Why it’s essential to put your consumer response plan to the test
Building long-term resilience
The risks to all types of organisations from cyber-attacks – particularly ransomware – have increased significantly in recent years. In our own research, 100% of business leaders felt they were at risk of a crisis in the next 18 months, and the recent MOVE-it vulnerability proves that those fears were well-founded. If customer data is compromised in an attack, you need to act fast to notify those affected and mitigate the financial, operational and reputational impacts.
Understanding the implications of a data breach and its impact on your organisation is an important first step in developing a robust response and recovery plan. This means thinking about how you will notify customers, what you will tell them and how you will resource call centres to manage your response. No organisation is safe from the impacts of a cyber-attack, which means having a well-considered consumer response plan is essential for business continuity and resilience.
How resilient is your consumer response plan?
At Experian, we work closely with risk and resilience teams in large organisations, as well as with operations directors and others responsible for resilience in smaller organisations. Often, we are brought in by legal or insurers to work with resilience teams to build robust data breach response plans. But resilience is about more than simply having a response plan in place. Responses need to be practised and plans need to be stress-tested frequently to ensure they remain up-to-date and relevant to your organisation as it grows or changes.
Your teams need not only to understand the plan, but be prepared to enact it rapidly should the worst happen. At least once a year, you should run through a simulated data breach scenario to give everyone an opportunity to put the plan into action. It’s a valuable opportunity to assess your readiness and identify any gaps, so you can modify and constantly update the plan.
You should also review your response plan if there are any significant changes to your organisation, such as an acquisition, winning a major new client or entering a new market. Reassessing the implications of a data breach and updating your response plan are vital in strengthening your resilience to cyber-attacks.
Take the pressure off your post-breach recovery
Managing risk and building resilience is all about doing your critical thinking and decision-making in advance. Pre-planning and scenario testing takes the pressure off the post-breach situation, meaning you are simply triggering an agreed and well-rehearsed response process, rather than trying to make critical decisions in the heat of a crisis.
The more you can prepare in advance, the better chance you have of minimising the harm of a data breach. That means developing the messages you would need to communicate to affected parties following a breach, and preparing communications templates for different cohort groups so that everything is ready to deploy when needed.
Plan your resources to minimise risks
You should also think about the resources you will need to respond effectively, including the call centre agents required to handle incoming queries. Most organisations will not have sufficient resources in-house to manage the scale of response required in the event of a data breach. If you need to outsource these resources, your response plan needs to set out how you will access and stand up enough call centre agents at short notice following a crisis.
It is possible to reserve the call centre resources you will need in advance, by paying for a guaranteed reserved response service. This will ensure sufficient trained call centre agents are available when needed in an emergency. But as in all risk planning, there are balances to strike when determining your call centre requirements.
For example, do you want to allocate 500 agents over three days to answer the flood of inbound calls. Or do you assign 80 agents to handle queries over a four-week period. The difference is in the quality of response provided. Having a smaller number of agents over a longer period enables you to provide a better quality of response, since the agents will get to know the scripts and become familiar with your response procedures. If you choose to have a large number of agents for a short time, each call is likely to last longer because agents aren’t so familiar with the scripts. But the sheer number of agents will mean you can handle more calls in a shorter period. It comes down to a choice between speed and quality.
Support for crisis response planning and delivery
At Experian, our crisis and data breach response team has worked with many risk and resilience managers in recent years, helping their organisations develop robust response plans in the face of growing cybersecurity threats. The first task in any organisation is often to raise awareness among decision-makers of the real implications of a data breach. We then help risk managers develop plans that they can take to the board for approval, ensuring they are realistic and appropriate to the needs of the organisation.
We offer different levels of service to suit each organisation. These range from free guides and resources to help organisations prepare for a data breach, through to in-depth consultancy services to develop customised response plans and scenario testing, supported by guaranteed reserve response resources.
How can we help?
If you’re concerned about the impact of a data breach on your organisation, please get in touch with our crisis and data breach response specialists via email to book your consultation or call 0844 4815 888 to talk about the Reserved Response options and consultancy available to you. Alternatively, please visit our website for more information.
Further reading
How to understand the true implications of a data breach for your organisation
Communicating with customers, handling queries and allocating sufficient resources. Why is it better to be proactive rather than reactive to a data breach?
As threats to data security grow, how can organisations mitigate the risks?
No matter how secure your cyber defences, there are many ways that fraudsters can exfiltrate your data. Is your business ready to respond?
Data controllers: protecting reputations in the event of a data breach
This blog focuses on data controllers. These are the custodians of the data belonging to their customers, service users, staff and other consumers.
Ransomware response for education providers and charities
Ransomware attacks have been sweeping the globe. Find out how to manage post-breach situations in the education and charity sectors.
Ransomware – Consumer response plans
How can data processors optimise resources and minimise costs? Fears about the threat posed by ransomware have proved well founded. Read more.
Practical tips to adopt APP fraud reimbursement requirements
We address the challenges around the new APP fraud regulation and discussed practical tips for organisations to navigate through the changes.
2023 UK Identity and Fraud Report
Our report explores the concerns, preferences and needs of today's digital consumers and their online experiences. Download now.
UK Consumer Online Security Report
Our survey revealed that a significant number of consumers have experienced fraud or identity theft in the past year. Read more.
Application fraud ROI calculator
Calculate your ROI instantly with our application fraud calculator.
Machine Learning in fraud prevention: why it’s time for a level playing field
Why should organisations of all sizes introduce Machine Learning into fraud detection? We explore the solutions.