Evaluate the potential scenarios
It’s important to understand that a data breach does not have to be of epic proportions. In the media, the narrative often relates to cyber-attacks, creating images of hackers, the dark web and access to business systems. But a breach can be as simple as what we call a ‘paper event’. For example, a line of address might be shared incorrectly, a credit card statement might be delivered to the wrong person, or a business might be transferring from paper to online. If paper files are not disposed of securely, identifiable personal information could be easy to get hold of or share. That means understanding where personal information is stored and how it is managed, and looking beyond what is typically considered the norm, such as a cyber event.
Get your people involved in limiting the risk
Of course, businesses need watertight security. We emphasise the importance of the three Ps: clear policies, processes and procedures. But the culture within an organisation is also key. If your employees are more aware of the risks, the responsibility to limit exposure to a data breach is shared. It doesn’t just fall at the feet of the IT department. Understanding where the weak points are, for example by vetting individual employees, whether new to the company or old-timers, can also be included in your data breach readiness and response plans.
Below are some important components to consider when getting ready and creating your response plan:
- Align to expectations: Customer notification: 34%* of data breach response plans do not include customer notification. We know that how you treat your customers in the aftermath of an incident is of vital importance to the future relationship with that customer or employee.
- Know legal requirements: Legal considerations: 43%* of businesses say they do not have any legal cover for data breaches. Legal counsel is key to ensuring the right steps are taken to remain within the law. This is even more significant now GDPR has come into play.
- Protect your business: Crisis management: Only 52%* of businesses have a data breach crisis or communications plan in place. The communications team has the challenge of communicating what has happened, so planning and creating key communications in advance, as well as mapping out key people and approval processes, means there is potential to alleviate the pressure and get messages out to customers sooner.
- Assess your risk: Forensics: 84%* of businesses do not have forensic analysis included in their response plans. Without these experts, you won’t know how at risk you are or, most importantly, how at risk your customers are.
“If your business really is set on putting customers at the heart of a data breach response, getting into the detail of what a response really entails is now a critical component of any business’ DNA and preparation. It’s all about damage limitation. If businesses have watertight data breach plans in place, there is the potential to support customers and manage the situation with confidence.”
Find out more about how Experian help organisations put readiness plans in place so they can know, prepare, and recover with confidence in the event of a data breach.
*All statistics have been taken from Experian’s research. Read more in our whitepaper: Readiness vs The Reality
Are you starting your plan? Here is a great document to help you understand what your next steps are: Data Breach Response Guide
About Experian research
Experian commissioned research consultancy ComRes to shed new light on this constantly evolving topic, backed up by new statistics. ComRes is a member of the British Polling Council. On behalf of Experian, ComRes conducted an online survey of IT business decision-makers at small, medium and large businesses in Great Britain in January 2017, across a variety of sectors (including manufacturing, arts and recreation, business and finance). Respondents were either involved in the decision-making of their company’s data breach management, or were aware of data breach management if they were not directly involved. All respondents work for businesses that hold personally identifiable information (PII) data for 100 or more customers or employees. The 200 professionals questioned were from the following sized companies: 50 from small businesses (1-49); 50 from medium-small businesses (50-100); 50 from medium-large businesses (101-250); and 50 from large businesses (250 or more). It is important to note that when comparing figures from the business survey this year with 2016 findings, only SMEs were questioned last year, and not large businesses. At the same time, ComRes also surveyed 2,001 British adults to obtain a wide and varied comparison of what business decision-makers think in contrast to the public, or, in other words, their (potential) customers.