from $154 to $158. The total cost of a data breach has increased from $3.79 million to $4 million in 2016.
While more businesses are implementing BYOD best practices and cybersecurity policies, it’s important to note that effectively implementing a plan takes practice. Revisiting plans and exploring alternative responses is paramount for a business’s cybersecurity. Yet, an October 2015 Experian data breach preparedness study found 35 percent of organizations admitted to not having reviewed or updated their response plan once since it had been put in place.
Creating, examining, and testing a business data breach response plan is essential to help safeguard your company in the event of a breach. Earlier this month, Experian released a comprehensive Data Breach Response Guide, which outlines how businesses can create, implement, and practice a plan in the event of a breach. The following takeaways are from this report.
Create a Plan
A data breach preparedness plan is critical for your business, as it allows you to react swiftly and prevent further data loss in the event of a breach. It can also help your business avoid significant fines, and even costlier customer backlash. In total, the Ponemon Institute states that an incident response plan can reduce the cost of a data breach by an average of nearly $400,000.
During the chaos of a data breach, it’s difficult to decide which departments and individuals should help navigate the aftermath of an attack. It can also be hard to determine which third parties to include. When creating an internal data breach plan, consider including the following individuals and departments:
Incident Lead: This is usually a company’s chief privacy officer. This role will help determine the full response team needed to address the breach. They should also help manage the company’s efforts, ensure proper documentation of the incident, and act as a liaison between the C-Suite and other team members.
Executive Leaders: It is important to have steady communication with your business’s leadership team. Include the board of directors and stakeholders when creating a plan. This will help ensure that future decisions have the support of investors.
Human Resources: A data breach will most likely affect your employees and their sensitive data. Include HR representatives to help develop internal communications for both current and former staff, as well as organize meetings within the company.
Information Technology: Your company’s IT team will likely be paramount in detecting and stopping a breach. Your security department should be tasked with identifying the top security risks to your organization, as well as training personnel on how to preserve evidence in the event of an attack.
Legal: Internal legal and privacy experts can help your company minimize the risk of litigation and fines following a breach. This team should help address how to notify affected individuals, as well as members of the media, government agencies, and law enforcement. They should also be the final sign-off for incident materials.
Public Relations: When reporting a breach to the media or notifying individuals, consider including a PR firm. These specialists can help track and analyze media coverage, respond to negative press, and create consumer-facing materials related to the breach.
Customer Care: This group is essential for keeping abreast of customer concerns. This team should help develop phone scripts, log call volume, and vet customer questions and concerns.
Third Parties: Lastly, take care before an incident to create partnerships and pre-breach agreements with local and national law enforcement, state attorneys general, and forensic teams. Forging partnerships in haste, after a breach has occurred, may result in working with a less-qualified partner.
Testing Your Plan
Once completed, an incident response plan should be practiced. A data breach will affect every aspect of a business, and every team must know how to properly respond. Conducting a breach simulation exercise is an excellent way to replicate the challenges of such an event.
When running a simulation exercise, consider the following:
Enlist an Outside Facilitator: Invite an individual or organization from outside your company to serve as a moderator and help execute the drill. This will allow your team to focus on the response.
Schedule Plenty of Time: Give your company upwards of four hours to conduct the drill and discuss challenges faced and blind spots.
Include Everyone: Make sure this data breach drill includes all of the departments outlined above. Anyone who has a role in a breach response should be included.
Test Multiple Scenarios: Test multiple scenarios that can lead to a breach, like an internal breach, external attack, accidental data sharing and loss, or theft of a physical device. Also discuss events that can take place before, during, and after a data breach.
Debrief Afterwards: Each team should review and discuss the lessons learned from the drill, and outline what they can improve on in the future.
Repeat Every Six Months: Make your data breach response plan a priority, and regularly hold simulations with teams.