Even in the aftermath of the high-profile data breaches at Target, Neiman Marcus, and Michaels earlier this year, many businesses are not yet responding to the wakeup call that these massive breaches have sounded. Data breaches are unexpected, unplanned, and often occur too quickly for a company to prevent, but the existence of an effective strategy and a formal data breach plan will prepare a company for the day when such a breach may very well threaten the organization's ability to survive the experience. Being overconfident that such an incident isn't going to happen is simply foolish.
"There are more organizations this year with pre-breach response plans in place," says Michael Bruemmer, vice president of Experian Data Breach Resolution. "But at the same time, there are many retailers, manufacturers and small businesses that are lagging behind." Among the reasons why some organizations don't have even the basics of a plan in place, Bruemmer says, is that they lack the resources or aren't aware of regulatory requirements for risk assessments and breach notification.
Throughout the world, companies are finding that data breaches have become very common and far more expensive to survive than expected. With the exception of Germany, companies are spending more on investigation, notification and response when their sensitive and confidential information is lost or stolen. As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company was $3.5 million in US dollars. The research also reveals that reputational damage and the loss of customer loyalty do the most harm to the bottom line. In the aftermath of a breach, companies find they must spend heavily to regain their brand image and acquire new customers. The report also shows that certain industries, such as pharmaceutical companies, financial services and healthcare, experience high customer turnover in the aftermath of a data breach.
Security experts say the basic components of an effective breach response strategy include:
- Creating a competent response team.
- Devising a well-documented strategy that covers discovery, forensics, response, and notification and reporting.
- Implementing effective training, and testing and auditing the plan to continuously improve it.
Also, the plan must be regularly updated as the business continues to grow in size and complexity. Factors like new business partners, data sources, technologies and additional business units can complicate the data infrastructure, adding new requirements to an effective incident response plan.
Another essential component of building a better breach response strategy is involving senior management and the board of directors. After all, mishandling a breach can affect a company's financial viability. The need for C-level involvement was evident following the Target breach, when the company's public messaging showed that its top management was slow to recognize which messages and media outlets must be used to communicate successfully in the wake of an event. While Target eventually used social media and improved its talking points, the delay in getting to that point signaled a lack of preparedness among the company's top leadership.
Every business should plan for the unexpected, including a data breach that can hurt the brand, customer confidence, reputation and, ultimately, the business. It is important to develop an incident response plan to help detect an attack before it happens and to have procedures in place to minimize or contain the damage. Learning from the experience of others who have made the headlines in the past is far more desirable than becoming the next headline.