Data breaches: prevention and planning
The threat of data breaches affects all kinds of business, both large and small. So, how do you make sure you are prepared and have planned for the worst?
It may be easy to slip into thinking “Oh, it might never happen…” but you’ll kick yourself if it does. The fallout could be devastating and might have been avoidable.
The benefits of taking positive steps to recognise the risks, putting measures in place to prevent breaches occurring, and adopting policies and plans which are ready to swing into action as soon as a data incident or breach occurs really can’t be overstated.
Latest stats on data breaches are concerning
We regularly hear in the news of yet another company suffering a data breach. Let’s look at the scale of the problem.
- Up to 88% of UK companies have suffered data breaches in the last 12 months! Many EU countries have had similar experiences. (Source: Carbon Black, highlighted by CSO Online)
- 37% of UK companies reported a data breach incident to the ICO in the past 12 months.
- 48% of UK organisations have been hit by ransomware in the last year, according to Sophos. Almost three quarters of these ransomware attacks (74%) resulted in the data being encrypted.
According to the UK Government’s report into cybersecurity breaches:
- Only 31% of UK organisations have carried out a cyber risk assessment in the last 12 months.
- Only 57% of large companies have cybersecurity incident response processes in place.
Performing under pressure
The stakes are high. With the clock ticking to meet notification timelines, it’s vital your business’ response is both rapid and effective.
Organisations are increasingly judged not by whether they are compromised, but by how well they detect and respond to data incidents. Handling an incident badly could irrevocably harm a business’ reputation.
Being well prepared will help you to keep your brand’s reputation intact and reduce the chances of regulatory action.
Preparation is vital to prevent costly mistakes. So, what can we do to make sure we’re well prepared?
Know your main data breach risks
Carry out a threat assessment to understand where your key data risks lie. External threats like phishing and ransomware continue to be of great concern.
But interestingly, the ICO’s Data Security Incident Trends report (Q2 2020/21) shows that nearly three-quarters of reported breaches were classed as ‘non-cyber’ security incidents. For example:
- Data emailed or posted to incorrect recipient
- Verbal disclosure of personal data
- Loss/theft of paperwork or data left in insecure location
- Failure to redact personal information.
Many of these breaches might have been prevented by better training of employees, adopting good practices (which should be routine) and, quite simply, people taking greater care when handling personal data.
Seek Executive support
Take the time to make sure your Executive team are fully engaged in information security. This is time well spent and can significantly increase the success of your data breach response plans.
Your Executive team can support you to drive awareness and training, helping to ensure positive practices and behaviours cascade down and throughout the organisation.
Create a data incident playbook
A good playbook is vital to responding to a cyber incident. This combines the policy, key actions, procedures and communications associated with responding to an incident.
Your playbook should typically cover these topics:
- Incident reporting and recognition
- Appointing your Incident Lead and first responder team
- Establishing the key facts rapidly, and agreeing the tasks to be carried out within the first 24 hours. For example: review what you know so far, ensure evidence is documented, carry out forensics, confirm whether any personal data has been breached, stop any further data loss, alert key people and partners, and so on.
- Identifying, assessing and documenting any risks to individuals whose data may have been breached
- Rapid and effective triage to mitigate these risks
- Escalation and internal communications
- When to notify the regulator and when/how to notify data subjects, if appropriate.
- External communications and PR.
It’s wise to also consider carrying out a simulation exercise using likely scenarios, so you can see how well your plans work in practice.
Learnings after a breach
Prevention is clearly vital, but personal data breaches WILL happen, as the stats clearly show.
Whether it’s caused by a cyber-attack, the actions of an employee, a software vulnerability, loss of an unencrypted device, or indeed something else, a personal data breach has the potential to seriously damage your customers’ trust and your reputation.
Being prepared means you can act swiftly, following a clear plan with pre-defined actions and responsibilities. In the words of Lance Corporal Jones of Dad’s Army fame, you really can say “Don’t panic!”.
Simon Blanchard, March 2021
Our experienced team can develop or review your incident procedures, run simulations and provide rapid support in the event of a suspected or actual personal data breach. Contact us
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.