Six-step plan for dealing with a cyber security breach

Published on Tue, 29/11/2016 - 10:53

Cyber-attacks have become a fact of business life and being unprepared is no excuse. Sarah Hewitt of Arthur J. Gallagher offers advice on what an effective breach response plan should look like.

Last month, Tesco Bank suffered a cyber-attack which affected 9,000 customers and cost the company an estimated £2.5 million, proving that even the largest companies aren't safe from security breaches. This isn't an isolated event, however: 90% of large and 75% of small businesses experienced a security breach in 2015*, with many smaller occurrences never making the press.

Cyber-attacks may be a fact of business life, but damage can be limited by having an effective breach response plan in place. 

Save your reputation

Cyber-attacks can have serious repercussions for the reputation of your business. For example, Tesco Bank's YouGov BrandIndex score, a tool for measuring the public's perception of the brand, plummeted in the wake of the breach, dropping 13.6 points to -12.8 and placing it bottom of 31 high street banks. The faster a business responds to a breach, the more likely it is to preserve its reputation and revenue.

It isn't just cyber-attacks that threaten data security, however. Lost or stolen devices, clerical errors and hacked networks all count as cyber breaches. 

The aim of a breach plan is to reduce the impact of the cyber-attack on the business and to lessen the time it takes to seal the breach and restore operation, protecting short-term revenue. Your plan should also meet regulatory and legislative requirements, including plans to notify the Information Commissioner's Office (ICO) and the individuals affected. Most importantly, there is also a moral duty to protect the individuals whose data has been breached.

Despite Britain's decision to leave the EU, we still need to consider the impact of the EU General Data Protection Regulation, due to come into force in May 2018. This legislation requires us to harmonise how EU members' data is handled and failure to comply will result in significant fines. 

What a plan should include, and why

Firstly, you need to understand your exposure: the better you understand the data and assets which need protecting and the risks to them, the easier breaches will be to prevent. This should be done using a formal risk assessment process.

Once you have identified the risks it will be easier to create your plan. An incident response strategy is vital for detecting breaches and taking action. You should nominate a response team drawn from IT, Legal, Operational, PR, HR and Risk Management personnel, and keep emergency contact numbers and pre-approved forms and processes ready for it.

You should make sure that your plan includes the following operational procedures:

  1. Identify the breach - the first step is to identify how the breach has occurred, whether this is an online attack such as phishing or data leakage caused by a lost laptop.
  2. Investigation and containment - whether the cause is internal or external, it is important to identify how to restore security in light of the breach.
  3. Impact assessment - once the breach is contained, you will need to assess the risks it has caused both for individuals and for the business.
  4. Recovery - next, you need to repair the data and systems so that the business can continue to operate.
  5. Notification and communication - finally, you should have a communication strategy in place, including templates and a prompt press statement which accepts responsibility and apologises. You should also prepare an FAQ site to guide staff, with a notification process for affected individuals and the appropriate regulatory bodies (FCA, ICO, PCI etc.).
  6. Evaluation and improvement - following the breach you should evaluate your response to the event, identify lessons learnt and improve your security response plan to be prepared for the future.

The plan must also contain all the processes, techniques, checklists and templates that the response team needs to carry it out. You should appoint an incident lead to co-ordinate the overall response.

Once a plan is in place, it is important to test it regularly. You should do this at least once a year and revise it in line with any significant changes to the business, such as technology and location updates.

While businesses cannot predict when, where or how a cyber security breach will happen, they can take proactive measures to manage the breach when it occurs. Preparation is key, as these preventative measures will help minimise the impact to your business and help preserve your brand's credibility.

Sarah Hewitt - Arthur J. Gallagher

Sarah Hewitt, director in insurance brokers at Arthur J. Gallagher's Major Risks Practice, and Nick Bellamy, a Senior INT Specialist with Chubb Risk Engineering Services, recently hosted a seminar discussing the importance of a breach response plan.