Preparing for a Data Breach: 6 Steps Your Company Can Take Today

It’s not a matter of if, but when.

This has become a common refrain in the world of information security, and for good reason. The “it” in question here is, of course, a data breach. Catastrophic breaches like those that befell Marriott and Equifax may dominate news cycles, but smaller, less headline-grabbing incidents happen all the time. For the individuals affected, the consequences are no less catastrophic. Sensitive personal information, company reputation, careers, and legal fallout are all on the line.

At your company, it’s probable the mere mention of the word “breach” already strikes fear in the hearts of the Chief Information Security Officer and the data security rank-and-file. It may not be quite as top-of-mind within other business functions, but that doesn’t mean other employees shouldn’t feel responsible for the company’s data-protection practices. Everyone should be trained in good data hygiene practices—and be expected to remain vigilant for common threats like phishing attacks.

These are all well and good, but at some point they (probably) won’t be enough. Hacking strategies evolve rapidly. Somewhere down the line your company may face an incident, and the manner in which your company responds should be a critical part of your overall security strategy.

In other words, you know you need to focus on prevention while expecting the worst. But what are the practical steps to do so?

Let’s take a look at a few good first steps you can implement immediately. You’ll notice a common theme: a focus on preparedness.


1) Put strong plans in place—now

You should have your breach response plans and processes well-documented ahead of time. There’s no one-size-fits-all approach here: these plans can be highly detailed and specific to the market and types of data your company deals with. At a minimum, you’ll want to identify key personnel, responsibilities, communication protocols, and timelines.

2) Hire the right people

When businesses hired a senior-level executive such as a chief privacy officer (CPO) or chief information security officer (CISO) to handle the situation and direct customer-trust initiatives, they lost fewer customers and thus minimized the financial consequences. Make sure they’re equipped to do their job effectively.

Even with this level of professional expertise, your company may not be able to handle everything. Don’t be afraid to bring in outside help.

3) Timing matters

The timing piece is critical. You should set SLAs for reporting breaches to government agencies, regulators, clients, and customers. In the United States, for example, just about every state has its own requirement for reporting deadlines. A great summary of these differences is found in a report from Baker & Hostetler, which summarizes data breach laws by state. The GDPR, meanwhile, requires that companies report breaches to the supervisory authority within 72 hours of becoming aware of them.

Another thing to consider: all else being equal, the longer it takes to discover a breach and fix it, the more expensive it’s going to be. The study reports that the average time to identify a data breach is 197 days and to contain it is 69 days (both year-over-year increases). The research claims companies that manage to contain a breach in less than 30 days save over $1 million compared to organizations that do not.

4) Don’t forget the customer

This part boils down to two things: empathy and communication. Place yourself in your customers’ shoes and understand their concerns—they’ll be (rightfully) upset. Address the situation openly and transparently, including the nature of the breach and the type of data impacted. Further, organizations that offered identity protection to impacted individuals retained more customers than those that did not. You can also learn a lot from the Marriott debacle.

5) Put the right solutions in place

Security systems can be automated, replacing or assisting human operators in the detection of a breach in the first place. It’s extremely important to ensure these defenses are kept up-to-date to respond to the latest security threats. They can offer an immense help when human efforts come up short.

6) Test, test, test

Finally, but certainly not least: test your plan. There’s no such thing as being too prepared, and you’ll want to be sure your response plan is sound before a real breach occurs. Better to spend the time and energy stress-testing it now than to expend orders of magnitude more energy responding to a catastrophe.

A tool that can help

Improving data breach response plans, automating processes, and keeping key personnel up-to-date are no small tasks. You’ll want a central location where you can document your breach response plans and processes. When a crisis hits is not the time for strategy and planning — you want your security team focused on executing your response plans. LogicGate’s IT Security Risk Management module empowers risk professionals and entire organizations to prepare for and respond to data breaches, ultimately reducing potential risks and costs, and enabling your business to focus on business.

For more on Risk Management, check out LogicGate's webinar below on The Critical Actions to Survive a Data Breach in 2019 & Beyond.
