As we look back on 2015, it is easy to see the heightened stakes in data breach response.
The U.S. government’s Office of Personnel Management was hacked, with as many as 22 million Americans’ personal data stolen. This includes fingerprints and background checks. One hacker tapped into the director of the CIA’s personal emails and breached a portal that law enforcement, including the FBI, uses to share intelligence and book those arrested.
It’s not just government agencies that fall victim to attacks. Any company that collects sensitive data can become a target for hackers and nation-state actors.
The risks are getting higher for those whose data is breached, too. Javelin Research predicts that by 2018, some eight million people will experience a credit card breach and identity fraud within the same year. There is no doubt that criminals have become more sophisticated and better able to parlay one successful hack into another. Cyber criminals have crafted more elaborate “social engineering” methods—tricking people into compromising corporate security. Phishing schemes still deceive about one in four people, according to the Verizon 2015 Data Breach Investigations Report.
This only reiterates the idea that a cyber attack is likely for almost every organization. There are steps that a smart company can take now to help mitigate the damage should a breach occur. Preparing for a cyber attack must become as ingrained in the company culture as a tornado evacuation plan or a fire drill.
One of the key steps to prepare for an effective breach response is to build a data breach response team that has created—and practiced—a response plan. Make sure that contact numbers for team members—including those for non-work hours and mobile phones—are readily available. A customer support and communication plan should be built into any response and should cover how and when customers and regulatory agencies will be notified, as well as what protections will be offered to those affected.
Proper preparation is only one piece of the puzzle, however. In the event of an actual breach, there are critical steps to take to ensure your organization is able to successfully launch your customer-facing response:
- Immediately assemble the breach response team. Your team should include internal experts as well as third-party partners such as communications and legal experts. A partner experienced in the customer-facing aspects—including responding to the surge in customer demand, answering identity theft-related questions, and providing identity protection services—should be part of the team.
- Review and update the plan. A plan that has been carefully honed in advance is certainly an advantage. But it may not have anticipated some of the nuances of the particular data breach your organization is facing. So, one of the first action steps for the crisis response team is to look at the documented plan and make any changes needed. If there is one guiding principle in any plan, it should be to keep the response focused on your customers.
- Launch the initial response. This includes informing customers, and in some cases, regulatory agencies, about what has happened and how you plan to minimize any damage that results from the event. One significant misstep to avoid: Don’t provide public information that may need to be corrected at some point. Instead, only release the information that is known and confirmed at the time. There is nothing that will breed a lack of confidence more than a constantly shifting explanation of what happened.
As for the customers, this is a good time to let them know exactly how you intend to protect them. Understand, though, that they may be hesitant to provide their information to a third-party service—especially if this data was not compromised in the breach. And they will be suspicious of anything that smacks of an attempt to upsell them. To combat these challenges, lead with the promise that you will repair any harm that comes to them as a result of the incident.
In 2014, there were nearly 80,000 security incidents, according to the Verizon Data Breach Investigations Report. And business news website ZDNet reported that one billion personal records were illegally accessed in those breaches.
The time for asking “if” a data breach will occur has passed. It’s time to prepare as if one is inevitable.