In these days of GDPR, how you respond to, and learn from, a security breach is crucial, according to Paolo Sartori, managing director at TransWorldCom.
Since GDPR came into force last May, data breaches have been at the forefront of many companies’ focus. Breaching GDPR could cost a company vast sums if the appropriate actions are not taken following a breach. The fine for breaking these rules currently stands at 20 million euros or 4% of the company’s revenue, whichever is higher.
Whether carried out by a cyber-criminal distributing malware or an employee mistakenly sending out email addresses, data breaches are becoming increasingly common. What many companies are unaware of is the steps that they need to take once they have fallen victim to a breach.
Here are some recommendations that all businesses should follow should they find themselves the victim of a data breach:
What’s key when it comes to data protection is education. A business is only as strong as its weakest link and data security education needs to be at a high standard across a business. This stands true for both avoiding a breach and for addressing it. There are five important tasks that need to be completed following a data breach in order to remain compliant with GDPR legislation.
Firstly, the breach needs to be located and stopped. Just as you would trace the leak that caused a flood, when it comes to a data breach you need to find the source. This could be the fault of an employee, or a peripheral device that has been penetrated by hackers.
Secondly, the business needs to understand how the breach occurred and its scale. Due to increasingly creative cyber-attack methods, a data breach can happen in a variety of ways. Whether it is via a phishing email that has been mistakenly opened, malware that has been downloaded or a simple GDPR breach where a client’s details are mistakenly sent out, it is important to identify where and how the breach took place.
Thirdly, the business needs to notify all those who may have been affected by the breach, take advice from compliance and, where necessary, the ICO. As a company, you have a duty of care to any and all clients or employees who have been affected by a data breach. For example, if sensitive information has been sent out, whether something relatively innocent such as a list of email addresses or something more serious such as banking details, the company has a duty to notify every affected individual of what information may have been leaked.
Following this, internal security procedures need to be reviewed and the current estate needs to be audited for existing and further vulnerabilities. Without going through your data systems meticulously after a data breach, you could leave yourself open to more attacks from cyber-criminals, especially if the initial data breach attracts any publicity. Going through your network’s defences should be a routine activity for any company’s IT department; however, it becomes even more pertinent after a breach has taken place.
Finally, the company needs to change and update its processes for preparing for, controlling and recovering from future attacks. As with every aspect of business, it is vital that mistakes are learnt from. This could take the form of installing new anti-virus software and firewall security, or it could be a case of educating all employees on how to keep their data safe. In the era of frequent hacks, you can now hire professional penetration testers to test your cyber-security by attempting to penetrate your system. This may sound extreme, but it could be the difference between a safe data system and a 20 million euro fine.