Companies across the U.K. keep getting hit with cyber-attacks that result in personal data breaches. Last month it was T-Mobile, this month it’s British Airways, next month it could very well be *insert your company’s name here*.
With attacks happening on an almost daily basis, it’s important your business is aware that: A) an attack is not only possible, it’s probable; and B) when it happens, you need to have a solid plan in place to deal with the breach itself, and the reputational/customer service crisis that will inevitably follow it.
Seeing as 2018 brought the GDPR into effect, it should be a given that by now your business has – at the very minimum – a standard IT security plan in place.
Well, key to the GDPR is a little thing known as ‘data protection by design'. What this means is that the GDPR requires firms to have in-built technical and organisational data protection processes across every level of the business.
A firm cannot confidently say they comply with the data protection by design component of the GDPR if they do not have a rigorous IT security mechanism in place that protects their infrastructure, manages employee privileges and deters internal and external cyber-security threats.
If your business cannot confidently tick the below checklist (put together by the ICO) then it’s time you speak to an IT Managed Services partner that has experience in security and data management – that’s us, FYI.
The above image is taken from ico.org.uk
It’s important to note that even if your business does have an IT security programme in place and can confidently tick off the ICO’s data protection by design checklist, there’s still a possibility that your business will experience a breach. Unfortunately, as with most security issues, there is no such thing as 'safety guaranteed'.
If you do have all of the above in place and your business still experiences a breach, here are the critical next steps you should follow.
Understand what’s happened and if you need to inform the ICO
Knowing what constitutes a reportable data breach and what information the ICO requires your business to submit once a data breach is lodged, will help you build a disaster assessment plan. According to the ICO’s website, a personal data breach is classified as:
“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.”
When lodging a data breach with the ICO, your business will need to provide:
"1. A description of the nature of the personal data breach including, where possible:
- The categories and approximate number of individuals concerned; and
- The categories and approximate number of personal data records concerned;
2. the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;
3. a description of the likely consequences of the personal data breach; and
4. a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects. “
Once you have all the above information ready to submit to the ICO, you need to start working on executing the measures taken to deal with the data breach. A key part of this is to understand if the attack your business has experienced goes beyond personal data. For example, was any other data compromised, such as business plans, sensitive commercial information or strategy documents?
If the answer to the above is yes, then you need to make sure your business has informed investors and other interested parties so that future corporate risks can be adequately assessed and counteracted.
Investigate & Audit
Essential to the recovery process is to conduct an extensive IT security audit and engage the services of an IT security specialist that can independently assess what went wrong and what your business can do in the future to prevent such an attack.
Learning from your attack is critical to preventing another one from happening. Most attackers use a few common tricks to hurt businesses, understanding where your vulnerability lies will ensure you don't fall for the same tricks ever again.
Cyber-attacks and personal data breaches go beyond causing internal breakdowns, reviews and disaster recovery plans, they also cause a huge reputational crisis for firms.
How your customers and the public at large assess your company’s management of a personal data breach can sometimes be as important, if not more important, than the way you actually handle the attack internally.
The public eye is harsh and the PR crisis that follows a data breach can often be more devastating to your business’s viability than the attack itself.
The first thing to do once you’ve internally assessed a data breach is to be open and honest with your customers about what has taken place. Be warned, nothing will enrage your customers more and cause as big a social media backlash as them finding out about a data breach from the news rather than from you.
Your external communications strategy – just as your internal communications strategy – should be an integral part of your recovery plan. You should ideally have two sets of external communications going out to customers: the first is directed at those that have been confirmed to be at risk or affected, the second to those that while not directly affected, are still trusted customers that deserve to know what’s going on and what you’re doing to resolve the situation.
Key to your communications strategy should be consistency of messaging. Have one point of contact for all external inquiries related to the attack. The quickest way to find yourself in a media quagmire is to have conflicting stories and advice going out to customers.
Share your plan
Once you've let the public and your customers know about the breach, make sure you keep them abreast of any and all developments. Show your customers what you're doing to make things right. This also includes offering them advice as to what they can do personally to mitigate risk.
Taking your customers on the recovery journey and letting them know that you're thinking of them at every step of the way will help rebuild the trust the breach will have inevitably broken.
Be open to conversation
Customers will be upset. They have every right to be. Customers trust businesses with some of their most sensitive information and when that information gets breached, customers need to have someone to talk their frustration out with. Be that person for them. Open up a customer service line dedicated exclusively to answering questions/taking complaints about the breach. Customers need to know that you're listening and taking their feedback on board.
Don’t ignore it and share your learnings
Once the dust has settled, continue to keep your customers in the loop. Just because the BBC isn’t on your case for a statement doesn’t mean the individuals who had their personal data compromised aren't still thinking about the attack.
Once you’ve concluded your investigation, gone through your disaster recovery plan and implemented the necessary security changes, provide your customers with a status report.
Explain to them what happened, accept responsibility for dropping the ball (if the attack was due to something you could have easily prevented) and explain to them the steps you've taken and the learnings your business has extracted from this event so that something like this never happens again.
Of course, prevention is the best cure, and having a specialist IT security team continually evaluating the threat landscape on behalf of your business is one of the best ways to keep your business from suffering an attack.
When an attack does happen – and it really is a matter of when not if – you need to make sure your business has an actionable plan in place that is ready to be deployed the moment disaster strikes.
Words by Camilo Lascano Tribin
For more on how Advantage can help you with the GDPR, click here.
Like what you read? Then stay in touch, subscribe to our mailing list and start receiving the latest tech and industry insight, leading opinion pieces, tips and tricks, webinars, white papers, case studies and event invites straight to your inbox.