Data controllers: protecting reputations in the event of a data breach
How can data controllers protect their customers’ reputation as well as their own?
In this blog in our series on post-breach responses to ransomware attacks, I’d like to focus on data controllers. These are the custodians of the data belonging to their customers, service users, staff and other consumers.
Data controllers have a direct relationship with these end users, and have control over how data is used and processed. In the event of data theft resulting from a ransomware attack, it is usually the data controllers whose reputation is at stake.
It’s essential that they act fast and decisively to protect consumers, minimise financial losses and preserve their reputation.
Growing threats to data custodians
At Experian, our crisis and data breach response team has worked with many data controllers over the past year in the face of an explosion in ransomware incidents worldwide. Many data controllers are well-known brands and trusted organisations with thousands or even millions of customers or service users. Managing a crisis-response and communications campaign for such a huge number of people is a major undertaking.
Not only do customers need to be informed, but data controllers also need to provide support services and query handling mechanisms to guide customers through the resolution process. Specialist crisis-response organisations, like Experian, can provide valuable expertise, advice and resources – such as consumer notification and call centre support – to guide organisations through the post-breach response process. But the sheer scale of ransomware threats today, and their continuing expansion, means that global crisis-response resources are being stretched to the limit.
Why are ransomware attacks increasing?
There is no sign of a let-up in the volume and frequency of ransomware attacks. And while companies spend millions on cyber defences, access via phishing attacks or through the company supply chain continues to give criminals the opportunity to deploy ransomware. No matter how robust an organisation’s cybersecurity defences, if an employee inadvertently opens a link in a phishing email they can let a fraudster straight in.
Ransomware is a lucrative model. We have seen ransomware firms grow and prosper as ransoms continue to be paid and there is a constant flow of new customers for them to engage with. In fact, malware programs are widely available on the black market, making it easy for criminals to access the tools they need to commit data theft and hold organisations to ransom. In addition, artificial intelligence (AI) has the potential to write new strains of advanced malware in seconds. That means criminals no longer need specialist IT skills or experience to access and deploy malicious data theft tools.
The wealth of opportunities for cybercriminals is so great that ransomware firms have even begun outsourcing some of their work to freelance fraudsters. All of which means the risks from ransomware worldwide are growing. Research we conducted in December 2021 found that 82% of large organisations and 71% of medium-sized businesses had already experienced a ransomware attack.
Data breaches demand rapid response
When a data controller is hit by a ransomware attack, they know about it very quickly. That’s because criminals want the organisation to know. The criminal will inform the organisation that they have copied everything in its hard drive or network and will begin to release information if the victim does not pay a ransom by a given deadline. That means data controllers are already on the back foot as soon as they learn about the incident.
As I’ve explained, preventing ransomware attacks is difficult. That’s why data controllers need to focus on how they will respond if they become a victim. Speed is of the essence to minimise the financial and reputational damage caused, and maintain the trust of your customers. Responding to an attack means communicating rapidly with all of those affected, and providing the contact centre resources necessary to handle queries and guide customers through the crisis.
If you suddenly need a 200-agent call centre to look after your affected customers, those resources are unlikely to be readily available unless you have prepared them in advance. You also need to develop communications templates, draft your messages and allocate roles and responsibilities, so people and resources are ready to respond if your systems are attacked.
Global crisis-response resources under strain
At Experian, the biggest change we have noticed in the past year is that the scale of ransomware attacks has stretched global crisis-response capabilities to their limits. With ransomware threats growing, those limited resources may not be able to deal with the scale of responses required in future. Given the circumstances, it may be wise for data controllers to pre-book the resources they might need in the year ahead, to ensure they can respond effectively and efficiently to any major incident.
To address this issue, Experian has a range of crisis-response services, including our reserved response service. This enables organisations to reserve in advance the resources they would need – such as contact centre agents – to respond to a ransomware attack. Data controllers choosing the service will be guided through a consultancy process to plan detailed responses to different scenarios and allocate the necessary resources to respond appropriately in a crisis.
I’ll be focusing on pre-breach preparation and planning in my next series of blogs.
How can we help?
If you are a data controller and want to learn more about responding effectively to ransomware attacks and protecting your reputation, please visit our website or contact the Experian Crisis & Data Breach Response team on 0844 4815 888 or via email.
Further reading
Ransomware response for education providers and charities
Ransomware attacks have been sweeping the globe. Find out how to manage post-breach situations in the education and charity sectors.
Ransomware – Consumer response plans
How can data processors optimise resources and minimise costs? Fears about the threat posed by ransomware have proved well founded. Read more.
Fraud Index Report
How has fraud changed over the past year? Read the latest fraud statistics and trends in Experian's Fraud Index Report for Q4 2023.
3 types of bank account data errors and how to reduce them
In this blog, we look at the root causes of bank account errors and outline how you can take the first steps towards minimising them. Read more.
Why consumers need to be central to crisis response plans
The impacts of a cyber-attack, health emergency or data breach can be devastating for the business. But the greatest impacts are often felt by consumers.
Machine learning for fraud detection: using technology to find more fraud
Adopting machine-learning can help organisations embed a smooth customer journey, whilst flagging potential fraud. Find out more.
Transforming financial crime prevention
In this paper, we share our insights around enabling Financial Crime automation to help strategically monitor commercial portfolios.
Breaking free from remediation
Download this paper in which Experian and PwC discuss a three-step process to help banks and financial services pivot towards automated KYC.
Streamline regulatory compliance with accurate, convenient age verification
Many online businesses need to carry out age verification checks, but the UK government has brought new legislation into force. Find out more.
5 challenges employers face when looking for new employees and how to address them
How to Conduct Background Checks on New Employees | 5 Challenges Employers Face When Looking For New Employees & How to Address Them