Being adequately prepared to respond to a data breach is an ever-changing game – new threats are emerging, new regulations are being put into place and companies must regularly re-evaluate their response plans to ensure they are applicable to today’s threat landscape. Unfortunately, many companies are not reviewing and updating their plans frequently enough – in fact, only 25 percent of companies say they update their response plans once or twice a year. Not to mention that no matter how well prepared and updated a company’s plan is, an actual live breach response can present unforeseen challenges that cause companies to stumble.
At Experian Data Breach Resolution, we consistently see similar “fails” from companies across all industries during their planning and response to data breaches.
Failure to work with the proper external experts who can help you navigate the issue.
The team you surround yourself with during a data breach response is crucial to executing a smooth response which in turn can reduce the financial fallout and ensure the breach is contained quickly. This includes working with external experts in IT forensics, cyber insurance, legal counsel, communications and data breach resolution that will help companies follow best practices. But it’s not enough to simply have a list of experts to call on once a breach happens – these are experts you want to start building relationships with before a breach occurs so you can quickly and efficiently assemble the right people when necessary.
Failure to anticipate emerging threats that complicate breaches, such as ransomware.
The threat landscape is anything but stagnant – new threats are emerging constantly, and a one-size-fits-all response plan will not account for attackers’ latest techniques. One emerging threat that many companies have yet to plan for is ransomware. This attack can have a lasting impact on organizations, including malware left behind that could cause further damage down the road. When faced with a ransomware attack, organizations need to move quickly to respond to the attacker, as well as communicate with regulators regarding the incident. By accounting for and practicing a simulated response to a ransomware threat ahead of time, companies can decide under what circumstances they would pay a ransom and determine the best way to work with regulators to report an attack.
Failure to practice or incorporate “worst-case scenarios” in data breach preparedness plans
Practicing a data breach simulation is a well-known tactic to ensure data breach response plans are relevant. Unfortunately, only 55 percent of companies include a fire drill as a part of their data breach response practice. When they are completed, simulations are often conducted around a conference room table and follow a predictable cadence, which doesn’t pressure-test for real life circumstances. Instead, companies should include more difficult scenarios in their practicing, conduct fire drills at surprise times to see how the team adjusts, and conduct the drills in realistic settings that would mirror a real life breach response.
Failure to properly communicate while an issue is under investigation.
Many organizations are extremely cautious about how and when they communicate to the public that they have experienced a data breach. And rightly so – communicating too much information before all of the facts are known could lead to misspeaking about the breach or expose security weaknesses that other attackers could take advantage of before security practices are properly shored up. But waiting until a breach investigation is over, which can take weeks or months to complete, can leave customers, stakeholders and media without any official comment from the company to reassure them that the breach is known and an investigation is underway.
It’s important for companies to strike a balance for communicating about a breach investigation. Companies should talk about the steps they are taking to investigate the issue, but consider resisting sharing any hard numbers of consumers impacted or making any definitive statements. By communicating steps taken when an investigation has started but is not complete, companies can demonstrate that they are transparent and operating in the full interest of their customers.
Failure to engage all key audiences.
Lastly, for many companies, the first area of priority when communicating about a data breach are impacted customers. While this makes sense on the surface, there are other important groups – employees, partners, the customers’ customers – that also need to be properly and quickly informed to help protect brand reputation. The first step is to ensure you are accounting for all key audiences in your response plan, and tailoring the best way to communicate about a data breach to each impacted group. This could include packaging up specific guidance for individual audiences, sharing resources to help different audiences ask questions or receive updated information, and holding internal town halls to allow employees to voice their concerns directly.
The good news is companies don’t need to learn about these “fails” the hard way. By addressing these potential pitfalls in response plans, companies can work to get ahead of these issues.