Data breaches are a reality in today’s business world. Experiencing one or hearing about one is no longer a surprise to many, especially professionals in the security industry, because no system is wholly secure. The best line of defence is a thorough and ongoing data security program. Therefore, having a plan to respond to and recover from a security breach is essential for every organization of any size. No company, big or small, is immune to a data breach. Many small and medium companies falsely believe they can elude the attention of hackers or cybercriminals, yet studies have shown the opposite is true. According to the Symantec SMB Threat Awareness Poll Global Results, 40 percent of the data breaches in 2011 were at small to mid-sized companies.
What is a data breach?
A data breach is unauthorized access to, disclosure of, or loss of the personal, health, and sensitive information that an organization holds or processes. Under this definition, some organizations may have experienced a breach without recognizing it as one, for example by losing a USB drive holding copies of personal data. Most organizations have only considered hacking or ransomware attacks as data breaches, but the term goes beyond just that.
Below are some potential data breach examples:
Whatever the cause of the data breach, some form of harm can come to the organization’s employees and customers or clients. The harm may include financial, social, reputational, psychological, or physical impacts on an individual, and reputational or financial damage to the organization itself.
Since data breaches are becoming more common, how a company responds to one can go a long way toward maintaining its business reputation, keeping the trust of its customers, and avoiding or reducing hefty fines by regulatory authorities. As with any crisis, a quick and decisive response is critical. But here is the problem: most breaches go undetected for a long time. According to FireEye’s 2016 Report, it took organizations across the world an average of 146 days to detect a data breach. A separate report found that 81 percent of data breaches are not detected until news reports, law enforcement notifications, or external fraud monitoring bring them to light. The longer a breach goes undetected, the more harm it can do to your business.
Security breaches committed against you, or against an organization with access to your personal information, are serious crimes and are understandably stressful to the victims. Most data protection laws require private organizations and government entities that have access to or process personally identifiable information to notify affected individuals in the event of a security or data breach. So, if you read about a data breach in a news report and are unsure whether you are affected, you will probably be notified if you are.
As stated clearly by VISA: “Because data compromises are often complex, it is challenging to make the rapid communication decisions needed to mitigate the potential harm of a breach. These situations are often further complicated by the reality that every data breach is different and there may be no precedent within your organization for responding. But the stakes for handling a breach effectively could not be higher, and the impact on your business — depending on a variety of factors — can be huge. The impact of a poorly handled breach can reach throughout your business in both the short and long term: bad press, lost sales, mitigation, and litigation, as well as the uphill battle to rebuild your reputation.”
The first step is to identify the type of attack that occurred and which aspects of your data, personal information or organizational data, were potentially affected. If, for instance, the theft was from a company’s payment system, then it is highly likely that personal payment information is at risk. Suppose a security breach gained access to personal identification information, such as passport, Ghana Card, Voter’s ID Card, or driver’s license numbers. In that case, you could be a potential victim of identity theft.
According to the Cost of a Data Breach Report, data breach costs surged 13% from 2020 to 2022. You cannot afford to be unprepared for a data breach’s aftermath. It is up to you to control the situation and protect your brand from the potentially devastating reputational hold of a data breach, and also to avoid hefty penalties by regulatory authorities or supervisory agencies.
Data breach response policies are essential for organizations of any size. A response policy should outline how your company will respond in the event of a data breach and lay out an action plan for investigating potential breaches and mitigating damage when a breach occurs.
When an organization discovers a data breach, whether hackers took personal information from your corporate server, an insider stole customer information, or information was inadvertently exposed on your company’s website, you need to be strategic and tactical in dealing with the incident.
The following are some steps suggested by the Federal Trade Commission (FTC) for dealing with a data breach:
Author: Emmanuel K. Gadasu
(Data Protection Officer, IIPGH and Data Privacy Consultant and Practitioner at Information Governance Solutions)
For comments, contact the author ekgadasu@gmail.com or Mobile: +233243913077