Cyber-attacks have become a fact of business life and being unprepared is no excuse. Sarah Hewitt of Arthur J. Gallagher offers advice on what an effective breach response plan should look like.
Last month, Tesco Bank suffered a cyber-attack which affected 9,000 customers and cost the company an estimated £2.5 million, proving that even the largest companies aren't safe from security breaches. This isn't an isolated event, however: 90% of large and 75% of small businesses experienced a security breach in 2015*, with many smaller occurrences never making the press.
Cyber-attacks may be a fact of business life, but damage can be limited by having an effective breach response plan in place.
Cyber-attacks can have serious repercussions for the reputation of your business. For example, Tesco Bank's YouGov BrandIndex score, a tool for measuring the public's perception of the brand, fell sharply in the wake of the breach, dropping 13.6 points to -12.8 and placing it bottom of 31 high street banks. The faster a business responds to a breach, the more likely it is to preserve its reputation and revenue.
It isn't just cyber-attacks that threaten data security, however. Lost or stolen devices, clerical errors and hacked networks all count as cyber breaches.
The aim of a breach plan is to reduce the impact of the cyber-attack on the business and to lessen the time it takes to seal the breach and restore operations – protecting short-term revenue. Your plan should also meet regulatory and legislative requirements, including plans to notify the Information Commissioner's Office (ICO) and the individuals affected. Most importantly, there is also a moral duty to protect the individuals whose data has been breached.
Despite Britain's decision to leave the EU, we still need to consider the impact of the EU General Data Protection Regulation, due to come into force in May 2018. This legislation requires us to harmonise how EU members' data is handled and failure to comply will result in significant fines.
Firstly, you need to understand your exposure – the more you understand the data and assets which need protecting and the risks involved with these, the easier breaches will be to prevent. This should be done using a formal risk assessment process.
Once you have identified the risks it will be easier to create your plan. An incident response strategy is vital for detecting breaches and taking action. You should nominate a response team made up of IT, Legal, Operational, PR, HR and Risk Management personnel, and have emergency contact numbers and pre-approved forms and processes ready in advance.
You should make sure that your plan includes the following operational procedures:
The plan must also contain all the processes, techniques, checklists and templates that the response team needs to carry it out. You should appoint an incident lead to co-ordinate the overall response.
Once a plan is in place, it is important to test the plan regularly. You should do this at least once a year and revise it in line with any significant changes to the business such as technology and location updates.
While businesses cannot predict when, where or how a cyber security breach will happen, they can take proactive measures to manage the breach when it occurs. Preparation is key, as these preventative measures will help minimise the impact to your business and help preserve your brand's credibility.
Sarah Hewitt, a director at insurance broker Arthur J. Gallagher's Major Risks Practice, and Nick Bellamy, a Senior INT Specialist with Chubb Risk Engineering Services, recently hosted a seminar discussing the importance of a breach response plan; a recording of the full webinar is available.