Data breaches are commonplace. Every organization that handles sensitive or private data should have a proper capability to respond to an incident. Many companies have a basic set of procedures, while others maintain a mature set of people and processes. A small percentage of organizations over the years have refined their capabilities to a professional level. Knowing where you stand and how you can improve is key to finding the right level of information-security preparedness.
Source: information is beautiful.
Data breaches are an epidemic
The health industry took a beating in 2015. A record amount of sensitive health care files were taken or went missing. According to the US Department of Health and Human Services Office of Civil Rights, about 35% of the US population had their health records exposed in 2015.
Government, financial, and technology organizations were also targeted. In total, more than 707 million records were lost or stolen in 2015, according to Gemalto’s Breach Level Index. In reality, no company is safe.
This frequency is why it is important to not only have strong preventative controls, but also a good set of processes and resources to respond to an incident. Proper crisis response can limit the damage and prevent recurrences.
Responses to a data breach
Basic controls are employed to handle the crisis and close the vulnerability of the leak. This is the very minimum. Many companies that lack forethought assemble this team after the first major data breach is detected. Yet this stage is chaos. Trying to deal with an unfamiliar situation while under the scrutiny of customers, regulators, and executives can be a nightmare. This level of capability is typically slow and focuses exclusively on aspects of the single breach.
Management is usually misguided into thinking this was a one-time event and will never happen again. The marching orders are to find this problem, resolve the issue, and return to business as normal. The weakness lies in not understanding the vulnerability is likely systemic. Plugging a hole in the dam with one finger does nothing if you ignore all the other cracks.
Mature capabilities are usually a sign of experience. These companies have had a data breach before and realized they needed to look for other weaknesses to be prepared for the next one. This approach is a realistic way of thinking, although not popular with executives. They would rather not have any incidents, and then realize the cost for such controls would be obscenely expensive. So they strike a balance. These organizations conduct risk assessments to find vulnerabilities in their data handling, may choose to pay for breach insurance, and will have internal accountability clearly established.
Professional-level data-breach capabilities are found in organizations that understand the value of their data, regulatory compliance, and the trust of their customers and partners. The best external consultant teams also possess these skills. They can swoop in and address all aspects, but for a price. Professional-class organizations carefully protect the information under their control but also put serious measures into detecting breaches and responding very quickly. They plan and regularly test their response capabilities, working to keep them current with business and infrastructure changes. Experts work with production teams to help establish compensating controls, so the business can continue to operate, even during an incident. Finally, they work to keep costs down and fine-tune the capabilities to maintain the optimal balance of corporate security, productivity, and costs.
The right level
There is no universal right level of preparedness. Every organization is different. Companies have varying risk appetites, various regulatory requirements, and oversee different types of data. In general, the more serious the consequences of a data breach, the more an organization should be looking toward mature or professional levels.
Data is valuable and breaches will continue to occur. No organization is immune. When preventive controls fail, rapid detection and competent response is required to minimize the immediate and long-term losses.
Interested in more? Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.