BreachExchange mailing list archives

Best practices for reducing the cost of a data breach

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 4 Nov 2013 23:50:35 -0700

http://www.securityinfowatch.com/article/11219010/steps-organizations-can-take-to-reduce-the-cost-of-a-data-breach

There are two cost elements to consider when it comes to data breaches: the
upfront investment to prevent a data breach including technologies, staff
time, and other resources and post-breach management when a data breach
does occur. The latter is the key in possibly saving your company from
significant financial losses.

Because frankly, a data breach will occur at some point to companies both
large and small. In fact, any organization can be a target, with the
financial, healthcare and government sectors most notably being hit hardest.
Major breaches can affect thousands to millions of people, which can
translate into thousands to millions of dollars lost for your company if the
incident is not handled properly.

Where to Start

A recent Ponemon Institute report shows that organizations can greatly
reduce the cost of a data breach by having a strong IT security posture, a
chief information security officer (CISO) and an incident response plan.

Unfortunately, many companies are not as cyber secure as they should be.
The study, “Is Your Company Ready for a Big Data Breach?,” showed that
organizations are not employing essential procedures such as requiring
mobile devices to be tested for security prior to connecting to networks or
enterprise systems, improving access and authentication practices to make
sure that only the appropriate employees and contractors have access to their
information systems, and encrypting sensitive or confidential personal and
business information stored on computers, among other protocols.

Besides the technology side of it, a company should assess its personnel
and establish a role at the level of a CISO, as well as appropriate support
staff. According to the same study, only 29 percent of respondents say
their organization has a department or function designated to manage data
breach incidents, and of the respondents who do, only 32 percent employ a
CISO.

Lastly, having an incident response plan is crucial. A plan can help you
act quickly if a data breach occurs, and acting quickly can help to prevent
further data loss, significant fines and costly customer backlash. The plan
should include identifying who the incident response team lead and the
members of the team are, what their roles would be in the wake of a
cyberattack, and which outside partners should be contacted, among other
steps. For a useful tool to get started on your plan, download a free Data
Breach Resolution Response Guide.

Key Financial Factors

There are elements of a data breach response plan that, if not executed
properly, will directly affect your bottom line. These factors include
navigating the legal landscape and communicating with affected parties and
the media, which can make or break your reputation. The study, “Reputation
Impact of a Data Breach,” shows reputation is noted as one of an
organization’s most important and valuable assets. The value of that
reputation, based on an estimate among nearly 850 executives surveyed, was
determined to be an average of $1.5 billion. With these elements in mind,
the following are additional key tips to mitigate the financial impact of a
data breach:

Engage outside counsel – Enlisting an outside attorney is highly
recommended. No single federal law or regulation governs the security of
all types of sensitive personal information. As a result, determining which
federal law, regulation or guidance is applicable depends, in part, on the
entity or sector that collected the information and the type of information
collected and regulated. Unless internal resources are knowledgeable about
all current laws and legislation, it is best to engage legal counsel with
expertise in data breaches to help navigate this challenging landscape and
avoid regulatory fines and potential class-action lawsuits.

Communicate to customers – Companies should put customers at the center of
decision making following a data breach. This focus means quick and clear
communication about the breach and providing some sort of remedy, including
call centers where consumers can voice their concerns and credit monitoring
if financial, health or other highly sensitive information is lost. A
Carnegie Mellon study, “Empirical Analysis of Data Breach Litigation,”
found that providing credit monitoring to victims after a data breach makes
a company’s risk of being sued six times lower than if it does nothing –
even in cases when a victim has suffered financial harm as a result of the
breach. If you satisfy your customers, they will likely not take their
business elsewhere.

Consider cyber insurance – With the increasing cost and volume of data
breaches, cyber security is quickly moving from being considered by
business leaders as a purely technical issue to being seen as a larger
business risk. Cyber insurance coverage can include forensic investigation,
outside consultants and business interruption coverage that allows a company
to receive reimbursement for expenses incurred due to loss of business if a
data breach incident prevents the company from operating. It also helps a
company become better prepared overall. According to a Ponemon Institute
study, “Managing Cyber Security as a Business Risk: Cyber Insurance in the
Digital Age,” 62 percent of respondents surveyed believe the insurance has
made their company better prepared to deal with security threats.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/