Dealing with a Data Breach


This volume of data is a good thing in a number of ways – for example, it has never been easier to shop online or to quickly find a customer’s details. But, as with everything, there are drawbacks.

A key risk is that if the data an organisation holds, whether about customers, suppliers or its own staff, falls into the wrong hands, the consequences can be very serious. A data breach of this kind will not only damage an organisation’s reputation and standing, it is also likely to be very expensive.

What’s more, the costs are rising year by year. According to research by the Ponemon Institute, in 2011 the average cost to an organisation of a data breach was £1.75 million; by 2013 this figure had risen by 15 per cent to £2.04 million. And while the most serious data breaches tend to hit large organisations, smaller businesses can be victims too, possibly with even greater consequences, as they may not be as well equipped to deal with the incident.

The best cure – prevention
That’s why it’s absolutely vital that every organisation is aware of the risks and already has plans and policies in place long before any incident occurs. The last thing any business wants to have to do is create them after the breach has taken place.

It may be one thing for a large organisation to create a dedicated team with responsibility for data security, but the situation is very different for a small or medium-sized enterprise. Nevertheless, precautions can be taken and plans can be made.

One of the first, and most critical, steps is to educate employees both about the importance of keeping data safe and the ways in which breaches can occur. This can be done via regular employee training sessions, and can be built upon by a periodic risk assessment. Doing this allows you to analyse potential security holes as your business develops, allowing you to be proactive rather than reactive to potential digital security risks.

If you are a small or medium-sized organisation without your own dedicated security team, it is recommended that you hire an external security consultant to carry out the risk assessment. This gives you access to current practice and helps to identify flaws that staff who use a system every day often become blind to.

If many of your staff use laptops or mobile devices to access data, it is also recommended that you provide specific training on how to handle data securely when accessing it, or sending email, over unsecured or remote connections.

Secondly, it is a wise move to limit the amount of data you hold about third parties to as little as possible, and to limit access to that data to the staff who really do need it. Depending on the nature of your business this cannot always be avoided; if your SME relies on large amounts of client data being used across a variety of staff, it is recommended that you compartmentalise the data into separate folders, each with its own access logins.

This ensures that if there is a data breach in one section of your company, there is a smaller chance that it will affect all of your client data. Some companies have taken this further, splitting data across several virtual or physical servers, each with a clearly defined access structure.

Thirdly, never assume that your standard encryption procedures alone will keep data secure. Many people falsely believe that if encryption is defeated you will automatically be notified and able to attempt to stop the breach.

However, online criminals are becoming ever more sophisticated, and often a breach is not discovered until far too late; some criminals simply harvest data undetected for months until they have what they want.

A prolonged data breach is the worst case scenario for your company. An essential step in staying ahead is to ensure that your security software is always up to date. This means not just anti-virus but every form of software that forms part of your line of defence, from the server room all the way through to your staff PCs. It is also important to agree your rules and standards clearly with all external data consultants and security firms before any work begins. This allows you to build a data policy from the ground up.

Plan B – dealing with the breach
Of course, even the most prepared organisation can be hit by a data breach and if it happens to you, the way you deal with the situation is critical.

Counterintuitive as it may seem, being open about data that has been exposed is vital, and there is one key group who must be kept informed: the individuals or organisations whose details have been disclosed. It is important that all affected parties are satisfied with how the breach is handled, because you hold their personal data under an obligation of confidentiality; a breach means you are technically in breach of that confidentiality, which can lead to lengthy and costly disputes that compound both the business cost and the bad publicity.

What’s more, you should give them as much information as possible and be as open as you can about the possible consequences for them of their data being released in this way.

This may feel like opening yourself up to scrutiny, but if those affected know what was taken it becomes easier to agree new ways of storing their data, such as keeping names, dates and prices in separate files or worksheets that can be collated when necessary, so that a stolen copy of any one of them is hard to make sense of. If you work with client firms to store their data in a form that is hard to decipher if stolen, you reduce the risk of serious losses, financial or otherwise, for you and for them.

It is also critical to discover exactly how the breach occurred and to take positive and effective steps to prevent it from happening again. The best way to do this is through an objective, neutral party, and certainly a different person from the one who undertakes your periodic risk assessment.

A neutral party allows you to develop a clear and credible picture of what went wrong. An internal investigator, by contrast, may worry about damaging personal relationships if human error is at fault, or about their own career if a flaw is revealed that should have been identified sooner.

Do all these things, and do them promptly, and you will help to minimise the consequences for your company. And although it will cost you money and may tarnish your reputation in the short term, the way you behave will be a key factor in how quickly you manage to put the problems behind you.

Image: Data breach by Shutterstock