Preparing for the Inevitable: A Guide to Handling a Data Breach

Cyber-attacks and data breaches are now so widespread that it isn’t a matter of ‘if’ but ‘when’ your organization gets hit. According to the UK Government’s latest Cyber Security Breaches Survey, nearly seven in ten large businesses identified a breach or attack in the past year. When taking into consideration all sizes of businesses in the UK, nearly half had suffered a breach or attack.

The likelihood of a cyber-breach occurring is so predictable that cyber risk and cyber insurance organizations can now forecast a potential breach with greater than 90% accuracy. With major cyber-attacks making headlines on an almost daily basis, it’s safe to say that you’re going to be hit at some point. Many organizations have found out the hard way how damaging a mismanaged cyber-attack or data breach can be. The loss of customers, drop in share price, damage to brand reputation and financial penalties are just a few of the things a breached company can look forward to. TalkTalk revealed that the fallout from the cyber-attack it suffered in October 2015 cost the company £60m and 101,000 lost customers.

However, preparing for the inevitable will make the situation significantly less damaging, and organizations that get it right can come out of an attack with their heads held high.

Forewarned is forearmed

Cyber-security should be treated like any other business risk. In the same way you would prepare for a natural disaster or the theft of goods, you should prepare for a cyber-attack, especially as the latter is likely to be more costly. Having a cyber-breach action plan is paramount. This should include specific procedures to follow and key actions that should be addressed.

  • The first responders

The first step on the cyber-breach action plan is to mobilize the first responders: a senior team of board-level executives, including heads of communications, IT, legal, sales and customer-facing support. This team will lead the response to the attack, and your first response should always be to inform the authorities. In the UK, this will be the Information Commissioner’s Office. If you’ve been contacted by the criminals behind the attack, you should not engage with them in any way. This is especially true if you’ve been hit with ransomware; do not respond or provide payment of any kind.

  • Internal communication to staff and shareholders

With the initial response handled, communication to employees can begin. Clear communication should start with internal staff, who need to be told who they should direct questions to if, for example, the media request any information. At the same time, all remaining board members should be informed and then the shareholders. The sooner the communications happen, the quicker concerns will be dissipated amongst staff, preventing a potential drop in morale. Different levels of staff will require different communications, and a different frequency of communication. The key to successful communications is to create a schedule and carry out the communications in line with it. Even if there is no news to communicate, let this be known. While it may appear inconsequential to delay communication until there is news, for those waiting it is reassuring to know that they haven’t been forgotten, and it keeps employees on your side.

  • External communication to those affected

Following internal communications, all individuals and/or organizations that have been affected by the attack should then be informed. Communication to those affected is paramount to mitigating reputational damage and distrust amongst customers. The worst backlash around most high-profile breaches centers on the organizations that have sat on the information for too long and not informed their customers. For example, Uber is currently facing global condemnation for a data breach it concealed for the past year, which affected 57 million customers around the world.

  • Media communication

Communication to the media should be the next step on your cyber-breach action plan. Before engaging with the press, ensure you have all the facts and have decided what is going to be said and what should not be said. Ensure this information is consistent and there are no conflicting statements. Contradictory information can lead to increased negative press exposure. To avoid mismanaging the communications flow and issuing conflicting information from your organization, allocate a single spokesperson so that all information comes from one source.

It is important to maintain the communication flow, even well after the initial incident. This positions your organization as proactive and presents a positive picture that can alleviate damage to brand reputation. In the current climate, organizations face increasing scrutiny over their cyber security practices.

How well could your organization handle the next attack?

Contact the Clearswift team for a discussion and find out how we can enhance your existing IT infrastructure with advanced threat protection and data loss prevention technology.
