If you’re reading this blog, you are probably interested in, if not outright concerned about, protecting your information from being lost or hijacked. Most likely you have a BDR (Backup & Disaster Recovery) plan in place, and you may even have put tools and policies in place to guard your data from hackers and other malefactors.
Unfortunately, no data protection plan is 100% foolproof. Mike Donovan, global leader of the technology, media, and business team for insurer Beazley Group, writes that too few companies have considered, let alone put into place, best practices for handling a data breach incident:
Data breaches are, unfortunately, a part of doing business. No matter how well you’re protected they will happen. It isn’t “if”; it’s “when.” And a final lesson to be learned: A data breach doesn’t have to be a disaster—but mishandling it is.
So how do you prepare for this worst-case scenario (besides preparing ahead of time and not panicking)? Here are three tips to get you thinking:
Tip 1: Do not shut down your network.
Your first instinct may be to shut down your network. But this could destroy valuable, volatile data, and the loss could hamper the investigation. In some cases, taking the affected servers or computers offline might be reasonable. But, if possible, this determination should be made after consultation with the incident responders and with consideration for the impact on business operations.
As scary as it sounds, you want the ability to step back and figure out what led to the breach, so that you can take measures to prevent that vulnerability in the future. And your incident response team, whether in-house or contracted, should have the expertise to manage the problem without putting a full stop to your business.
Tip 2: Determine the potential impact the compromised data will have on your business.
If you haven’t done so already as part of your BDR plan, you need to conduct a risk assessment and rank your data by importance. Medical professionals, for example, should know the ramifications a group of stolen EHRs (Electronic Health Records) will have on the practice.
By having this information spelled out for you and your incident response team, you can anticipate potential legal, regulatory, and security consequences—and get the relevant people proactively working on the problems that may result from the breach.
Tip 3: Inform customers of the breach ASAP.
It boggles my mind how so many companies will try to hide a data breach from their customers. It may take you some time to figure out the nature and repercussions of your data breach, but you will lose more customers if you equivocate on its impact rather than being frank. By giving customers the facts of the breach, you enable them to cancel their credit cards or do whatever else they can do on their end to limit the damage.
Do you have other tips on responding to data breaches? Let us know in the comments!
Photo credit: Constanza via Flickr.