In the past year alone, there have been more than 2,200 confirmed data breaches globally, and 53,000 incidents where the integrity of a security asset was compromised. These alarming statistics show no signs of slowing down any time soon.
As a result of this rise in cybercrime, corporate IT and security teams have begun ramping up their infrastructure and raising awareness to prevent attacks from occurring.
But preparation and prevention are just the beginning. If and when a data breach occurs, organizations need to take a comprehensive approach to risk mitigation that works to prevent an incident from happening, and has fail-safes in place to recover from an incident should it occur.
Here’s why this approach matters.
Equifax: a teachable moment
In 2017, a months-long data breach at credit reporting agency Equifax exposed the personal information of more than 143 million Americans. As reported in the media, a number of internal errors led to the hack, including out-of-date software, failure to conduct routine security reviews and refusal to adopt widely used best practices.
Instead of leveraging a public-facing communications strategy, Equifax took an approach contrary to best practice: it waited six weeks to disclose the breach and stayed quiet amid consumer and media outcries for updates. As a result of this lack of speed and transparency, the firm continues to face scrutiny and investigation from the U.S. government, media publications, and consumer watchdog groups.
Four tips for handling a data breach
Imagine your company in a similar situation, albeit on a smaller scale than Equifax. How would you handle it?
It is critical that companies realize the importance of having a risk mitigation strategy in place and a recovery strategy to return to business-as-usual quickly without losing public trust.
Understanding that your risks are interdependent and can impact the organization as a whole is why Pinkerton prefers a comprehensive approach to a data breach. Should a data breach or similar incident occur, ensure your organization is best positioned for an efficient recovery with these four tips:
1. Know your responsibility
With the advent of the General Data Protection Regulation (GDPR) and increased focus on data breach awareness under the Fair Credit Reporting Act (FCRA) and similar guidelines, your company should understand its obligations and have in place communication and resolution procedures that comply with the laws and regulations of the affected jurisdictions.
The time to understand your obligations if a data breach occurs is before the breach, not after. In addition to the potential damage to your brand, a poor or noncompliant response to a data breach may add criminal and civil penalties to the cost of the breach.
2. Be transparent
Aside from the communication required under federal laws and GDPR guidelines, it is necessary to be as transparent as possible with the public about how you are going to fix the problem, to prevent any further damage to your brand.
When developing messaging, lay out a robust solution that explains how similar issues will be prevented in the future and incorporate a timeline that lets people know you are serious about making the investment to improve.
3. Communicate to affected parties
Once a data breach happens, in most cases you have legal obligations to communicate immediately with all affected parties. Since the manner and required format of data breach communications vary by jurisdiction, you need to engage your compliance and legal advisors before exacerbating an already bad situation with ill-advised attempts to ameliorate it.
Internally, all employees should be informed of the attack and what the next steps will be. Additionally, anyone who is able to help, such as IT specialists, PR teams, and client-facing personnel, should be involved.
Externally, alert the appropriate authorities and send direct communications to clients or customers notifying them of the breach and assuring them that the situation is under control. It’s also important to draft an official media release as a way to get in front of the story and more accurately control the narrative.
4. Plan for the long term
Dealing with a data breach isn’t a temporary blip. There’s no bandage that can withstand the multi-faceted pressure resulting from this kind of attack. The knowledge that this is a long-term effort should be built into your crisis communications plan from the start.
Proactive determination to prevent the issue from being repeated, together with shifting the focus from your company’s security failings to the positive action it is taking, will help to defuse negative press or perception, and could even drive a new era of growth and opportunity within the organization.
It’s critical to have preventive security measures in place when it comes to protecting data and information. However, it’s equally important to have a recovery response program defined and ready to go should an incident occur. This will help ensure the right messages are communicated to the right parties while minimizing an organization’s exposure and risk of losing business and, perhaps more importantly, the trust of your target audiences.
To learn more about cyber-crime and data-breach risk mitigation, visit the services area of our website or contact us today.