Thu, Oct 8, 2015

Are You Overlooking Risks in Data Breach Response?

Three Mistakes That Have the Potential to Hurt Your Company More Than the Data Breach Itself

When it comes to incident and data breach response, it is critical to identify the risks that a particular breach carries for your organization. Misjudging those risks has a direct effect on your bottom line. Your organization must look beyond mere compliance fulfillment to mitigate the risks associated with a breach, and in some cases it must break a cycle of ineffective data breach response that repeats itself incident after incident.

Certainly any organization dealing with a data breach must evaluate the financial risks. The cost of a breach can be substantial, and it is not always proportional to the volume of data that was exposed. Cyber security assessment and remediation costs must also be factored in, because skipping them is how a single incident becomes a repeat performance. Reputational risk is an equally significant concern: it can have a long-term effect on the growth potential of the company, so handling any breach in a manner that builds confidence among your constituents is critical. Below are three simple mistakes that are easy for an organization to make, each of which can sharply increase its data breach response risk profile.

Mistake #1: Underestimating the risk of harm perceived by your impacted constituents.

No company wants to be in a position where public sentiment questions its ability to protect what matters most: its customers. The affected population's relationship to the data that was lost, together with their relationship to your organization, has a direct bearing on the likelihood of class action lawsuits, customer turnover and abandonment, and damage to your brand from unfavorable media coverage. If the data is extremely sensitive (for example, detailed medical information) or the affected group is historically engaged and vocal (for example, employees or high-net-worth stakeholders), this factor means additional risk for your organization.

Mistake #2: Failing to address the root cause of the breach.

Kroll's cyber consultants have provided remediation feedback after incident response investigations to countless organizations so that those companies can remedy the vulnerability that led to the data breach. Unfortunately, some organizations choose to kick the problem further down the road, assuming they will have more time or budget to address it later, and in some cases the same vulnerability results in yet another breach. In that situation the organization not only has to deal with a second incident, it may also face further corrective action from regulatory agencies, particularly when the new breach is caused by the very vulnerability the company previously failed to fix.

Mistake #3: Not having a data breach response consultant in place.

Depending upon the scope of the breach and the urgency of the response, you may be looking for ways to shave precious time off an already time-sensitive incident response process. Putting your company in the position of running a new supplier contracting process before the incident response can even begin, particularly in the middle of a breach that requires consumer notification, eats up exactly that time. There is a history of regulatory action against companies that moved too slowly in notifying their constituents in the wake of a breach, and in many cases this happened because the company simply was not prepared in advance to handle the size or scope of the event. Establishing relationships with legal counsel and with cyber incident and breach response service providers before any security incident occurs smooths the process and supports a timely, efficient response.

In short, companies can do much to avoid compounding the damage of a breach by performing some important prep work ahead of time: understand the needs of your constituent population, have a security risk assessment process in place and follow through on its recommendations, and put in the legwork to build relationships with incident response professionals who will help make your breach response process the best it can be.

By Kroll Editorial Team

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.