The risk of a data breach is now greater than ever for organizations that hold important information assets such as customer data, intellectual property, trade secrets, and sensitive corporate data. A data breach refers to any unauthorized access, collection, use, disclosure, copying, or modification of personal data. Data breaches can occur for many reasons, so it is important for organizations to put the necessary measures in place and take preventive action to prepare for them. We asked 5 cyber security experts for their opinions on how to deal with data breaches and whether there is a right and a wrong way to handle them when they occur. Continue reading to explore their insights.
Helen Rabe (CISO at BBC)
The way organizations need to handle a data breach depends on the nature of the incident. Not all are avoidable; some are too sophisticated, and despite the controls in place, the attacker will always get through if they are determined. In some instances, yes, poor practice on some of the most basic of controls can allow an attacker to compromise and breach your systems. There is no one-size-fits-all to preventing or managing breaches.
As for right and wrong ways to deal with them, subjectively I believe that your incident plan is core to the success of handling any incident. You need to run annual practices to test the effectiveness of the plan and ensure all parties, including the likes of internal communications and legal, are included.
If the incident warrants a communication release to the public, then follow the core principles of responsible disclosure. It’s best to handle incident communication with authenticity and transparent communication. If it is a notable breach that affects customers and you don’t responsibly disclose, be aware that if this finds its way to the public domain, it can have an impact on your reputation and credibility.
Colin Hardy (Malware Specialist)
One would have to say that data breaches are unavoidable, and in fact almost inevitable – either as a direct result of something that happens in your organization or from some action in another organization you do business with that holds your data. SolarWinds is a prime example of this, where many thousands of organizations around the globe became the victim of a system compromised by a nation-state threat actor simply by applying a software update; actions which are actually considered security best practice!
I think there are so many different ways to handle a data breach, and naturally, each response scenario will depend on the factors that apply in each case. Questions such as when to go public with a breach notification, whether to pay a ransom demand to get systems up and running again, and how best to keep your customers up to date during the incident are certainly very common in incident response and corporate communication teams.
There is definitely a wrong way to handle a data breach in my view; not being open with your customers, not investigating an issue to the best of your capability and not investing in a security-maturity program to prevent a repeat would certainly amount to questionable behavior.
On the flip side, there’s no real right way of handling a breach either. But above all else, communication is key – ensuring those impacted by a breach are informed and the organization shows the steps they’ve taken to improve will go a long way to help the business recover.
Sjaak Schouteren (Cyber Practice Leader at Marsh Netherlands)
Of course, there is a lot to be done to avoid data breaches. You can take technical and organizational measures to mitigate the risk. But 100% security does not exist. So, it is important that you know how to act when something does occur. We have an online cyber self-assessment tool based on NIST, and from the data we see that a lot of companies are still improving on ‘Identity’, ‘Protect’, and ‘Detect’. Unfortunately, a lot still lag behind on ‘Respond’ and ‘Recover’.
If you follow the news, you often see this happening in what I cynically call the life cycle of a data breach:
- “There was a small breach, we found out at an early stage and nothing material was stolen or breached.”
- “We found that the criminals were in our systems a bit longer than we thought and they might have their hand on more data than expected.”
- “Actually, the criminals were in our systems for more than 100 days, have taken a lot of sensitive data of our clients and we should have been aware of this a few months ago.”
In most companies, they do fire drills, and they know who to follow when something happens. This is unfortunately still not the case with cyber incidents like data breaches.
Schneider Bettina (Research Professor at University of Applied Sciences and Arts Northwestern Switzerland FHNW)
In my opinion, many data breaches could be avoided if the data protection principles – namely privacy by design and data minimization – were implemented consistently and from the very beginning. Another important pillar for avoiding data breaches is the training and awareness of employees and related stakeholders, e.g., suppliers.
However, mistakes are simply part of life, so there will always be a certain number of incidents. When a data breach has occurred, one of the first measures should be to clarify data privacy. This includes, for example, assessing the situation, reporting the breach, taking immediate countermeasures, and, of course, communicating transparently to the individuals/customers/suppliers affected by the incident.
Fred Streefland (CEO at Secior)
My answer to “Whether there is a right and wrong way to deal with data breaches” would be NO and YES. Strange answer, but that’s how I see this. In today’s digitalized world, everybody and everything is vulnerable and can be breached. However, it doesn’t have to happen.
As an organization, you don’t have to accept this vulnerability, and you can do everything to prevent this from happening by implementing the Zero Trust approach. I won’t explain Zero Trust in this interview, but in short, a Zero Trust approach needs commitment from the Board and must be implemented by a Board-supported CISO with a full mandate and therefore hardly any budget constraints. Zero Trust is a journey and might take some years to increase the cybersecurity of an organization, but it’s the only way – in my opinion – to prevent data breaches.
Unfortunately, most organizations won’t be able to avoid data breaches. Therefore, a good incident response plan/policy and the testing of this plan are essential prerequisites for a security professional who is responsible for the security of an organization.
Make your workforce cyber-ready
Employee training and development is a highly efficient way to expand the skill sets of your staff. Furthermore, cyber security training teaches employees what to do if they encounter a cyber-attack and how to report security concerns. Check out the Cyber Security Specialist program with Federal Diploma. This program is developed to provide you with an in-depth understanding of how to protect digital systems and data from cyber-attacks and thus reduce damage to sensitive corporate assets. Download the program brochure or contact us for more information.