How to understand the true implications of a data breach for your organisation
The path to enlightenment
If a business or organisation suffers a cyber-attack resulting in the loss of Personally Identifiable Information (PII), it will have to notify the people impacted if they are deemed to be at high risk of identity theft. The first time most organisations think about what this truly entails is after they have suffered a data breach.
Working out what to tell customers, what channels to use, how to handle queries and how to allocate sufficient resources to manage the response is complex – made even more difficult in the heat of a post-breach situation when speed is critical and your reputation is at stake.
It is so much better to do all of this thinking, planning and preparation in advance. So many organisations come to us in a crisis situation when they need to react fast to minimise the damage of a data breach – without knowing where to start. That’s why we advocate a pre-breach consultation, which enables organisations to go through a logical process to determine what a data breach recovery would look like for them, and how it could be managed and resourced. Every organisation is different, which means that every response plan needs to be customised.
Visualise your notification campaign
The first step is to consider how many customers you might need to inform following a data breach, and how you will contact them. The preference for many businesses is to contact customers by email, in which case you need to ensure you have email addresses for every customer. If you don’t, you will need a postal address or phone number. Think about how long it will take to contact all of your customers. Your desire may be to contact everyone within 24 hours of a breach, but if you have a million customers that simply will not be possible. Three to five days is more realistic. If you know this in advance, you can set expectations and prepare appropriately.
Prepare your messages
Next you need to think about what you will tell customers. To some extent, this will need to be adapted following a breach, to reflect the specific nature of the incident. However, many key messages can be agreed in advance, and these will need to be signed off within your organisation – particularly by legal teams.
What entity or brand will you use? Do you have multiple brands across international borders, for example? Do you need different messages for different cohort groups, such as employees, customers, pension holders and others? If you can pre-approve messages and templates for all groups in advance, it will save a great deal of time following a data breach.
Get your resources ready
Having determined how you will contact customers and what you will say, you need to think about the resources required to deliver this communication campaign. Do you have the skills and resources to handle this in-house, or will you need external support? Do you need to train people in advance, so they are ready to respond quickly in the event of a crisis?
What about the resources you will need to handle queries from affected customers? If you are informing thousands of people about a data breach, how will you handle potentially hundreds of incoming calls? What will you say to people? If your customer base is international, do you need agents who can answer queries in different languages? Ideally, you need to have scripts prepared in advance to ensure you give consistent messages to those affected. Failing to respond to incoming queries could be hugely damaging to your organisation. Having informed customers that their data has been compromised, you will compound people’s anxiety and uncertainty if you are unable to answer their queries promptly.
What is your attitude to risk?
Having understood the implications and the response requirements, you then need to think about your risk appetite. How much do you want to invest in preparing in advance, and how much are you willing to leave to chance? If you need external call centre resources to manage your response, are you happy for these to be provided on a ‘best endeavours’ basis? That means your crisis response provider will do everything possible to provide the resources you need, but without providing any guarantees.
Response resources are finite, and if there is another breach on the scale of the MOVEit exploitation, those resources could be in short supply. An alternative is to pay a retainer for a “reserved response” service, which guarantees that the resources you need will be available in the event of a data breach.
Implications for your whole organisation
There are lots of balances to strike in planning and preparing for a crisis response. One thing that quickly becomes clear is that this is a business issue, not just an IT issue. The impact of a data breach affects the entire organisation and all its customers or service users. Clearly, suffering a cyber-attack is extremely disruptive to business operations, requiring significant work to get IT systems back up and running. But in addition, managing your customer response and helping to minimise financial and reputational damage is just as complex and fraught with challenges. There’s a lot at stake, so it’s important to get it right.
Throughout our consultancy work, we aim to serve up a dose of reality and enlightenment. We help organisations to assess what they will need to do in practice, how long it will realistically take and what they can do to prepare for an efficient and professional response. The outcome is a well-considered “consumer response plan” that can be signed off by the board and which enables everyone in the business to understand their role in the event of a data breach. How to ensure this plan is resilient and can be enacted in practice will be the subject of my next blog.
How can we help?
If you’re concerned about the impact of a data breach on your organisation, please get in touch with our crisis and data breach response specialists via email to book your consultation or call 0844 4815 888 to talk about the Reserved Response options and consultancy available to you. Alternatively, please visit our website for more information.