From the stomach-churning moment you discover your organization has lost customer records or employee details, to the moment regulators are breathing down your neck for answers, suffering a data breach is by no means pleasant, but the way you respond will have a profound effect on the future of your business.
With 60% of breached small organizations closing within six months and 93% of organizations that lost their data center for ten days or more filing for bankruptcy (Source: National Archives & Records Administration), it’s time to face facts. How would you deal with your first data breach?
Below are five essential steps to surviving your first data breach:
- Hit the ground running
Speed is of the essence, so it is essential to act as soon as you can. A breached organization that acts quickly is looked on favorably by regulators, as well as the media and its customers.
- Gather evidence
It is critical to discover exactly what has been leaked – which customers have been affected, by whom, and when. You need to gather as much information as possible (usually by deploying forensic security professionals). If your network is a crime scene, it needs to be treated as such.
- Disclose and inform
Once the seriousness of your breach has been established, your next step is to notify interested parties. Even though you’ll want to keep the breach as quiet as possible, there’s no doubt that customers and other important stakeholders need to be aware. Plus, it’s better that they hear it from you than read it on the front page of the New York Times.
- Keep your customers onside
Understandably, your customers will be worried about what the data loss means to them, so sharing as much information as possible, as well as positive routes to remediation, will help.
It’s common practice to offer a credit monitoring service, and some customers will also want reimbursement for having to go to the trouble of replacing their driver’s license and other forms of ID.
- Formulate a media strategy
If your breach is going to be outed to the media, it’s best if it’s on your terms. Appoint someone in your team to liaise with the media; otherwise, journalists will go to their second and third sources, which may be people you don’t want to hear talking.
Keeping the media and public posted is critical to external perception of the way the crisis is being handled.
These five steps were taken from Stewart Mitchell’s pocket guide, ‘How to Survive a Data Breach’, which provides an essential guide for CEOs and directors who would like to have a tried and tested procedure in place for dealing with data breaches. The pocket guide is available in softcover, eBook, ePub, and Kindle formats.