There was a point, a few years ago, when the language among security professionals evolved from talking about how organisations should prevent data breaches to how they should respond when a breach inevitably does happen. The necessity of that shift is underlined by a recent report from SecureLink and the Ponemon Institute, which shows that half of organisations have been breached by a third party in the last 12 months.
According to Paul Balkwell, Vice President – International at ZIX | AppRiver, such alarming stats don’t mean that organisations should give up on preventing breaches, far from it.
“The report shows that a number of breaches can be attributed to outsourcing business functions to third-party vendors,” says Balkwell. “While that seems like an easy win for businesses, there’s a cost and a very real threat to granting third parties access into your internal systems and networks.”
“That’s true of many aspects of business,” he adds. “A short-term cost-cutting measure can end up costing the organisation if it results in a data breach.”
Balkwell also points out that this is especially true when it comes to implementing security measures.
“No organisation should simply trust the default security measures that come with the products and services they use,” he says. “They should also make use of third party security firms that offer 24/7 support, offer threat detection and response, secure backups, and keep you compliant with regulations.”
Even with all of that in place, a data breach response plan is still critical.
“The first step in such a plan is to have a data breach response team in place,” says Balkwell. “The team should be drawn from departments across the organisation, including customer care, executive leaders, IT, and HR. This team should also include external partners (if you don’t have them internally) such as legal counsel, communications, forensics, and your technology providers. Everyone in this team should be aware of what responsibilities they have when it comes to responding to a data breach”.
Once the team is in place, simulating different breach scenarios helps its members practise working together to execute the planned response.
“While there may be some technical work that needs to be done in the event of a breach, the real emphasis should be on communication,” he adds. “Internally, everyone within the organisation should have an accurate idea of what caused the breach and what steps are being taken to minimise the damage and secure customer records. While employees may not talk to the press, they will talk among themselves as well as to friends and family. If they have a clear idea of what’s going on, they can help create a sense of calm and avert unnecessary panic”.
According to Balkwell, it’s also important that organisations include communication with regulators and legal authorities in their breach response plans.
“There are a couple of important reasons for this,” he says. “First, it is increasingly a legal requirement — thanks to legislation such as GDPR — that organisations inform authorities of breaches. Secondly, having a good relationship with regulators and legal authorities means that they can guide the organisation and its impacted customers on whether they need to take any additional steps to those already being undertaken”.
Perhaps the most important part of the response plan, however, is customer communication.
“Security breaches that compromise customer data almost always negatively affect customer confidence,” says Balkwell. “In order to regain that confidence, it’s vital that organisations get information out as quickly as possible — either as reassurance or as notification that their personal information has been breached, and what they should do about it. No matter who it’s addressed to, this communication should be calm, informative, and factual.”
Stay safe and refine
Ultimately, an organisation’s data breach response plan should allow it to go into ‘safe’ mode in the event of a breach. This, in turn, should allow it to run system checks to identify the breach, alert a task team and communicate to affected parties, service teams, the information regulator, and media accordingly.
“In order for this to happen,” Balkwell says, “it’s vital that the plan is repeatedly tested and refined. This not only stops people getting complacent, it helps keep the plan fresh in the face of new threats and employee turnover”.
“Backing up regularly and securely is also critical to breach recovery,” he concludes. “Your backup provider should be able to address the unique needs of laws such as GDPR and any others that impact the jurisdiction you operate in. This includes, but is not limited to, its choice of data centre, data encryption, at-rest and in-transit rules, and the ability to purge backups. Additionally, adopting a backup provider shouldn’t impact on your organisation’s ability to do business”.