Are you prepared for a Data Breach?
Every business should be prepared for a data breach: hackers act indiscriminately and any business could be a target.
An incident response plan is an essential part of the jigsaw in managing cyber risk and plays a very important role in being prepared for a data breach.
The plan should be reviewed and updated at least annually, with consideration given to the following:
- Breach experience of the business's peer group
- Independent third party review of the incident response plan
- Tabletop exercises to ensure effective implementation of the plan
- Appropriate employee training
- Crisis management scenarios played out to address the changing cyber risk landscape
- Effective communication practised at all levels of the business in the event that the plan becomes operative
What makes a good Incident Response Plan?
1. Buy-in to the implementation of the plan by all relevant stakeholders, including the legal team, IT, risk management, HR, public relations and facilities management.
2. Board-level support led by the CISO.
3. An ongoing synopsis of cyber threats to the business so the plan can be adapted or revised.
4. Assessment of any third parties' cyber exposures that may impact the business, with checks carried out on their own cyber risk posture.
5. Minimum security standards implemented with third party providers
6. The purchase of cyber insurance to support the business and to make use of the insurer's incident response team of professionals.
The Experian Data Response Guide is an annual report that provides plans and processes to implement when a data breach occurs within a business.
The most recent report shows that awareness is now at a much higher profile than it has ever been, with senior management more involved in being prepared for a data breach. There is still, however, a lack of confidence in actually being able to manage a data breach. The report also showed that incident response plans were not regularly updated, with 35% of businesses not having updated their plan since it was first instigated. It was also discovered that very few businesses hold a “dry run” to see how the plan would work in practice.
The stakeholders in the incident response plan need to come from all levels: senior board members, finance and HR directors, and employees representing different sectors of the business.
General Data Protection Regulation (GDPR)
The GDPR comes into force on 25th May 2018 and brings with it an obligation to protect the personal data of individuals, together with the onus to report any data breach that may impact such individuals.
It is therefore important that businesses have robust systems in place not only to manage the appropriate handling of data but also to cope with a data breach should one occur.
This includes whom to report the breach to and what to report, with reference to such matters as the nature of the breach, its consequences and the measures taken to address it. Systems therefore need to be in place so that this information can be provided to the ICO or other relevant regulatory body.
Experian Data Breach Resolution and the Ponemon Institute released an industry study on 27th June this year which revealed that, whilst most businesses are aware of global data security regulations, they have not yet addressed the necessary organizational changes in order to achieve compliance.
The study, carried out on 550 IT security and compliance officers and entitled “Data Protection & Regulations in the Global Economy”, ascertained that 32% of the respondents still did not have an incident response plan in place. Furthermore, only 9% of businesses stated that they were ready to comply with the GDPR next year, with 59% stating that they did not know how to comply.
Cyber insurance can help with managing and mitigating a data breach; the following services are included when a cyber insurance policy is purchased:
- Legal assistance in notifying data subjects whose data may have been lost
- Forensic investigation to help ascertain how the breach was caused and whether the attacker is still able to access the computer systems
- Public relations support to help manage the impact the breach might have on public perception
- Credit monitoring services to monitor individuals' bank accounts should their data be used to carry out fraudulent transactions
The appointment of such specialists on an individual basis can be very expensive and it is worth considering this form of insurance for this reason alone.
To sum up, an incident response plan is a key piece of armoury to help protect a business from the consequences of a data breach, and should be an integral part of the overall cyber risk management procedures and practices.
Image: Shutterstock