As the era of Big Data continues to march forward, so does the number of data breaches. Organizations seem to become more vulnerable every day with breaches rising at an alarming rate. In fact, studies, such as “Quantifying the Data Breach Epidemic” from IBM, indicate that companies are attacked an average of 16,856 times per year, and many of those attacks result in a quantifiable data breach.
And with the average breach costing $5.4 million for businesses in the United States, according to the Ponemon Institute, it’s important to be prepared. Multiply that by the hundreds, thousands – even millions – of records that are typically compromised in one breach and you begin to realize just how costly a data breach is both on reputation and a company’s bottom line.
With this reality facing us, many security experts are convinced that data breaches are inevitable. If that is the case, what can your organization do to minimize the damage? Based on experience servicing some of the largest breaches to date, including three of the four largest breaches in 2013, Experian Data Breach Resolution has compiled six important lessons learned from the data breach trenches.
For more guidance on how to prepare for a data breach, you can also download the Experian Data Breach Response Guide, which is available for free.
Michael Bruemmer is vice president with the Experian Data Breach Resolution group. A veteran with more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to sales and operations.
The six data breach best practices below, as identified by Michael Bruemmer, vice president with the Experian Data Breach Resolution group, can help your organization minimize the damage caused by a data breach.
No one is foolproof: We’ve learned that every sector is susceptible, and when cyber criminals find vulnerabilities, they will use them time and again to attack organizations in the same industry. We’ve seen this across every kind of business, from banks and retailers to the health care industry. While you may not be able to avoid a breach, security professionals can significantly reduce the costs and reputational fallout by being prepared. That means having a strong IT security posture, a chief information security officer or outsourced IT consultant, and an incident response plan. An up-to-date response plan can save an organization nearly 25 percent per record, which in the U.S. can mean a savings of $1.1 million per breach.
Your response plan – similar to a fire drill – should be practiced and backed by a solid team, which includes C-suite executives, IT, legal counsel, forensics, breach resolution providers, public relations and human resources.
It pays to listen: When an organization employs a collaborative process, it usually has a much better outcome. That means IT professionals should be listening to experts, such as forensic teams, breach resolution providers, privacy attorneys and public relations or crisis communication consultants. After all, these firms walk, talk and breathe data security and data loss every day. According to a recent study from the Ponemon Institute, organizations that hire consultants to help with their data breach response and remediation efforts have lower costs per capita for a data breach.
Investigate first, talk later: Many organizations feel pressured to inform the public – especially the media – as soon as they discover a breach. This, in turn, can induce panic among consumers and lead to poor decisions and crucial mistakes. Instead, the best practice is to finish the forensic investigation before announcing the breach. If the situation somehow leaks, then provide the press with what you know and tell reporters you will give them the rest of the information when the investigation is over. If the incident isn’t leaked, then wait until the conclusion of the investigation. That way, you will have all of the facts in front of you when you announce it. More than 65 percent of polled consumers want to know the risks or harms they may face after a data breach. That means providing detailed, accurate information.
Rebuild trust with customers: Oftentimes, organizations treat a breach like a compliance issue. In other words, they take all of the correct steps and check off all of the boxes on their forms. But in the process, they often forget about the people affected by the breach: their customers, patients or employees. They’re the ones most likely to call the media or litigators, and maybe even switch to the competition.
Organizations need to think about their breach population and rebuild trust with them. That means sending clear, honest breach notification letters or emails; providing well-rounded credit monitoring or identity theft protection; and keeping an open line of communication. In fact, a recent study finds that most respondents believe organizations should provide protection following a data breach; 63 percent of those polled said breach populations should receive identity theft protection, while 58 percent said they should receive credit monitoring services.
Befriend regulators: In the absence of federal legislation, state regulators and law enforcement are devoting more time to helping organizations prevent incidents and protect consumers. It’s in your best interest to develop relationships with regulators before you suffer a breach. If you’ve already experienced one, however, contact regulators as soon as possible. Organizations that are more proactive with regulators could have a faster and smoother response; regulators do not appreciate being left out.
Invest in cyber insurance: Nearly all of the organizations Experian assisted last year had cyber insurance. The number of companies purchasing these policies continues to grow. The 2013 Betterley Report estimates that $1.3 billion in annual premiums were collected by U.S. insurance companies in 2013. Cyber insurance is a good investment, as it can help organizations reduce the cost of a breach. Many times, insurers can help the response go more smoothly by offering access to data breach experts and providing other valuable services. But as with any investment, IT security professionals should shop around for the best deal, and it may be wise to use a broker instead of an agent who only works for one company.