Could Your Business Suffer a Data Breach?
Barely a day goes by without the report of a data breach, also known as a data spill, unintentional information disclosure or data leak. But closer examination reveals that these situations are more insidious than we know.
“We often don’t hear about a data breach as most incidents go unreported,” says Michael Bruemmer, vice president of Experian Data Breach Resolution, who likens this situation to an iceberg in which eighty-five percent of the mass is below the water and only the top fifteen percent is visible. The prevalence of cybercrime is echoed by the National Small Business Association, which states that many small firms know “little or nothing” about cybersecurity. “Every company — regardless of how large or small it is — needs to be prepared for a data breach,” Bruemmer continues.
New Survey Conducted by Experian and Ponemon Institute
Understandably, the current and continuing proliferation of cybercrime makes companies nervous. Recently, the findings from a survey conducted by Ponemon Institute, widely considered the pre-eminent research center dedicated to privacy, data protection and information security policy, and sponsored by Experian, a leader in helping businesses prepare for a data breach, were released. According to this study, sixty-nine percent of respondents said that media coverage of payment breaches over the past year had caused their organizations to re-evaluate and prioritize security.
When a big company is affected, everyone knows about it — fast. However, a breach can happen regardless of company size. Among the major causes contributing to a data leak, especially among smaller organizations, are employees leaving systems unattended; visiting restricted sites; browsing social media; and clicking links embedded in spam. Other contributing factors include the loss of a laptop, tablet or other mobile device by an employee; failure to back up information often enough; plain old system glitches in which something stops functioning as it should; and the lack of solid data protection policies. Companies should set up individual passwords for every employee and require each person to change his password frequently.
The Ponemon/Experian survey found that sixty-eight percent of respondents reported that pressure to move to a new payment system, such as credit cards with embedded chips, puts consumers at risk. In other words, new and improved technologies are useful but changing over a system can in itself cause problems.
How Should Small Companies Handle a Data Breach?
All this sounds like games only the big kids on the block, i.e. major retailers, can play, but many vendors in the children’s industry are small companies. What can they do to keep information secure?
In response, Michael Bruemmer offers these tips:
- Understand the kind of data you store and how that puts your company at risk. Take a good look at all information your business collects, be it credit card data, e-mail addresses, zip codes or even buying preferences. Understand the ramifications of information you gather.
- Develop an incident response plan. “Similar to having a fire evacuation plan, the time to do this is before anything happens,” cautions Bruemmer. Review your plan as often as needed, which means every time your company undergoes a change, even a small one. If a data breach does happen, take a long, hard look at how it was handled and make necessary changes to improve the situation should it ever happen again. It’s not only Boy Scouts who should “be prepared.” Quick action can help stop further loss and potentially costly customer backlash that can maim both a company’s reputation and its finances.
- Practice your plan. Everyone who will be involved if a breach takes place needs to know their precise role and be prepared to handle it smoothly. Take the time to think through and analyze who will take the lead in decision making, contacting key players, speaking to the media if this proves necessary, and a host of other factors. It should go without saying that your contact information for anyone who would be involved in the event of a breach is always up to date.
- Consult your company’s attorney and discuss what he or she would recommend for your company should a data breach occur. Bear in mind that not all local lawyers are versed in this area; if yours isn’t, get a recommendation to a specialist. With a lawyer’s help, figure out what groups your company needs to notify, for instance, affected individuals, the media, law enforcement, and other third parties.
Managing the First Twenty-Four Hours
During the period right after a breach is revealed, companies should take certain steps. Panic has no place here; what is needed is a calm attitude and a detailed checklist spelling out who does what. Start by recording exactly when the breach was discovered and alert everyone who will be involved in responding. Stop further loss even if it means taking down some systems for a bit. Keep a log about the breach, including who reported it to whom; who knows about it; what data was compromised and how, etc. Speak to all those involved in discovering the situation and write down your findings — later on it’s hard to remember small details.
To help companies regardless of their size deal with the growing concern of cybercrime, Experian has developed a Data Breach Response Guide which lays out steps showing how to create and manage a data breach plan in easy-to-understand language. The Guide, updated annually, is available for download online or by calling Experian at 866.751.1323.
About Experian
Experian is the leading global information services company, providing data and analytical tools to clients around the world. The company helps businesses to manage credit risk, prevent fraud, target marketing offers and automate decision making. Experian also helps people check their credit report and credit score and protect against identity theft. In 2014, Experian was named by Forbes magazine as one of the “World’s Most Innovative Companies.”
About Mari Gold
Mari S. Gold is a New York City-based freelance writer who contributes to many magazines and websites. Among the topics she covers are food, travel, health, the arts and consumer goods. An avid traveler, she writes a blog, “But I Digress…”, which deals with travel, food and life experiences, at www.marigoldonline.net.