The average total organizational cost of a data breach in the United States in 2015 was $6.8 million. In 2016 alone, over 3,000 publicly disclosed data breaches have occurred so far, representing more than 2.2 billion compromised records. In addition to the upfront expenses, the damage to an organization’s reputation and goodwill can be immense and long-lasting, potentially presenting an existential risk to its future. In the notable case of the data breach at Ashley Madison, hackers exposed spousal infidelity that prompted a $567 million class action lawsuit, demonstrating the potentially devastating impacts of a malicious intrusion.
In the absence of a plan, the immediate hours after a breach is detected are often marked by confusion and panic. The time to craft a response is not when a company first realizes its security has been compromised; by that time, it may already be too late to adequately react. Developing a “living will” in advance, one that maps out the procedures and steps to take and stands ready to implement in the event of a breach, substantially improves the chances of mounting an effective response.
Designate First Responders and Take Preventative Action
The first step to creating a data breach living will is to set a clear path forward by designating an internal team of first responders with clearly delineated roles and responsibilities. These individuals will be responsible for drafting and maintaining the living will and, in the event of a breach, implementing it. When and if a breach occurs, this team will spring into action to assess the gravity of the breach, gather the financial and logistical resources necessary to respond, and act as a central point of communication and coordination between executive management and boots-on-the-ground responders.
The best type of data breach is the one that never happens, so the next step is to roll out preventative policies and measures to reduce the likelihood that a breach will occur. Employee access to critical and sensitive enterprise data should be restricted to only those who need it. Strong passwords should be mandatory, and encryption and firewalls should be implemented wherever practical. By investing time and resources into protective measures, such as data security and anti-malware software, and by training employees on secure information practices, the risk of a breach can be significantly reduced, and the chances of quickly detecting a breach improved.
Plug the Hole
In the unfortunate event that a breach occurs...
Author: Frank Fazzio, Records Analyst at Zasio Enterprises, Inc.