Breaches in cyber security can cause considerable financial and reputational damage to organisations of any size and in any industry. Attackers aim to gain unauthorised access to your networks in order to steal or damage the data they find there. From there, they can sell it on the ever-growing cybercrime 'black market' to profit from the valuable information.
The cybercrime scene has earned a formidable reputation, with profits now exceeding those of the illegal drugs trade. This tempting outcome, combined with the growing accessibility brought by online 'how-to' guides, means that the dark web can attract as many as 80,000 users at the same time, highlighting that it isn't a case of if a hacker will target you, but a question of when.
This isn't meant to scare you, but to stress the importance of having an effective protocol in place should a breach occur. By acting fast and efficiently, you not only reduce the impact a breach has on your organisation, but also comply with the regulations brought in by the GDPR in 2018 and avoid hefty fines that could make or break your business.
The Effects of a Data Breach
Data breaches can happen daily to any business, and with our dependence on technology growing, they aren't set to fade any time soon. One recent example was Edmodo, the popular learning site used by schools up and down the country.
The breach occurred in May 2017, when it was revealed that 77 million user account details had been stolen and sold on the dark web. Believed to be the largest breach of children's data ever recorded, it exposed the usernames and email addresses of both children and their teachers. The site became aware of the breach on 10th May and notified users 2 days later, showing how timing is everything in these sorts of situations.
The EU's GDPR and the UK's third-generation Data Protection Act 2018 (DPA 2018) both aim to modernise data protection law by recognising the increased need for strong levels of cyber security in the face of a growing crime field.
GDPR stipulates that all parties involved must take the necessary measures to protect against unlawful and unauthorised data processing, one prominent example being data breaches. Organisations that process their data digitally, which more and more companies do nowadays, have to carry out risk assessments to evaluate and mitigate the risk of a cyber security breach. Examples of the measures they are expected to take include encryption (converting data into a form that cannot be read without the key), cyber security training so that all employees know what to look out for and how to respond, and up-to-date antivirus software; above all, an effective protocol should be on standby so that everyone knows what to do if a breach occurs. By doing so, the company is more likely to limit the impact of a breach, whether financial or reputational.
The regulation distinguishes two parties: controllers and processors. Controllers deal directly with customers (a high-street service, for example), and processors are external IT companies hired by controllers to handle the data first hand. The controller has to make sure the processors comply with data protection laws by receiving up-to-date records from them.
If a processor fails to comply with the GDPR, it must let its controller know straight away so that a strong line of communication is maintained on both sides. The controller is then up against a 72-hour limit to let the supervisory authority know what is going on. In doing so, the problem can be dealt with quickly and efficiently to limit the damage done, as well as to avoid the potential fines you could receive.
Efficient Breach Protocol
The regulations require that the organisation notifies the authorities within the 72-hour deadline, supplying the following information:
- The nature of the breach – What has been lost, how much has been lost and where it has been lost from
- A contact point – Pass on the contact details of the data protection officer so that the authorities can maintain a strong connection with you
- Consequences – What the likely result of the breach could be
- What happens next – How you intend to address the breach to limit its effects
Once this is done, the customers need to be informed if the breach is "likely to result in a high risk to their rights and freedoms". By tackling the problem and contacting the authorities, you are dealing with it well, but by also keeping your customers in the loop, you are going the extra mile in facing it.
Notifying the customer should involve:
- Providing a contact point, most likely the data protection officer, should they want more information
- Explaining how the breach could affect them personally
- Explaining how you are planning to deal with the breach
As you can see, an effective protocol is all about communication. By gathering all of the information needed as fast as possible, and contacting the right people about it within the time limit, you are not only following the regulations to avoid fines, but dealing with the problem head on so as to reduce the impact it has on the company in the long term.