Nowadays, data breaches are big news and increasingly common, and they can result in huge fines and irreparable damage to a brand. How an organisation deals with the breach is what really defines how big an impact it has.
According to research, 48 per cent of data security breaches at small businesses are the result of malicious intent; the rest can be attributed to system or human error.
It is a lot easier to be responsive in the event of a breach if you are fully aware of what data your organisation holds, where it is held, and who should have access to it.
What if your business suffers a security breach?
Any data breach, regardless of its cause or size, needs to be addressed immediately. The first thing that needs to happen – long before any internal investigation begins – is to establish precisely what data has been compromised and how many individuals it will affect. Knowing exactly what the situation is at an early stage will allow for all communications to be clear and concise.
There are numerous endpoint security solutions available, so if you wish to know more about which best suits your needs, consider taking a look at a specialist website such as promisec.com.
Making it public
Whilst it is important to act quickly to reassure customers and the public, it is vital that there is no misinformation; this means only making the details of the breach available once they are fully known and the implications are understood. Any public announcement should include details of what type of data has been compromised, how many people it affects, advice on preventing any identity fraud that might result, and details of how you plan to minimise the impact on your customers.
Reporting data breaches
Currently, there is no legal requirement to notify the Information Commissioner’s Office (ICO) or even the individuals affected by any data security breach. However, the General Data Protection Regulation (GDPR) that will become a part of EU law in May 2018 states that any organisation that experiences a data breach must report it to the regulator within 72 hours of the moment they become aware of it. It also states that the organisation must notify those affected if it is likely to impact their rights and/or freedoms.