Has your organisation established an incident management plan that covers data breaches? Recent evidence shows that organisations are ill-equipped to deal with an attack.
Australian bulk deals website, Catch of the Day, suffered a security breach in 2011, with passwords and other user information stolen from the company's databases. It took until 2014 to notify customers, suggesting there was no response plan in place.
The backlash was very severe for global retail giant, Target, which fell victim to the second largest credit card heist in history. Many customers were outraged about the retailer's inability to provide information after the breach, and its failure to assure customers that the issue was resolved.
Consequences included settlement payouts of up to $10 million and the resignations of its CIO and CEO.
Organisations should establish and test incident management plans for data security breaches sooner rather than later. A solid response plan, and adherence to the steps below, can spare much unnecessary business and reputational harm.
Here's a five-step plan to give your organisation the best chance of minimising financial and reputational damage.
Step 1: Don't panic, assemble a task force
Clear thinking and swift action are required to mitigate the damage. There is no time for blame-shifting. You need a clear, pre-determined response protocol to help people focus in what can be a high-pressure situation, and your incident management plan should follow that protocol.
Having the right team on the job is critical. Bear these factors in mind when assembling your team: Appoint one leader who will have overall responsibility for responding to the breach. Obvious choices are your CIO or chief risk officer. This leader should have a direct reporting line into top level management so decisions can be made quickly.
Include representatives from all relevant areas: IT, to trace and deal with any technical flaws that led to the breach; and corporate affairs, to manage media and customer communications and to liaise with authorities if required.
Don't forget privacy (you do have a chief privacy officer, don't you?) and legal, to deal with regulators and advise on potential exposure to liability.
If you anticipate that litigation could result from the breach, then it may be appropriate for the detailed internal investigation of the breach to be managed by the legal team. If your organisation doesn't have these capabilities, seek assistance from third parties at an early stage.
Step 2: Containment
The task force should first identify the cause of the breach and ensure that it is contained.
Steps may include:
Installing patches to resolve viruses and technology flaws. The 'Heartbleed' security bug identified in April 2014 at one time compromised 17 percent of internet servers.