Over the past few years, the world has seen some big names across various industries suffer a data breach. It isn’t just the big companies that are targeted or suffering. Every year, tens of millions of individuals find that a breach at their bank or credit card company has potentially compromised their sensitive information. Each breach costs an average of five million dollars to resolve, so data security issues have the potential to tank your business. With so many unique and diverse risks in the areas of technology and cybercrime, it is more important than ever to formulate a strong risk management program that addresses potential liabilities before they occur.
Manage Diverse Risks
The industry you serve will have a unique set of risk factors that depend on technical circumstances, regulatory demands, and customer needs. Identifying these risk factors is the first step in reducing your susceptibility to a breach. From them, derive a plan of action that implements a rapid response protocol and plans for the contingencies that may arise from regulatory action or consumer litigation claims. You must also be able to distinguish between a legally defined breach and what constitutes an acceptable response (usually taking into account state, federal or industry expectations).
Complete a Risk and Security Assessment
The cost to complete a risk assessment each year is less than one percent of what a data breach would cost your company. This assessment will identify what data your company has, how the data is used, and how it is protected. This is the perspective you need to understand your breach risk profile. The assessment will scour your IT systems for security weaknesses and let you know of any regulatory and legal requirements you may not have covered in your existing protection processes or systems.
Create a Master Plan
Planning ahead will significantly reduce the financial, reputational and legal liabilities of data operations. Your plan should include a comprehensive assessment of the actual privacy incident as well as an appropriate breach response. It should lay out easy-to-follow steps to address the circumstances behind the breach, the type of data disclosed and how it was disclosed, any applicable regulatory concerns, and the level of potential harm to any affected individuals. This is where knowing the applicability of the term “breach” is important. Data that is found to have undergone de-duplication and been sold on the Dark Web is considered a notifiable breach, whereas a stolen laptop whose data was encrypted, and whose access key was not taken with it, may fall under a “safe harbor” exclusion. Both malicious and accidental breaches have to be factored into the plan.
Develop a Team and Continually Modify Processes
You need to have a specialized team in place long before a breach occurs. Vendor partners that can provide your company with forensic analysis services, identity and protection monitoring, call centers and mailing services need to be on retainer, so to speak, so that your notification and breach response process can start quickly. Your team should also follow any changes in technologies or regulations to make sure your company is both up to date on software and equipment and in compliance with the law. Pay special attention to BYOD and to the use of social media sites by employees.
Rely on a Forensics Investigation
If a breach is discovered, hire a neutral third party to figure out what kind of data was compromised, how it was exposed, how many people will be affected, and whether or not the data was encrypted. You need this documentation for your defensive position if you have to face a class-action lawsuit or a regulatory investigation. The report they issue will tell you whether the incident is a notifiable breach that requires your response plan to be put in motion.
Some cybersecurity experts believe it is not a question of “if” but “when” your company will face an issue with cybercrime such as a hack or a breach. The best way to reduce this risk is a strong, proactive plan that counters every area of liability identified during a thorough risk assessment audit.