5 data breach tips for businesses.
Perhaps one of your employees found a USB in the carpark and plugged it into a work computer, resulting in the deployment of some malware (i.e. malicious software). Maybe a manager handed over their credentials to cyber attackers when they were prompted via an email to click on a realistic looking login page for a familiar service provider. Maybe one of your staff sent sensitive information to the wrong person (or maybe to a long list of the wrong people if they forgot to use BCC). However it happens, businesses are responsible for protecting the personal information of their employees and customers.
In the first 12 months after the introduction of the Notifiable Data Breaches scheme in February 2018, the Office of the Australian Information Commissioner received 964 notifications from businesses that had suffered data breaches. 60% of these data breaches were a result of malicious or criminal cyber attacks. Interestingly, 35% were due to human error.
Is your business required to comply with the NDB scheme? Most small businesses (those that have an annual turnover of $3 million or less) are not, but it’s worth using this checklist to be sure of your obligations.
Given that cyber attacks are becoming more sophisticated and prevalent, businesses need to anticipate risk, establish their defences and have a plan for what to do when those defences are breached. How prepared is your business for a data breach incident? Here are 5 tips to help your business prepare for the inevitable.
1. Train your employees
Every member of staff has a responsibility to help protect the business from cyber attacks and data breaches. But without thoughtful training and support, busy employees can easily feel this is someone else’s job. Consider using an external advisor when conducting a risk assessment, to ensure that training is targeted. This may help to identify risks to your business such as the receptionist allowing entry to an unknown person or an employee unknowingly responding to a phishing email.
Data breaches occur mainly because of cyber attacks; malicious actors may abuse trust and extract information in person, over the phone, or via email. All employees should be trained on how to detect threats and how to report suspected privacy breaches. Creating a culture of awareness and transparency amongst staff will also help to unite them in their fight against external threats. In the event of a breach occurring, the organisation’s response time is critical, so the last thing you want is for a staff member to hide their error due to embarrassment, fear of criticism, or worse.
Keep in mind that any contractors you employ also need to be included in training.
2. Invest in preventative technologies and processes
What are your business’s known security risks? Engaging an expert security advisor can help you identify the weakest links in protecting your data.
Consider the potential data loss in everyday communications, and implement multi-factor authentication, encryption and secure data transfer technologies to minimise risk. Implement advanced Data Loss Prevention technologies to identify and block any breach of specific data types. Establish protocols for the monitoring of systems so that any breaches are detected in a timely manner.
In the event that the potential damage caused by data breach is an unacceptable risk to the organisation, consider engaging a Managed Services Provider to secure, monitor and patch your IT infrastructure and end-user devices on a pro-active basis.
Review your data holdings and minimise unnecessary information. Have processes in place to destroy or de-identify personal information which you no longer need to keep.
3. Prepare a Data Breach Response Plan
Anticipating the event of a data breach and preparing as fully as you can will help ensure that you are meeting your obligations under the NDB scheme. Businesses with a Data Breach Response Plan are best placed to identify and manage data breaches. Recent statistics shared by IBM suggest that on average, companies take 197 days to identify a breach and 69 days to contain it.
Do you have a plan which gives practical guidance for how to respond and who in your company is responsible for taking action? Your plan should contain practical guidance on how to reduce the harm of a data breach while adhering to your obligations under the NDB scheme. Consider also how to address multi-party and supplier breaches in your response plan.
Review and update your Business Continuity Plan, and as part of this process, consider the state of your Disaster Recovery Plan. This will ensure that in the event that the worst were to eventuate, the business and its people have an accurate and actionable strategy on how to manage a critical breach that involves data loss.
Staging planned “cyber incident game days” as part of developing and testing your risk minimisation strategy can help ensure preparedness.
4. In the event of a data breach, assess whether it is notifiable
Should a data breach occur, assess the potential for serious harm to those affected by the breach. If the risk is judged to be minimal, avoid reporting as it can lead to a case of “crying wolf”: if regular minor breaches occur and are constantly reported, when a serious incident occurs there may be inertia rather than action from the affected individuals.
Consider the particulars of the breach and use your deep understanding of your data holdings to assess the potential impact on those affected.
5. Post-breach communication
Acting swiftly to communicate directly with customers who have been affected by a data breach will help protect your brand and your relationships. Don’t be tempted to try to cover up a data breach. If your business is covered by the Privacy Act, failing to abide by the Australian Privacy Principles can mean heavy fines if the breach is considered serious and your response negligent.
Provide clear guidance and opportunity for your customers to recover from a data breach. Don’t say that the breach was minimal but then give them a long list of recommendations for how they should act: this sends a mixed message which will increase their worry and distrust. Provide information on microsites, set up support lines and allow customers to ask questions and find out how to protect themselves. Don’t send out a message on a Friday afternoon if it leaves them unable to take timely action. Be transparent and provide clear and simple information and advice in the wake of a data breach.
Now that you’re more aware of the steps that you can take to prepare, detect and respond to a data breach, do you wish to speak with a trusted advisor that can assist with defining a plan for your business and improving your defences? If so, reach out to Cloud Armour today on 1300 887 811 or firstname.lastname@example.org.