Cybercrime costs are expected to rise to $2 trillion by 2018, according to Juniper Research, in large part because the increase in cyber threats is resulting in a surge in data breaches, exposing millions of individuals and their sensitive information.
Outsourcing of breach response components
Data breaches are inevitable and organizations in all industries will continue to be at risk. Most are not prepared and the costs to manage data breach response are high. However, according to a new breach response best practices survey from ID Experts, the majority of respondents want to do the right thing by their customers when it comes to breach response. In fact, 90 percent of respondents rated identity protection services as important and well over half cited a thoughtfully written notification letter as a top component.
A data breach can be a time of high stress, tight deadlines, and competing priorities. An organization’s immediate response can have long-term consequences for its business, reputation, and customers. Leading industry experts share their six best practices and insights on preparing for and responding to a data breach, to deliver positive outcomes for all involved:
1. Identify risk and prioritize risk mitigation strategies
“An organization should continually work at raising its level of awareness and preparedness,” says Ted Augustinos, a partner at the international law firm Locke Lord. “If breach risk mitigation has yet to be considered, management should organize a thoughtful discussion involving senior internal decision-makers and experienced outside legal and technical resources about assessing risk and prioritizing risk mitigation activities.
He adds, “As these projects are not ‘set it and forget it,’ even the organizations most advanced in this area are continually looking for ways to improve administrative and technical safeguards by reassessing potential risks and threats, updating their data security procedures and technologies, revisiting the availability and adequacy of insurance coverage, revitalizing employee training programs, and practicing their incident response plans.”
2. Reduce breach risk with an incident response plan
“Preparation is the best defense for handling a breach event,” says Dave Molitano, senior vice president at OneBeacon Technology Insurance. “This means organizations must have an updated and tested incident response plan that’s documented and communicated to those accountable for managing a response. In addition, the proper resources should be identified and readily available. And when a breach does strike, follow the plan and listen to those who are there to assist you.”
3. Protect information assets with smart security
At the recent Privacy + Security Forum in Washington, D.C., Rick Kam, president and co-founder of ID Experts, and Sean Hoar, a partner in the Portland, Oregon office of law firm Davis Wright Tremaine, identified best practices for mitigating risk. Among these were security strategies for protecting an organization’s data and systems, such as factoring security into decision-making at every department and level of the organization.
In addition, organizations should avoid collecting non-essential data, keep only the information for which there is a legitimate business need, and only use it when required. It is also important to implement the critical security controls appropriate for the enterprise. These controls are provided by the Center for Internet Security (CIS):
- Develop and maintain an inventory of all hardware and software.
- Use the most current versions of applications and operating systems.
- To the extent possible, automate security patching and continuously monitor for vulnerabilities.
- Segment your network, enable intrusion detection and prevention systems, and ensure all system logging is enabled.
- Secure data with strong encryption when possible.
- Control access to data on a need-to-know basis.
- Require complex passwords and use multi-factor authentication.
- Eliminate unnecessary data and processes.
- Conduct vulnerability testing and risk assessments.
- Conduct due diligence on all third-party service providers and require appropriate information security standards to be written into contracts.
- Provide employee training on network security awareness.
- Develop and test your incident response plan, which should involve key stakeholders and business units across the enterprise.
Perceived value of services for a healthcare data breach
4. Get the right cyber insurance
“Based on the cost of most breaches, very few organizations are able to handle 100 percent of the costs of a data breach on their own,” says Kimberly Holmes, senior vice president and cyber liability counsel at ID Experts. “It could be characterized as penny-wise and pound-foolish not to have some form of standalone cyber insurance in place in addition to other investments by the organization in IT security measures.”
5. Look beyond breach notification
“After a breach hits, the response should not be limited to breach notification but should also focus on containment, corrective action, and preparing for the regulatory investigation and potential litigation to follow,” says Adam Greene, a partner in Davis Wright Tremaine’s Washington, D.C. office. “Too often, organizations are focused on the immediate response. They need to consider future consequences of the breach, such as what might happen in a court of law.”
6. Put your customer first
“It’s never pleasant for affected individuals who have reason to worry about, or actually experience, identity theft,” says Augustinos. “An organization that provides timely and precise information about the compromise, and offers services to assist affected individuals in resolving their personal issues, usually finds that the organization’s reputation, enforcement profile, and litigation exposure are affected less severely by breaches than organizations that respond in ways that are inadequate or late, or both.”