Data breaches require considerable time and resources to resolve, and the damage can be extensive, from financial costs and operational downtime to untold reputational harm. With such wide-ranging consequences, it pays to be prepared. Despite this, only 19% of firms in our study strongly agreed* that they were prepared to respond to a data breach caused by their remote workforce, for example.
Underestimating the risks
Most businesses don’t fully understand the consequences of a data breach and the speed with which they will need to respond. Even businesses that believe they are well prepared are likely to have blind spots. Businesses underestimate the difficulty of recovering from a breach; the complexity of notifying customers, managing communication channels, notifying regulators, consulting lawyers and rapidly executing a raft of essential decisions to mitigate risks and minimise business impact.
Faced with the threat of cybercrime, businesses tend to focus on prevention – investing in IT systems and software to minimise the risk of an attack. But few go a step further and prepare for the response required should a breach occur. Cyber-attacks can happen at any time to any business of any size. Attacks and data losses can take many forms, from ransomware attacks to direct data theft. No business is 100% protected, no matter how much they invest in cybersecurity.
Why prepare for a data breach?
Preparing for a data breach means you are ready to respond immediately. By working through the potential scenarios in advance, you will have fewer surprises. Your teams and specialist partners will understand their roles and responsibilities.
Your business will have a greater appreciation of the decisions that need to be made quickly. Many of these – and the thinking behind them – can be done in advance. That will take a lot of pressure off when you’re in a stressful post-breach situation. Reducing the number of decisions you need to make in the throes of a breach saving valuable time and resources. You will know who to consult – from legal and insurance teams to crisis PR and response specialists – and how to report to regulators.
You can prepare essential customer or employee communications in advance too. You can plan what to say to different types of customers or employees, in different situations, and get your communication templates ready.
Preparation involves having contact centre resources on standby to be deployed when needed. Communicating accurately and comprehensively with anyone impacted by the breach is one of the critical elements and avoids drip-feeding of information that may cause anxiety and erode trust.
You need to be prepared to handle inbound queries from customers or employees too. If you are unable to respond promptly and confidently to queries this can create bigger challenges and further damage your reputation. Having the right resources in place, including people with the right skills, knowledge and language capabilities, is therefore essential.
Why aren’t more businesses prepared?
The simple answer is that businesses face so many competing priorities, particularly in the Covid-19 era, it can be difficult to find the time and resources to dedicate to data breach response planning.
Businesses are also wary of the costs. However, in reality, most companies could build a basic recovery plan for little or no cost using a tool such as the free Experian readiness hub. This provides guidance and templates to help businesses create a simple response plan. With a little more investment, businesses can access in-depth consultancy advice. And for relatively low cost, Experian can create a comprehensive data breach response readiness programme, including guaranteed reserved response resources, ready to go live immediately in the event of a breach.
Find out how Experian can help your business prepare in the event of a data breachFind out more
What practical steps can businesses take now?
The first step is to examine the data you hold on customers and employees. Under GDPR, the minimum you must do is notify data subjects if they are deemed to be at high risk of identity theft, as well as notifying the regulator.
Next, think about how you would communicate with anyone affected by a data breach. How easy would it be to inform everyone concerned? Think about the different ways you need to communicate with different types of people. What contact details do you hold and what communication channels should you use? Do you have the resources in place to implement this type of mass communication?
Then think about how you would respond to different types of attack. Your response strategy for a ransomware attack will be quite different to your response to data lost through laptop theft, for example. Do you need to categorise risk based on different levels of data loss?
Here the scenarios become more complex. The more thoroughly you examine these scenarios and plan your response, the better your deployment strategies will be for different eventualities.
Preparation brings peace of mind
Having these conversations with specialists in advance, outside the heat of a crisis situation, is extremely reassuring for businesses. Working with the right legal, IT forensics, crisis communications and consumer-response specialists will ensure you cover your blind spots, prepare thoroughly for any breach, and have the right resources in place to react effectively if the worst happens.
You can find out more about data response planning on our website, connect with me on LinkedIn or firstname.lastname@example.org to speak to one of our data breach specialists to explore how best to prepare.
* Experian’s Eighth Annual Study on Data Breach Preparedness, Ponemon Institute, June 2021. Is your Company Ready for a Big Data Breach?