“There are only two types of companies: those that have been hacked, and those that will be.” – Robert Mueller, FBI Director, 2001-2013
A hacker attack takes place at least every 39 seconds, according to a study by the University of Maryland. The root cause of approximately 95% of these data breaches is human error, and many of them have an internal origin. Any activity involving human intervention carries the risk of human error. At the same time, increased reliance on cloud storage leaves a company vulnerable to external attacks. The unmistakable truth is that a data breach can happen to any organization, at any time.
From the individual’s perspective, a breach of, for example, medical history or other sensitive personal information may lead to irreversible social and financial consequences that cannot be remedied. In certain situations a breach of personal information can even be life-threatening, for example when it makes it possible to locate or identify persons in a witness protection program. The consequences of a data breach can also include an individual’s reduced trust towards institutions, a feeling of lost control over one’s personal information, or a feeling of resentment.
In the worst-case scenario, a serious personal data breach or compliance violation may threaten the existence of an organization, from both a financial and a customer-relations standpoint. In fact, according to a National Cyber Security Alliance study, 60 percent of small and mid-sized businesses that are hacked go out of business within six months. This reality hit home for a Finnish psychotherapy center called Vastaamo, whose recent data breach exposed sensitive patient data and eventually pushed the company into bankruptcy. The impact of this breach was compounded by the fact that individuals’ personal lives were adversely affected.
A data breach is a risk that every organization should take seriously. Downplaying the likelihood and seriousness of a data breach serves no one. This stark reality should heighten awareness and elevate the importance of preparedness. So, challenging as a data breach situation may be, it is important to understand and work thoughtfully through the four phases of data breach management, which are:
Prevention of data breaches involves assessing what kind of information your organization holds, identifying risks and weaknesses in the protection of personal data, and training your employees to be aware of the privacy risks related to their work tasks. Since a personal data breach cannot be fully avoided, it is recommended to build preparedness for such crisis situations. Containing the breach involves implementing measures to immediately stop the leak, threat or attack. The assessment phase involves establishing the facts: what exactly has happened, what information was compromised, and what the risk is to the individuals affected. Depending on the estimated risk to the individuals, the relevant supervisory authority and the data subjects must be notified.
What else can an organization do to avoid data breaches? It is advisable to record smaller incidents and near misses and to analyse them regularly in order to detect possible vulnerabilities and systematic errors. Incidents that have taken place at other organizations should also be treated as learning opportunities. Findings from internal and external incidents should feed into the organization’s risk management procedures so that the risks relevant to the organization are identified, assessed and mitigated.
Preparing for a data breach situation through simulations, tabletop exercises or drills is a way of practising efficient and correct operational handling of data breaches. Based on our experience at Privaon, these exercises give confidence to the key persons taking part in the incident handling, help them memorize the protocol and ensure that the organization is able to respond with the required speed when the situation demands it. Practical training also raises the organization’s awareness of data protection risks, in other words of what can actually happen, and therefore helps to avoid unwanted events.
In the upcoming Privaon webinar Data Breaches: From Panic to Promise, we look at these four phases, offering a guide through the actions to take when the crisis hits your organization, including:
The webinar will focus on the powerful, proactive combination of concrete training, coupled with conceptual awareness.