How to respond to a data breach
In the UK the average cost of a data breach has grown to over £2.5 million and the reputational harm a breach does to a business can be even worse.
A data breach is a security incident in which information is accessed without authorisation. In the last few years millions of personal details have been stolen. Organisations targeted and breached include British Airways, Yahoo, Facebook, Dixons Carphone, Marriott Hotels, eBay, Equifax and Travelex.
Information involved in a data breach usually consists of:
- Sensitive business data: Information that could impact the organisation's reputation or profitability.
- Financial information: Customer bank details, debit or credit card information.
- Personally Identifiable Information (PII): Examples include full name, National Insurance number, bank account number or email address.
- Protected Health Information (PHI): Medical information that identifies an individual.
How to respond to a breach:
- Determine the scale of the breach: What data and how many records were compromised.
- How was the data exposed: Trace the attacker's path. Did they move from one system to another? Police cybercrime units can offer expert advice; ask for support.
- Document everything: Who, what, when and why is needed for external agencies, but committing pen to paper will also identify the next logical steps and support the response to future incidents by identifying the appropriate corrective actions.
- Isolate compromised systems: Once isolated, attempt to sanitise them. If an application vulnerability is being exploited, take the application offline. If a malicious insider has leaked information, cut off their access to the organisation’s network.
- Instigate the business continuity plan: Determine what critical processes must take place and the data these processes need. Have work-arounds been planned out in advance?
- Never underestimate how long an attacker has been entrenched in your systems and what damage may be done.
- Never log into an infected machine with administrative credentials, and never connect your backup media to it.
Communication
- Breaches need to be reported to the Information Commissioner's Office (ICO), and to the affected individuals if they pose a 'high risk'. Risk refers to the possibility of affected individuals facing economic or social damage, such as discrimination, reputational damage or financial losses.
- You must notify the ICO within 72 hours and affected individuals without ‘undue delay’.
- If a crime has been committed, contact Action Fraud.
- If your organisation is subject to industry regulations, other third parties might need informing; seek legal advice if in doubt.
- Determine ways for affected individuals, third parties and the media to make contact.
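The response steps above (determine scale, trace the attacker's path, document everything, isolate compromised systems, do not underestimate dwell time) and the 72-hour ICO notification window can be worked through against an access audit log. The script below is an added example, not TiG's own tooling or code from this page: it parses a constructed audit log for a compromised service account, counts distinct records and data categories, reconstructs the order in which systems were touched, computes how long the attacker had access before detection, derives the ICO deadline from the detection time, and writes a who/what/when/why incident log. The log format, the host and account names, and the rule mapping the page's data categories to 'high risk' are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample audit log (not real data): one line per record read by the
# compromised service account, as "timestamp host account record_id category".
SAMPLE_AUDIT_LOG = """\
2024-03-01T02:14:07Z web-01 svc_web 10442 PII
2024-03-01T02:14:09Z web-01 svc_web 10443 PII
2024-03-01T02:31:55Z db-02 svc_web 88001 FINANCIAL
2024-03-01T02:31:56Z db-02 svc_web 88002 FINANCIAL
2024-03-01T02:31:56Z db-02 svc_web 88001 FINANCIAL
2024-03-01T03:05:10Z file-03 svc_web 5120 BUSINESS
"""

# Assumption: which data categories put individuals at 'high risk' is a
# judgement for the organisation; here PII, financial and health data do.
HIGH_RISK_CATEGORIES = {"PII", "FINANCIAL", "PHI"}
ICO_NOTIFICATION_WINDOW = timedelta(hours=72)  # notify the ICO within 72 hours


def parse_audit_log(text):
    """Parse the constructed log format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, account, record_id, category = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": when, "host": host, "account": account,
                       "record_id": record_id, "category": category})
    return sorted(events, key=lambda e: e["time"])


def assess_scope(events):
    """Scale of the breach: distinct records, data categories, and the systems
    the attacker moved through, in order of first access."""
    records = {e["record_id"] for e in events}      # duplicates count once
    categories = {e["category"] for e in events}
    path = []
    for e in events:
        if e["host"] not in path:
            path.append(e["host"])
    return {"record_count": len(records), "categories": categories, "path": path}


def dwell_time(events, detected_at):
    """How long the attacker was entrenched before the breach was detected."""
    return detected_at - events[0]["time"]


def ico_deadline(detected_at):
    """Latest time to notify the ICO, measured from becoming aware of the breach."""
    return detected_at + ICO_NOTIFICATION_WINDOW


def is_high_risk(categories):
    """True if any compromised category is one the organisation treats as high risk."""
    return bool(categories & HIGH_RISK_CATEGORIES)


@dataclass
class IncidentLog:
    """Who, what, when and why, kept for external agencies and later review."""
    entries: list = field(default_factory=list)

    def record(self, when, who, what, why):
        self.entries.append({"when": when, "who": who, "what": what, "why": why})
        return len(self.entries)


def build_report(log_text, detected_at, handler):
    """Run the response steps over an audit log and return the documented result."""
    events = parse_audit_log(log_text)
    scope = assess_scope(events)
    log = IncidentLog()
    log.record(detected_at, handler, "Breach detected",
               f"unexpected reads by {events[0]['account']}")
    for host in scope["path"]:
        touched = [e["time"] for e in events if e["host"] == host]
        log.record(detected_at, handler, f"Isolate {host}",
                   f"in attack path, accessed {min(touched)} to {max(touched)}")
    return {
        "scope": scope,
        "dwell": dwell_time(events, detected_at),
        "high_risk": is_high_risk(scope["categories"]),
        "ico_deadline": ico_deadline(detected_at),
        "log": log.entries,
    }


if __name__ == "__main__":
    detected = datetime(2024, 3, 2, 9, 0, tzinfo=timezone.utc)  # constructed
    report = build_report(SAMPLE_AUDIT_LOG, detected, "IR lead")
    print(f"records: {report['scope']['record_count']}, "
          f"categories: {sorted(report['scope']['categories'])}")
    print(f"attacker path: {' -> '.join(report['scope']['path'])}")
    print(f"dwell time: {report['dwell']}, high risk: {report['high_risk']}")
    print(f"ICO deadline: {report['ico_deadline'].isoformat()}")
    for entry in report["log"]:
        print(entry)
```

Two design points matter here: distinct record ids are counted rather than log lines, because repeated reads of one record must not inflate the reported scale, and the deadline is computed from the detection time, not from the first malicious event, since the attacker's first access is usually only discovered later during the investigation.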
Security is a major concern for all businesses and creating a secure IT environment should be at the top of any business agenda. For more information about how TiG Data Intelligence can help your business take a look at the Guardian page or contact us.