Creating a Data Breach Preparedness Plan
With data breaches making headlines every other day, it is important now more than ever to add a Data Breach Preparedness Plan to your Business Continuity Program.
According to research reports by the Ponemon Institute on data breach preparedness, while a few companies are making valuable changes, many companies remain deficient in governance and security practices. Effective preparedness includes keeping the data breach response plan up to date, conducting risk assessments of areas vulnerable to a breach, continuously monitoring information systems to detect unusual and anomalous traffic, and investing in technologies that enable timely detection of a security breach.
In addition to helping a company prepare for a breach, the existence of a plan can reduce the overall cost of an incident. The 2014 Cost of Data Breach Study: United States reported that the average cost for each lost or stolen record was $201. However, if a company had a formal incident response plan in place prior to the incident, the average cost of a data breach was reduced by as much as $17 per record.
So where do you begin your Data Breach Preparedness Plan?
Begin by assigning a knowledgeable person to lead a data breach response team. This person could be your CISO (Chief Information Security Officer), Compliance Officer, Head of Business Continuity Management, Chief Information Officer, Chief Risk Officer, Head of PR and Communications, General Counsel, Chief Privacy Officer, or Head of Human Resources. Whomever you place in charge, make sure they have the knowledge and/or resources available to build the most effective Data Breach Preparedness Plan and response team.
The members of an effective incident response team require the skills of a variety of functions, such as IT security, legal, public relations, and privacy. When responding to a data breach, companies are most likely to engage those functions critical to minimizing the damage created by the incident.
Data breach or cyber insurance policies are becoming an integral part of a company’s preparedness plans. In 2013, only 10 percent of respondents said their company purchased a cyber insurance policy. In 2014, the percentage more than doubled to 26 percent. Businesses are beginning to realize the value of cyber insurance due to the increased awareness of cyber attacks across multiple industries affecting companies of all sizes.
Technical security considerations
Managing the risks created by end users and mobile devices is important to IT security's data breach preparedness. IT security should review the following areas to reduce barriers and improve data breach detection and responsiveness:
- Increase visibility into end-user access of sensitive and confidential information
- Reduce the risk created by the proliferation of mobile devices and cloud services
- Address third party access to or management of data
- Gain expertise
- Invest in technologies specific to your business
- Incorporate C-suite support (a corporation’s most important senior executives)
Technologies available to quickly detect a data breach
- Intrusion prevention systems
- Mobile Device Management (MDM)
- Security Incident & Event Management
- Analysis of netflow or packet captures
Risk Assessments & Monitoring
Risk assessments and continuous monitoring of information systems for unusual or anomalous traffic are both needed. First, perform risk or impact assessments to determine the areas vulnerable to a data breach. These steps are critical for identifying the security gaps that exist within the company's systems so the risk of a data breach can be minimized. Next, for timely detection of data breaches, companies should monitor their systems for unusual or anomalous traffic. Depending on the results of your risk assessment, the frequency of future tests may need to be continuous, daily, weekly, or monthly.
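As an added illustration of the "analysis of netflow" technology listed above and of monitoring systems for unusual or anomalous traffic, the following Python script (not part of the original article, and not tied to any particular product) builds a per-host daily baseline of outbound bytes to external addresses from a training window and then reviews a later day against it. The flow records, the internal address range (10.0.0.0/8), the training window, and the thresholds are all constructed assumptions.

```python
"""Baseline-and-deviation check over constructed NetFlow-style records.

Added example, not the article's own tooling. A host is flagged on the day
under review if its outbound volume to external addresses far exceeds its
own baseline, or if it contacts an external destination it never used in
the training window. Record format, addresses and thresholds are assumed.
"""
from collections import defaultdict
from datetime import date, datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumption: corporate address space
TRAINING_END = date(2015, 3, 6)   # baseline uses days strictly before this date
REVIEW_DAY = date(2015, 3, 6)     # the day being monitored

# Constructed sample records: (timestamp, src_ip, dst_ip, bytes_out).
# External addresses are from the reserved documentation ranges.
SAMPLE_FLOWS = [
    ("2015-03-01T09:12:00", "10.0.0.5", "198.51.100.7", 950_000),
    ("2015-03-01T11:40:00", "10.0.0.5", "10.0.0.20", 12_000_000),  # internal, ignored
    ("2015-03-01T10:01:00", "10.0.0.9", "192.0.2.10", 300_000),
    ("2015-03-02T09:15:00", "10.0.0.5", "198.51.100.7", 1_050_000),
    ("2015-03-02T10:03:00", "10.0.0.9", "192.0.2.10", 280_000),
    ("2015-03-03T09:10:00", "10.0.0.5", "198.51.100.7", 1_000_000),
    ("2015-03-03T10:00:00", "10.0.0.9", "192.0.2.10", 320_000),
    ("2015-03-04T09:20:00", "10.0.0.5", "198.51.100.7", 980_000),
    ("2015-03-04T10:05:00", "10.0.0.9", "192.0.2.10", 290_000),
    ("2015-03-05T09:11:00", "10.0.0.5", "198.51.100.7", 1_020_000),
    ("2015-03-05T10:02:00", "10.0.0.9", "192.0.2.10", 310_000),
    # constructed review-day records: one host sends far more than usual, at night,
    # to an address it has never contacted; the other behaves normally
    ("2015-03-06T02:47:00", "10.0.0.5", "203.0.113.9", 48_000_000),
    ("2015-03-06T10:04:00", "10.0.0.9", "192.0.2.10", 305_000),
]


def is_external(ip):
    """True when the address lies outside every internal network."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def daily_external_totals(flows):
    """Aggregate outbound bytes and destinations to external addresses per (src, day)."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for ts, src, dst, nbytes in flows:
        if not is_external(dst):
            continue
        day = datetime.fromisoformat(ts).date()
        totals[(src, day)] += nbytes
        dests[(src, day)].add(dst)
    return totals, dests


def build_baseline(flows, training_end):
    """Per-host mean and population stdev of daily external bytes, plus the
    destinations seen, using only days before training_end."""
    totals, dests = daily_external_totals(flows)
    per_host = defaultdict(list)
    known = defaultdict(set)
    for (src, day), nbytes in totals.items():
        if day < training_end:
            per_host[src].append(nbytes)
            known[src] |= dests[(src, day)]
    return {src: {"mean": mean(v), "stdev": pstdev(v), "known_dsts": known[src]}
            for src, v in per_host.items()}


def detect_anomalies(flows, baseline, review_day, z=3.0):
    """Return (host, reason) alerts for the review day."""
    totals, dests = daily_external_totals(flows)
    alerts = []
    for (src, day), nbytes in totals.items():
        if day != review_day:
            continue
        base = baseline.get(src)
        if base is None:
            alerts.append((src, "no baseline for host"))
            continue
        # A near-zero stdev would make any tiny increase fire, so also require
        # at least double the host's mean before raising a volume alert.
        limit = max(base["mean"] + z * base["stdev"], 2 * base["mean"])
        if nbytes > limit:
            alerts.append((src, f"outbound {nbytes} bytes exceeds limit {int(limit)}"))
        for dst in sorted(dests[(src, day)] - base["known_dsts"]):
            alerts.append((src, f"new external destination {dst}"))
    return alerts


def run_example():
    """Build the baseline from the constructed flows and review the last day."""
    baseline = build_baseline(SAMPLE_FLOWS, TRAINING_END)
    return detect_anomalies(SAMPLE_FLOWS, baseline, REVIEW_DAY)


if __name__ == "__main__":
    for host, reason in run_example():
        print(f"ALERT {host}: {reason}")
```

Run as a script it prints two alerts for 10.0.0.5 (the volume spike and the never-before-seen destination) and nothing for 10.0.0.9. In practice the training window would be rebuilt on the cadence the risk assessment calls for (daily, weekly, or monthly), and the per-host limit should be reviewed against business context, since a legitimate backup job or a newly adopted cloud service will trip the same checks.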
How could your data breach response plan become more effective?
- Conduct more fire drills to practice data breach response
- Include greater participation and oversight from senior executives
- Incorporate a budget dedicated to data breach preparedness
- Include on the response team individuals with a high level of expertise in security
- Include in the planning individuals with a high level of expertise in compliance with privacy and data protection laws and regulations
Retention of Customers after a data breach
Leading approaches to keep customers and maintain reputation
- Free identity theft protection and credit monitoring services
- Designated call center to provide information and respond to customer concerns
- Gift cards
- Discounts on products or services
- A sincere and personal apology (not a generic notification)
Data Breach response planning is critical to a company’s data protection and security strategy.
Research has shown that a comprehensive plan that is in place in advance of a data breach can reduce overall costs and keep the trust of customers and business partners.
The following recaps the recommendations given above:
- The incident response plans should undergo frequent reviews and reflect the current security risks facing the company.
- Risk assessments should be conducted to ensure the appropriate technologies are in place to prevent and detect a data breach.
- The board of directors, CEO and chairman should play an active role in helping their company prepare for and respond to a data breach. This includes briefings on the security posture of the company and a review of the incident response plan.
- Employees should receive training on the importance of safeguarding sensitive data—especially customer information. Call center employees should become skilled at answering customers’ questions about the privacy and security practices of the company as well as explaining what the company is doing in the aftermath of a data breach.
- Accountability and responsibility for data breach response should be clearly defined and not dispersed throughout the company. Cross-functional teams that include the expertise necessary to respond to a data breach should be part of the incident response planning process.