How to understand the true implications of a data breach for your organisation
The path to enlightenment
If a business or organisation suffers a cyber-attack resulting in the loss of Personal Identifiable Information (PII) then they will have to notify the people impacted if they are deemed to be at high risk of identity theft. The first time most organisations think about what this truly entails is after they have suffered a data breach.
Working out what to tell customers, what channels to use, how to handle queries and how to allocate sufficient resources to manage the response is complex – made even more difficult in the heat of a post-breach situation when speed is critical and your reputation is at stake.
It is so much better to do all of this thinking, planning and preparation in advance. So many organisations come to us in a crisis situation when they need to react fast to minimise the damage of a data breach – without knowing where to start. That’s why we advocate a pre-breach consultation, which enables organisations to go through a logical process to determine what a data breach recovery would look like for them, and how it could be managed and resourced. Every organisation is different, which means that every response plan needs to be customised.
Visualise your notification campaign
The first step is to consider how many customers you might need to inform following a data breach, and how you will contact them. The preference for many businesses is to contact customers by email, in which case you need to ensure you have email addresses for every customer. If you don’t, you will need a postal address or phone number. Think about how long it will take to contact all of your customers. Your desire may be to contact everyone within 24 hours of a breach, but if you have a million customers that simply will not be possible. Three to five days is more realistic. If you know this in advance, you can set expectations and prepare appropriately.
Prepare your messages
Next you need to think about what you will tell customers. To some extent, this will need to be adapted following a breach, to reflect the specific nature of the incident. However, many key messages can be agreed in advance, and these will need to be signed off within your organisation – particularly by legal teams.
What entity or brand will you use? Do you have multiple brands across international borders, for example. Do you need different messages for different cohort groups, such as employees, customers, pension holders and others? If you can pre-approve messages and templates for all groups in advance, it will save so much time following a data breach.
Get your resources ready
Having determined how you will contact customers and what you will say, you need to think about the resources required to deliver this communication campaign. Do you have the skills and resources to handle this in-house, or will you need external support? Do you need to train people in advance, so they are ready to respond quickly in the event of a crisis?
What about the resources you will need to handle queries from affected customers? If you are informing thousands of people about a data breach, how will you handle potentially hundreds of incoming calls? What will you say to people? If your customer base is international, do you need agents who can answer queries in different languages? Ideally, you need to have scripts prepared in advance to ensure you give consistent messages to those affected. Failing to respond to incoming queries could be hugely damaging to your organisation. Having informed customers that their data has been compromised, you will compound people’s anxiety and uncertainty if you are unable to answer their queries promptly.
What is your attitude to risk?
Having understood the implications and the response requirements, you then need to think about your risk appetite. How much do you want to invest in preparing in advance, and how much are you willing to leave to chance? If you need external call centre resources to manage your response, are you happy for these to be provided on a ‘best endeavours’ basis? That means your crisis response provider will do everything possible to provide the resources you need, but without providing any guarantees.
Response resources are finite, and if there is another breach on the scale of the MOVEit exploitation, those resources could be in short supply. An alternative is to pay a retainer for a “reserved response” service, which guarantees that the resources you need will be available in the event of a data breach.
Implications for your whole organisation
There are lots of balances to strike in planning and preparing for a crisis response. One thing that quickly becomes clear is that this is a business issue, not just an IT issue. The impact of a data breach affects the entire organisation and all its customers or service users. Clearly, suffering a cyber-attack is extremely disruptive to business operations, requiring significant work to get IT systems back up and running. But in addition, managing your customer response and helping to minimise financial and reputational damage is just as complex and fraught with challenges. There’s a lot at stake, so it’s important to get it right.
Throughout our consultancy work, we aim to serve up a dose of reality and enlightenment. We help organisations to assess what they will need to do in practice, how long it will realistically take and what they can do to prepare for an efficient and professional response. The outcome is a well-considered “consumer response plan” that can be signed off by the board and which enables everyone in the business to understand their role in the event of a data breach. How to ensure this plan is resilient and can be enacted in practice will be the subject of my next blog.
How can we help?
If you’re concerned about the impact of a data breach on your organisation, please get in touch with our crisis and data breach response specialists via email to book your consultation or call 0844 4815 888 to talk about the Reserved Response options and consultancy available to you. Alternatively, please visit our website for more information.
Further reading
As threats to data security grow, how can organisations mitigate the risks?
No matter how secure your cyber defences, there are many ways that fraudsters can exfiltrate your data. Is your business ready to respond?
Data controllers: protecting reputations in the event of a data breach
This blog focuses on data controllers. These are the custodians of the data belonging to their customers, service users, staff and other consumers.
Ransomware – Consumer response plans
How can data processors optimise resources and minimise costs? Fears about the threat posed by ransomware have proved well founded. Read more.
Why consumers need to be central to crisis response plans
The impacts of a cyber-attack, health emergency or data breach can be devastating for the business. But the greatest impacts are often felt by consumers.
Breaking down barriers when forming a crisis response plan
With the working environment changing faster than ever, adapting to a digitally led economy also brings increased data breach risks. Find out more.
Making fraud analytics and machine learning accessible for all
Take advantage of the latest advancements in ML-powered fraud solutions to significantly cut down on the time and cost required for deployment.
Businesses at risk: Survey exposes gaps in UK businesses’ crisis readiness plans
Around half of UK business leaders surveyed in recent research said their organisations didn't have crisis response plans in place. Read more
Experian report insight: AI and ML are an investment focus for 100% of UK businesses
Our research found that the majority of consumers are now aware of Artificial Intelligence (AI) and Machine Learning (ML). Find out more.
Machine Learning in fraud prevention: why it’s time for a level playing field
Why should organisations of all sizes introduce Machine Learning into fraud detection? We explore the solutions.
Application Fraud: Detect and deter fraud at the point of application
We take a look at how application fraud is changing and why organisations need to take action, without impacting customer experience.