Fifty-six percent of organizations experienced a data breach involving more than 1,000 records over the past two years, and of those, 37 percent occurred two to three times and 39 percent were global in scope, according to Experian. In 2017 in particular, there were more than 5,000 reported data breaches worldwide, and there were more than 1,500 in the U.S. alone.
In an effort to help businesses prepare for data breach response and recovery, Experian launched its new Data Breach Response Guide last month to provide in-depth strategy and tactics on how to prepare for and manage incidents. One area for improvement is actually practicing the data breach response plan, so that the company can be confident it will handle an incident successfully. In our 2018 annual preparedness study, only 49 percent of companies said their ability to respond to data breaches is, or would be, effective. One of the reasons may be that most boards of directors and C-suite executives are not actively involved in the data breach preparation process, nor are they informed about how they should respond to an incident.
Businesses should conduct an audit of every component of a response plan. Security leaders should also assess whether external partners are meeting the company’s data protection standards and are up-to-date on new legislation. For example, healthcare entities should guarantee that business associate agreements (BAAs) are in place to meet the Health Insurance Portability and Accountability Act (HIPAA) requirements. Additionally, vendors should maintain a written security program that covers their company’s data. Realistically, an organization could have up to 10 different external vendors involved in a data breach response, so keeping this circle secure is important.
It’s very important that a data breach response plan be updated and practiced annually. It should also have buy-in from all of the key personnel and departments involved, because a data breach response is a company-wide effort. To make sure the effort runs across the whole organization, each key department should have a representative on the official response team.
To practice the plan, businesses should dedicate half of a day to conduct a simulation exercise. For an effective drill, businesses should consider engaging an outside partner to facilitate and moderate. It’s also a good idea to include external partners in a drill, such as legal counsel and a data breach resolution provider.
When businesses conduct a drill, they should test whether they can address the different scenarios the organization could face. These scenarios should be pertinent to the industry, the type of data collected and the way the business’ IT infrastructure is set up. However, not every scenario can be played out in a realistic time frame. A true response will likely take weeks to address, not hours, so a drill requires some compression and imagination. Companies will still achieve the desired outcome of honing response skills and testing key decision-making protocols.