Here's everything you should include in your data breach response plan
By Stergios Saltas, MD, Striata South Africa.
Even with all the defences in the world at its disposal, no organisation can guarantee that it won't fall victim to a data breach. With new threats emerging all the time, it's simply not possible to say you are 100% safe. It's therefore imperative that your organisation has a solid data breach response plan.
Not only does a well-practised and executed response plan minimise the fallout from a breach in terms of your organisation's reputation, it also drastically reduces the eventual cost of the breach. According to data from IBM and the Ponemon Institute, the average cost of a breach in South Africa was R32.36 million. The average per capita cost was R1 632. The longer it takes to deal with a breach, the higher that cost climbs.
But what should a data breach response plan include? Who should know about it? And how can you ensure that you're ready to implement it when the time comes?
Build a solid response team
Before you even begin putting a plan together, you should ensure you have a solid response team in place. You simply cannot wait for an incident to happen before deciding who should be involved in dealing with it.
The team should be drawn from departments across the organisation, including customer care, executive leaders, IT, and HR.
This team should also include external partners (if you don't have them internally) such as legal counsel, communications, forensics, and your technology providers.
Everyone in this team should be aware of what responsibilities they have when it comes to responding to a data breach.
And the planning doesn't stop with the selection of the team. Simulating different event scenarios will assist the team to work together to execute the planned response. Practice makes perfect!
While there may be some technical work that needs to be done in the event of a breach, the real emphasis should be on communication.
Internally, everyone within the organisation should have an accurate idea of what caused the breach and what steps are being taken to minimise the damage and secure customer records. While employees may not talk to the press, they will talk among themselves as well as to friends and family. If they have a clear idea of what's going on, they can help create a sense of calm and avert unnecessary panic.
It's also important that organisations include communication with regulators and legal authorities in their breach response plans. There are a couple of important reasons for this. First, it is increasingly a legal requirement -- thanks to legislation such as GDPR and POPIA -- that organisations inform authorities of breaches. Secondly, having a good relationship with regulators and legal authorities means that they can guide the organisation and its impacted customers on whether they need to take any steps in addition to those already being undertaken.
Perhaps the most important part of the response plan, however, is customer communication. Security breaches that compromise customer data almost always negatively affect customer confidence. In order to regain that confidence, it's vital that organisations get information out as quickly as possible -- either as reassurance or as notification that their personal information has been breached, and what they should do about it.
No matter who it's addressed to, this communication should be calm, informative, and factual.
Sweat the details
In order to ensure effective communications in the wake of a breach, it's important to ensure that the small details are taken care of.
As well as mapping out processes, organisations should prepare drafts of any communications that need to go out. These include:
* Holding statements for a variety of incident types
* Public Q&A document to address customers, investors and media
* Letter to customers from company leadership
* Internal employee fact sheets
With these templates and up-to-date recipient lists in place, an organisation should be able to dispatch the requisite information by email and SMS within minutes of becoming aware of the breach.
Test the plan. Then do it again
Ultimately, an organisation's data breach response plan should allow it to go into 'safe' mode in the event of a breach. This, in turn, should allow it to run system checks to identify the breach, alert a task team and communicate to affected parties, service teams, the information regulator, and media accordingly.
In order for this to happen, it's vital that the plan is repeatedly tested and refined. This not only stops people getting complacent, it helps keep the plan fresh in the face of new threats and employee turnover.
With the right plan in place and the ability to execute it, an organisation can not only contain the damage caused by a data breach, it can emerge from the incident stronger and more resilient.