In the current business environment, data breaches have become all but an inevitability that every company must deal with. Any organization that handles details about their customers, their payment forms or information about the firm itself can become a target for hackers – it's no longer just the large enterprises that are reporting breaches – groups of all sizes in nearly every industry could fall victim to a security incident.
While it is no longer a question of if a breach will happen but when, this doesn't mean that enterprises should wait until hackers infiltrate their systems to take action. There are steps organizations can take to prepare themselves for a breach to ensure they are ready to mitigate the damage before it even happens.
What data does the company have?
One of the first thing company leaders can do to prepare themselves for a security incident involving hackers is to have a plan already in place as to what they will do when an issue of this kind arises. In other words, administrators and employees should know their responsibilities ahead of time, so that they can react quickly if any suspicious activity is discovered on the network or within their internal systems.
In this spirit, decision-makers should have a full understanding of the data they are housing or interacting with in any manner that could present a valuable target for cybercriminals. Dark Reading contributor Kevin Casey noted that administrators should also know why the company is storing or transmitting this information. If the firm doesn't have a full understanding of its data, a breach could case much more damage.
"That can exponentially complicate matters when a data-loss event occurs – you can't very well determine the consequences and communicate them appropriately if you don't know what was at stake in the first place," Casey wrote. "Assess the kinds of data you have, who has access to it, and why."
Furthermore, knowing what information the company has on hand can also help shape the deployment of added protection. For example, if administrators know they have a database chock-full of customers' account information, they should take steps to bolster the security that is currently safeguarding this resource.
Is the organization compliant with industry regulations?
Another proactive measure is to examine any regulations governing the specific industry the company is in. For example, retailers and e-commerce firms must comply with the Payment Card Industry Data Security Standards, which calls for special protections to be deployed within any business that stores or transmits payment card information. The health sector is beholden to the Health Insurance Portability and Accountability Act, which requires the establishment of a completely secure environment for sensitive patient files. Additionally, financial institutions must be compliant with the Gramm-Leach-Bliley Act in order to adequately safeguard their customers' data.
If a breach occurs and the enterprise is found to be non-compliant with industry standards, they could face legal action and hefty fines. However, if the company prepares beforehand, they can not only avoid these consequences but bolster their security to the level that their industry requires.
Who will the business report to and when?
Casey also recommends having a plan in place as far as reporting the breach. The policy should outline what regulatory body the organization should notify about the security incident and how soon after the breach is discovered this announcement takes place.
Craig Spiezle, Online Trust Alliance executive director and president, noted that the company should also have a plan for alerting other groups and individuals connected with the firm, including partnering businesses, customers or other stakeholders. Casey noted that this measure is akin to having an emergency contact list ready.
Determining when to make these notifications, however, can be somewhat difficult. Spiezle stated that this timetable is different depending on the case at hand.
"With law enforcement or other government agencies, it's usually an ASAP scenario," Casey wrote. "Customers and partners are a tougher call."
Spiezle pointed out that you don't want these groups to find out about the incident from another source. At the same time, it's best to collect as much information about the breach as possible in order to provide an informed explanation of the event.
According to Dallas News contributor Pamela Yip, the best policy when it comes to reporting the breach is to be as open as possible. Although a breach can undoubtedly cause harm to the organization's reputation, it's only made worse when the group waits to make the announcement – especially with its clients.
"If you don't tell customers how they've been victimized, they can't take the necessary steps to protect themselves," Javelin Strategy and Research senior analyst Al Pascual told Yip. "Plus, it looks bad on the business. It reality, it does look like they're holding back."
Being prepared can go a long way toward mitigating this damage, though. When the business has a plan in place as to when it will notify its customers and what it will say, it helps these actions to be carried out as quickly as possible. Taking this approach will not only ensure that the media doesn't have a chance to make the announcement first, but will also help reduce the amount of distrust felt by clients after the fact.
"Release clear, descriptive and prompt notifications," Javelin Strategy and Research recommended in a report. "Notifications that describe in detail how a breach occurred can bolster and organization's claims that they have corrected the security vulnerability … restoring some degree of confidence among customers."