When hackers penetrate your public and private networks, it can lead to devastating consequences. A data breach can not only destroy a company’s electronic data, it can also bankrupt a business.
The average data breach costs $4 million, according to a 2016 study from IBM. The study also reports that the average cost incurred for each lost or stolen record containing sensitive and confidential information increased from $154 to $158 over the past year.
When it comes to the volume of attacks, the numbers are simply staggering. It is estimated that over 900 million records of personally identifiable information (PII) have been stolen in the U.S. over the past few years, according to NetworkWorld.com.
Any company in any sector can be hacked. So what should businesses do if they are the latest victim of a breach? Having a proactive cybersecurity strategy is a company’s best defense. Following these three essential R’s is a defense strategy that belongs in every company’s first aid kit:
Identifying the source of the incident is paramount to minimizing the resulting damage. Internal controls play a significant role in identifying a hacker’s point of entry.
Monitoring logs and network access is especially critical because this is where signs of a breach will most likely turn up. Large file transfers that do not occur in normal operation could be a sign of a security incident, as could a sudden drop in throughput on a network that normally has ample bandwidth.
A company’s incident response plan to unauthorized access should be able to cut off the access point, slow down the intruder, preserve the environment that has been compromised and speed up recovery. This can be accomplished through proactive monitoring, user training and a layered security approach.
Forensic analysis will likely be required to determine the full range of files compromised. If a company does not have the means to do a full forensic analysis internally, it should enlist the help of an outside provider experienced with cybersecurity risk mitigation. A third-party provider can reduce the risk that an unauthorized user still has access to a company’s electronic data and assist the company in taking the appropriate steps to prevent a similar event from occurring in the future.
Companies must also notify all affected parties. No matter what was accessed, companies will likely need to communicate information about the breach. It is rare to find a breach that does not involve additional regulatory requirements related to disseminating information about what happened. Many states have breach notification laws, and companies will need to consider which notification laws would apply to their case.
Companies experiencing a breach may also be required to provide services that monitor credit reports and other information related to financial security to the individuals affected by the breach. This service would have to be provided for one to two years, depending on the severity of the incident.
The company will also be subject to payment card industry data security standard (PCI DSS) oversight. PCI DSS has four tiers of monitoring, with the first being the most stringent. Companies subject to Tier 1 PCI DSS monitoring will have to demonstrate, through documented due diligence, that the environment around the credit card information is secure. A company in possession of credit card data that has been breached is automatically held to the highest tier (Tier 1) requirements.
Compromised healthcare records will have to follow Health Insurance Portability and Accountability Act (HIPAA) regulations for breach notification. Compromised entities must notify the affected individuals and the Secretary of Health within 60 days of the breach. The organization may also have to notify media outlets, depending on the type of breach.
The regulatory environment surrounding the compromised data may require the implementation of long-term corrections. Both HIPAA and the PCI DSS will ask for monitoring and due diligence related to the security of their respective records. First priority goes to fixing the problems that led to the breach.
Companies that tie a breach back to a third-party vendor should work with that vendor to understand what it is doing to prevent a similar event from occurring in the future. They should also discuss what the vendor can do to better secure data transferred between the two entities.
If the breach occurred through wireless access to the network, companies should consider strengthening encryption for wireless access, issuing unique user IDs and making passwords for access more complex. Breaches that resulted from lost or stolen devices may require companies to create a policy on when to remotely wipe devices.
Changes should not stop with the immediate problem that needs to be addressed. Cybersecurity is an ongoing process. Periodic cyber risk assessments can help identify emerging sources of vulnerability before they become targets of an attack. They can also help a company prioritize its cyber risk procedures. Not every piece of data needs to be secured to the same level; doing so is neither cost effective nor reasonable. Companies should instead identify the information that holds the most value for them or is subject to regulatory requirements. Consider intellectual property, financial information, and other personally identifiable data, and what can be done to secure these areas.