The key steps to managing a data breach

In today’s online working world, data breaches are a rapidly growing risk. You can no longer simply assume that your networks are safe and secure; be prepared so you can act fast if the worst should happen.

Your goals should be threefold: 

  1. Strengthen your network security as much as possible
  2. Stop data from being stolen
  3. Fix the damage so it doesn’t happen again

We’ve put together a comprehensive guide on data breaches to get you started.

What is a data breach? 

A data breach occurs when malicious actors gain unauthorised access to a system. The system is compromised, and the attackers obtain sensitive or confidential information.

Data breaches can happen for many reasons. A very common cause is poor security procedures: for instance, an employee could have their login credentials stolen, or an attacker could gain access to a password-protected system.

These breaches can happen anywhere: from hospitals to banks, or schools to news agencies. The possibility of privacy and security being jeopardised is a serious threat to any organisation, and can have equally serious ramifications.

In October 2017, US credit reporting organisation Equifax had multiple millions of data records stolen on its watch. The theft occurred due to a vulnerability in third-party vendor Apache Struts. An employee tasked with patching the vulnerability did not do so. This set off a series of spiralling events that ended with the data leak and the loss of millions of data records.

Equifax was fined around $900,000 AUD and has since spent a further $1.4 billion AUD upgrading its security. The data breach was the type dreaded by companies worldwide, and stands as a testament to the importance of cybersecurity and incident response plans.

The ramifications of a data breach

A security breach can be caused accidentally through human error, or through an organisation’s failure to implement effective security systems. It can also be caused deliberately in the form of a malicious attack perpetrated by an outside party.

Whatever the initial cause, the consequences are dire:

  • Identity theft or fraud
  • Financial loss (for both the organisation and its customers)
  • Damage to the business’s reputation
  • Loss of business opportunities or employment
  • Loss of customer base
  • Disruption of services
  • Unsolicited marketing/spam emails
  • Physical harm or intimidation

The legal ramifications are also severe. The Australian Privacy Act implemented a Notifiable Data Breaches (NDB) scheme in 2018 that requires organisations to notify affected customers, partners, and the Office of the Australian Information Commissioner (OAIC) of data breaches.

The purpose of the NDB scheme is to ensure affected individuals are notified if their personal information is involved in a data breach which could cause them serious harm. It also holds organisations accountable for privacy protection.

The consequences for failing to act under the NDB scheme in the event of a data breach depend on the type of breach. Fines can range from $525,000 to $2.1 million AUD for a corporate body, and from $105,000 to $420,000 for any other organisation.

Preparing for a data breach

Assuming that the worst will eventually happen is the first step to being fully prepared. To minimise the consequences of a data breach, you should have an incident response plan to act upon.

This plan will require different types of training and policies, depending on the needs and functions of your business. Generally, a series of “to-do” lists will provide information and tasks for you to cover in the event of a data breach.

Your incident response team should consist of:

  • Response team: tasked with shutting down your networks
  • Legal team: tasked with sorting out potential legal actions and consequences
  • Public relations: tasked with liaising with the public via press releases, social media, etc.
  • Executive team: tasked with communicating to affected individuals what has happened

Each individual within your organisation – or outsourced support, such as managed services or lawyers – should be fully aware of their duties. Running data breach test simulations regularly will keep the incident response plan fresh and your response team confident.

Doubling down on your cybersecurity is another strong avenue to take in preventing data breaches. Using two-factor authentication, application whitelisting, and regular employee security training will further minimise the possibility of a breach.

How to manage the data breach

If your private information has been accessed by malicious actors, it’s time to put your incident response plan into action.

Four key steps you need to know when managing a data breach:

  1.   Contain the breach as soon as it has been detected, to prevent further data compromise. Document every step and any information that can be useful to forensic investigators in the next step.
  2.   Assess and investigate the circumstances of the breach – what is the risk assessment of harm to affected individuals?
  3.   Notify affected individuals and the appropriate supervisory authorities. In some cases, fines are issued if breaches aren’t reported within certain timeframes.
  4.   Review the data breach and response. Create a long-term strategy to prevent future breach events and improve incident response.

Once the breach has been dealt with, you need to ensure that the evidence is preserved. This can help your forensics investigations team discover who was responsible. Preserving the evidence can also give you insight into your network vulnerabilities that need stronger security or patches.

Your legal counsel will advise you on how to publicly address the incident. Check if the incident falls into the NDB scheme parameters, and follow the scheme’s guidelines on informing affected individuals about their personal data.

If you delay informing the public about the breach, it is likely people will find out from another source. For instance, an employee could leak the news through their personal social media. This could make it look like you have something to hide. Send out a public statement as soon as you possibly can.

Get help from the experts

Planning for and subsequently managing a data breach can be tricky business, particularly for smaller companies. Breaches can happen very quickly, and your employees may not be equipped to handle them quickly or efficiently.

Get top-quality advice and support from the specialists at Essential Tech. They can help you plan for the worst, act fast in the event of a breach, and strengthen your security to minimise the risk.
