The media is buzzing about the biggest data breach in SA. As these developments have shown, a data breach can have a severe impact on your ability to do business, and it can tank your reputation.
Have you thought about how secure your company’s data is? Or what you would do if there was a data breach?
Would you be able to keep doing business?
If you haven’t thought about it yet, don’t panic! We’ve started thinking about it on your behalf.
Here are the steps that I think you should take if you have a security breach, whether it’s physical or digital:
Before the data breach
Take the time to think about, and write down, what you should do if you have a security breach (do it now, while you don’t have one). In the heat of the moment you often won’t make good decisions, so create a policy and procedure in which you have thought about, and researched, what you should do. This is the first thing the Regulator will ask for.
But there is no point in just having a policy and procedure without making it part of your company’s way of doing business. The law (and common business sense) requires that you train your staff. You need to make sure that your staff knows how to recognise a breach, who to report it to and how to preserve evidence. Check out this policy training tool our friends at Compliance Online came up with.
Make sure your staff understand that they won’t get in trouble if there is a breach, unless they are stealing the information or if they know of a breach and they don’t report it. It is important to create an environment that fosters transparency. If they think they will get fired, they will keep quiet about the breach.
Let’s be realistic. Chances are that a breach will happen. So what then?
First, get the facts. You need to know when it happened, who was involved, how many records and people are affected, where it happened, whether the breach is over (it could still be happening), what you can do to fix it, and what other people can do to fix it.
Tell a friend
You may not be believed if it is just you (maybe YOU did it), so call someone and get them to witness it too.
Decide on who you are going to tell and when
For example, you may notify the Information Regulator immediately, but you might delay notifying your clients as the security flaw still exists and you don’t want other people to exploit it (until you have fixed it).
Don’t ignore it
No-one trusts someone who gets ‘outed’. If you know of the breach, you need to be upfront about it. Keeping it secret normally does far more reputational harm than letting everyone know as soon as you can (and waiting also increases the chances that your clients suffer more harm).
Learn from the experience. The only way of doing that is to get to the root cause of the breach. Don’t just ask what happened. Be sure to get to how and why it happened. Have a look at this analysis of the Equifax breach in America for a handy case study.
- Do a debriefing session. What could you have done better? Is there a way you should have reacted? Should it be mandatory to contact a public relations firm if this happens? Could you contact everyone in an emergency?
- Go back to your policy and change it, now that you have learnt something new. If necessary change team members and communication methods.
- Go back to your analysis of your personal information and how you secure it. Is there something you need to change?
- If you did not pick up the security breach (for example if your client told you about it) how do you avoid that in the future? What steps can you take to make sure you know about a security breach sooner?
Need more help? Get in touch!