Data breaches are a reality in today’s business world. Experiencing one or hearing about one is no longer a surprise to many, especially professionals in the security industry because there is no wholly secured system. The best line of defence is a thorough and ongoing data security program. Therefore, having the plan to respond to and recover from a security breach is essential for every organization of any size. No company, big or small, is immune to a data breach. Many small and medium companies falsely believe they can elude the attention of hackers or cybercriminals, yet studies have shown the opposite is true. According to the Symantec SMB Threat Awareness Poll Global Results, 40 percent of the data breaches in 2011 were at small to mid-sized companies.
What is a data breach?
A data breach is unauthorized access to, disclosure of, or loss of the personal, health, and sensitive information that an organization holds or processes. This definition, therefore, brings to our knowledge that some organizations may have experienced, for example, losing a USB with copies of personal data without recognizing that was a data breach. Most organizations have only considered hacking or ransomware attacks as data breaches, but it goes beyond just that.
Below are some potential data breach examples:
- Losing a portable storage device (USB, flash drive, external hard disk, etc.), laptop, or other personal devices.
- Loss of hard copy files or papers containing personal details, or disclosure of these files to the incorrect recipient.
- Email errors–emails sent to incorrect addresses, the disclosure of the email addresses of large groups of recipients via carbon copy or attaching personal information inadvertently.
- External attack, access, loss, or disclosure on a third-party vendor implicating personal information for which the organization is responsible.
- Phishing, hacking, or other external attacks on an organization’s information repositories.
- Unauthorized access by a staff member to files containing personal, health, or sensitive information.
Whatever the cause of the data breach, some form of harm can cause the organization’s employees and customers or clients. The harm may include financial, social, reputational, psychological, or physical impacts on an individual and reputational or financial damage to the organization itself.
Since data breaches are becoming more common, how a company responds to one can go a long way to maintaining its business reputation and keeping it from losing the trust of its customers, and avoiding or reducing hefty fines by regulatory authorities. As with any crisis, a quick and decisive response is critical. But here is the problem: most breaches go undetected for a long time. According to FireEye’s 2016 Report, it took organizations across the world an average of 146 days to detect a data breach. A separate report found 81 percent of data breaches are not detected until news reports, law enforcement notifications, or external fraud monitoring. The longer a breach goes undetected, the more harm it can do to your business.
Security breaches committed against you or an organization with access to your personal information are serious crimes and are understandably stressful to the victims. Most data protection laws require private organizations and government entities, which have access to or process personally identifiable information, to notify affected individuals in the event of a security or data breach. So, if you read about a data breach in a news report and are unsure if you are affected, you will probably be notified in the event of an emergency.
As stated clearly by VISA: “Because data compromises are often complex, it is challenging to make the rapid communication decisions needed to mitigate the potential harm of a breach. These situations are often further complicated by the reality that every data breach is different and there may be no precedent within your organization for responding. But the stakes for handling a breach effectively could not be higher, and the impact on your business — depending on a variety of factors — can be huge. The impact of a poorly handled breach can reach throughout your business in both the short and long term: bad press, lost sales, mitigation, and litigation, as well as the uphill battle to rebuild your reputation”
The first step is to identify the type of attack that occurred and which aspects of your data – personal information or organizational data – were potentially affected. If, for instance, the theft was to a company’s payment system, then it is highly likely personal payment information would be at risk. Suppose a security breach got access to personal identification information, such as accessing ID-based information or details–such as passport, Ghana Card, Voter’s ID Card, or driver’s license number. In that case, you could be the potential victim of identity theft.
According to the Cost of a Data Breach Report, data breach costs surged 13% from 2020 to 2022. You cannot afford to be unprepared for a data breach’s aftermath. It is up to you to control the situation and protect your brand in the wake of a data breach’s potentially devastating hold on reputation and also to avoid hefty penalties by regulatory authorities or supervisory agencies.
Data breach response policies are essential for organizations of any size. A response policy should outline how your company will respond in the event of a data breach and lay out an action plan that will investigate potential breaches to mitigate damage when a breach occurs.
When an organization realizes a data breach; whether hackers took personal information from your corporate server, an insider stole customer information, or information was inadvertently exposed on your company’s website, you need to be strategic and tactical in dealing with the incident.
The following are some suggested steps elicited by The Federal Trade Commission (FTC) to take in dealing with a data breach:
- Move quickly to secure your systems and fix vulnerabilities that may have caused the breach. The only thing worse than a data breach is multiple data breaches. Take steps so it does not happen again.
- Secure physical areas potentially related to the breach. Lock them and change access codes, if needed.
- Mobilize your breach response team right away to prevent additional data loss. The exact steps to take depend on the breach and the structure of your business.
- Assemble a team of experts to conduct a comprehensive breach response. Depending on the size and nature of your company, they may include forensics, legal information security, information technology, operations, human resources, communications, investor relations, and management.
- Stop additional data loss. Take all affected equipment offline immediately — but don’t turn any machines off until the forensic experts arrive. Closely monitor all entry and exit points, especially those involved in the breach.
- Interview people who discovered the breach. Also, talk with anyone else who may know about it. If you have a customer service center, make sure the staff knows where to forward information that may aid your investigation of the breach. Document your investigation.
- Do not destroy evidence. Do not destroy any forensic evidence during your investigation and remediation.
- Have a communications plan. Create a comprehensive plan that reaches all affected audiences — employees, customers, investors, business partners, and other stakeholders. Do not make misleading statements about the breach. And do not withhold key details that might help consumers protect themselves and their information. Also, do not publicly share information that might put consumers at further risk.
- Anticipate questions that people will ask. Then, put top-tier questions and clear plain-language answers on your website where they are easy to find. Good communication up front can limit customers’ concerns and frustration, saving your company time and money later.
- Notify all appropriate authorities. Notify law enforcement agencies, Computer Emergency Response Teams, Cybersecurity Authorities, Data Protection Regulators, or authorities. The sooner law enforcement learns about the breach, the more effective and helpful they can be.
Author: Emmanuel K. Gadasu
(Data Protection Officer, IIPGH and Data Privacy Consultant and Practitioner at Information Governance Solutions)
For comments, contact the author firstname.lastname@example.org or Mobile: +233243913077