Best practices for responding to a data breach

Over the past couple of decades, computer automation has drastically changed the way business is conducted. Technology has lowered costs and increased efficiency and productivity, but it has not come without drawbacks.

One of the biggest disadvantages of relying on technology to run operations and store information is the risk of a data breach.


What is considered to be a data breach?

There are several types of data breaches, some intentional, some accidental. Hacking is a serious problem and probably the first thing that comes to mind when one hears "data breach", but there are many other ways information can be exposed.

Examples include:
  • An employee loses a laptop
  • A contracted vendor experiences a breach
  • Equipment is stolen
  • An email is sent out to the wrong parties
These are a handful of the ways information can be compromised, but there are many others. For instance, in June 2013 it was reported that at least one retailer put the wrong label on a package and sent a customer a load of confidential employee information.

However it happens, whether through malice or error, a data breach can be disastrous, considering the gold mine of information collected by businesses and other organizations. Attackers would love nothing more than to get their hands on this information once it is exposed.

How to respond to a breach

While businesses hope it will never happen, the reality is that data breaches are a fact of life these days. It is important to respond correctly to an incident once information has been compromised. According to Experian, organizations should follow a series of steps in the event of a breach. [PDF]

After the breach is discovered, leadership should assemble an internal response team, initiate an investigation and contain the problem immediately, taking care not to destroy evidence that forensic work will later depend on. Depending on the situation and type of breach, law enforcement may need to be contacted; if applicable, do so as soon as possible. In some cases the organization will need to hire outside expertise, which may include public relations, forensics and attorneys, to name a few.

Once these pieces are in place, a public announcement will need to be made, along with a website dedicated to the breach. Customers and other affected individuals will need to be notified, by mail or email, and the notice should include advice on how victims can protect themselves now that their information has been exposed. The risks include identity theft, financial fraud, and phishing attempts that use the exposed data to extract further information for theft. The organization needs to prepare itself for inquiries and should respond to them in a timely fashion.

Aftermath of a breach

The Experian report also noted that one in five organizations has not developed a formal incident response plan. A 2013 Ponemon study found that organizations can "greatly reduce" the cost of a data breach by creating an incident response plan, appointing a chief information security officer (CISO) and maintaining a strong IT security posture.

In today's business environment, the possibility of a data breach is no longer something that can be gambled on or ignored. More and more countries are enacting laws governing compromised data.

A data breach is also a very costly occurrence, with costs that can run into the millions of dollars. It can have a severe impact on an organization's reputation; some companies never recover. If your organization does not have a data breach preparedness plan, it is time to make one.
