Data security: Forewarned is forearmed

Published on Sun, 07/10/2012 - 23:00

Suffering a data breach is now almost inevitable, whatever the size of organisation or industry sector. A detailed plan to prepare for an incident and deal with its aftermath helps organizations protect their customers and their corporate reputation, according to Privacy and Insight, a Zurich publication.

The dual challenges of keeping sensitive information secure and abiding by personal data privacy regulation are an increasingly uphill struggle for companies in the face of an unprecedented rise in both unintended breaches and malicious cyber attacks.

The number of reported incidents is growing at an alarming rate and so are the accompanying costs to business. With so much data being gathered, stored and shared around the world – and in the cloud – it pays to be prepared for information security and privacy.

Protective technology, such as firewalls and intrusion detection, has reached almost as far as it can, so data protection has progressed to focusing on creating a corporate culture of security, especially around access.

However, experts predict we are now beyond this stage and must assume we cannot always prevent breaches, so we should focus on ways to track down whatever has already got in and protect compromised data from misuse. The Online Trust Alliance (OTA), an independent organisation that develops best practices and policies to tackle online privacy and security threats, describes 2012 as the “year of the breach”, adding that “all businesses have to assume they will experience a data loss incident”*.

* Online Trust Alliance, 2012 Data Protection & Breach Readiness Guide.

Scale of potential cyber exposure

One of the main challenges in preparing for a breach is the scale of potential cyber exposure. Risk managers benefit most from receiving expert support to understand their organization’s key vulnerabilities. Scenario-based risk assessments and risk profiling, for example, enable them to identify weak spots so they can reduce exposure and ensure pre-breach planning puts them in a stronger position to respond when an incident occurs.

The OTA recommends creating an incident response plan that can be deployed quickly if an incident occurs and encourages a self-audit of preparedness (see panel on ‘Dealing with a breach’). Privacy-based best practice guidelines issued by the Organization for Economic Cooperation and Development (OECD) are based on key principles to ensure data is:

  • Collected lawfully with the knowledge or consent of the data subject.
  • Relevant to the purpose for which it is to be used, accurate and up-to-date.
  • Only used for the specific purpose.
  • Not disclosed for other purposes unless consent is given.
  • Protected by reasonable security, safeguarded against loss and unauthorized access, destruction, use, modification or disclosure.

Before: Pre-breach preparation

Pre-breach planning helps reduce the likelihood of an event occurring and helps you be prepared if it does. It is important to start with an incident response plan that covers:

  • Team members: Who should respond? Do you have a 24/7 incident response team in place?
  • System monitoring: How will you know when you’ve been breached?
  • Data collection activities: Do you complete a review and audit of data collection activities, including third-party and cloud service providers?
  • Data storage: Where is sensitive information held and stored, and is it secure?
  • Audited data flows: Do you have audited data flows across your company and vendors, including a privacy and security review?
  • Employee training: Are employees adequately trained and prepared to report cases of data loss or attacks?
  • Regulatory authorities: Are you aware of the regulatory requirements?
  • Vendors: Do you have access to specialist service providers, such as public relations and risk engineering?
  • Communication: Your organization’s readiness to communicate with customers, partners and stockholders once an incident has occurred.

It is important to update your incident response plan regularly and keep up to date with the latest developments in security techniques and trends in cyber attacks.

Source: Online Trust Alliance, 2012 Data Protection & Breach Readiness Guide

During: Dealing with a breach

When a breach occurs, it is important to act as quickly as possible to help minimize any damage and/or loss. This includes:

  • Forensic examination: How many records have been affected?
  • Internal notification: Who needs to be informed within the organization and who can help?
  • Containment: Confining the damage.
  • Victim notification: Many jurisdictions require organizations to notify victims within a specific time frame.
  • Call center: Establish a central call center where victims can find out information pertaining to the breach.
  • Credit/Identity monitoring and Fraud Remediation services: Evaluate the relevancy of monitoring and remediation services based on the circumstances of the breach.
  • Public relations: How do you restore your reputation in the marketplace?
  • Legal defence: How will you defend yourself in court and with regulators?

After: Post-breach damage limitation

Good customer service is essential when trust has been compromised following a breach and organizations could lose valuable business. Customer churn is one of the biggest problems, so extra attention should be focused here to limit the damage. This can include:

  • Notifying affected customers and all relevant parties with accuracy, efficiency and timeliness, if required.
  • Ensuring there is a public relations team ready to handle the potential fallout and to protect your reputation.
  • Establishing what costs are covered by the insurance policy and that a budget is available to cover any additional spending.
  • Ensuring all relevant regulatory authorities are notified and kept up to date with open and transparent communication, if applicable.
  • Setting out the terms of a post-incident investigation so lessons are learnt from the experience to prevent it happening again.
