Adobe, Kickstarter, Target… the list of huge companies whose customer details and other sensitive data have been leaked to the world seems to grow every week. And if it can happen to them, it can happen to you. So what do you do if one day you find out it’s YOUR company that has become the hackers’ latest target? Here we offer our step-by-step guide to coping with a data breach crisis:
1. Prevention is better than cure
Of course, the best way to deal with a data breach is to stop it happening in the first place, and there are several things you can do to tighten up your security. The key principle here is minimizing your risk of exposure: establish robust data protection protocols and train your people to follow them. Limit access to important systems and sensitive databases, and use secure communications and two-factor authentication as a matter of course.
Financial data should be kept on a separate computer, and BYOD devices should be secured by your IT team before they are allowed access to your network.
2. Keep on top of network security
There are a few simple steps you can follow to ensure your network stays resilient against common attacks. First of all, ensure you install software and operating system updates on all devices in a timely fashion – including those brought in by your employees.
Hire a reputable company to perform periodic penetration testing on your network, which will help identify and secure any weak spots – and ensure unauthorized users don’t find them first. Set up automatic alerts if there is any unauthorized or unusual activity on your network – so someone empowered and able to fix problems is made aware if anything happens.
Designate a compliance officer who can assume responsibility for employees following your data protection policies – and remember to treat all vendors in the same way: ensure they are vetted, and require them to test their networks to the same degree as you do.
3. Don’t Panic!
If, despite your best efforts, an emergency does arise, it’s best to be prepared. Establish a process in advance so that when the worst does happen, everyone knows what to do. Establish a single point of contact to deal with stakeholders and keep everyone updated. Prepare a communications plan, including draft statements, so you can stay in control of the information flow. And, most importantly, start managing the situation immediately, even if you don’t have perfect information. Every minute counts if you are to keep your customers’ trust.
It’s an old saying in business that it isn’t the mistakes you make that matter; it’s how you deal with them. It’s vital that you give customers a remedy for the problem you’ve presented them with: establish a call center that can help if sensitive information has been compromised. For key customers, it pays to talk face to face. Hosted conferences are a good way to get this level of contact at very short notice, so you can announce the problem properly and establish action plans. Most importantly, hold regular drills so everyone in your company knows what to do.
Of course, no policy or safeguard can ever be 100% foolproof. But by taking these simple steps, your business will be more resilient, more robust – and more ready to regain the trust of your customers if the worst does happen.