Today we face cybersecurity risks, and the data breaches that follow from them, from both internal and external sources. Ideally we would avoid a breach altogether: breaches cost time and money to clean up and damage our reputation. But even the most robust systems are not impervious to a breach, and being slow to detect and contain one is costly. A speedy response, supported by a data breach risk assessment, is therefore needed to mitigate the severity of the adverse impacts.
More often than not, a breach leaves us pondering, “What could have been done better?” So how can you put in place a plan that both helps prevent a data breach and addresses one when it happens, so that you move quickly from reactive panic to proactive progress?
The financial impact of suffering a data breach is high for companies across all sectors, regardless of size. As data security risk has increased, studies indicate that the average cost of a data breach has risen over the last few years. However, the costs are getting smaller for prepared companies and larger for those that take no precautions. Regulation also plays a role in determining what a company has to pay to recover from a data breach. With the introduction of legislation such as GDPR, compliance is becoming a significant contributor to the cost of a breach. The cost of a breach is higher in heavily regulated industries (e.g., healthcare and financial services) than in less regulated industries (e.g., media and hospitality). When these breaches occur, it is often found that the affected company had not enlisted the services of experts. Companies that are unwilling to pay for the expertise needed to ensure compliance may well suffer regulatory fines, which are becoming increasingly steep. With the threat of such large fines, companies should be proactive in order to gain a favourable view from regulators.
It is a common refrain that suffering a data breach is almost inevitable and, consequently, that the best way to keep costs low is to be prepared for every eventuality with help from the data security management team. However, you should not just have a piece of paper that says, “here’s the contact information for the security team”. Instead, it is imperative to actually rehearse these types of data security risk scenarios in an immersive environment where it is possible to test plans, identify gaps, and then, ideally, close those gaps. This greatly improves preparedness when an incident response is required. Organizations that have an incident response (IR) team and test the IR plan using tabletop exercises or simulations can achieve savings compared with those that have no such measures in place. The worst way to gain experience in incident response is by having an incident; the best way is to simulate one in a safe environment beforehand.
Losing stakeholder trust ultimately leads to loss of business, which can increase the overall cost of the breach. A huge component of this is communication, both during a breach and in its aftermath: how do we effectively get the message out to our stakeholders about what is going on? Handled correctly, these data security risk events can be an opportunity to build goodwill and generate confidence. But, of course, this requires a lot of preparation and training.
Recommended steps to effectively manage and prevent a data breach are: accept responsibility and find the cause (“Don’t cover it up!”); identify the source and the spread; have a plan in place, which can limit the financial, reputational, and legal ramifications of a data breach; put together a response team, since a comprehensive team will help create a multifaceted plan that addresses all the issues a data breach may create; make note of the lessons learned, increasing monitoring and improving communication; and, most importantly, when dealing with a crisis, think before you act.
In the current climate, remote working (if not managed properly) can expose systems to even more threats. COVID-19 changed remote working from a nice-to-have for some employees to a core requirement for almost the entire workforce. Although its full implications remain to be seen, it is indisputable that organizations now face a great deal of decentralization: new network structures that potentially reach out to private, unsecured, or unknown networks.
In times to come, this will also dramatically change the landscape of the investments that organizations make: ideally, more proactive investment in preparing, rehearsing and ensuring that they can limit the losses resulting from these types of breaches.
Organizations with successful response plans and an efficient cybersecurity risk management team will be able to recover quickly while retaining the trust of their stakeholders.
Blog Author: Arup Chakraborty, Independent Consultant, Ex-Executive Director & Group Head – Internal Audit at RP-Sanjiv Goenka Group