[BreachExchange] Companies need to plan for handling a cybersecurity breach

[Audrey McNeil]

http://www.theglobeandmail.com/report-on-business/rob-
commentary/companies-need-to-plan-for-handling-a-cybersecurity-breach/
article34436908/

Our shift to a digital society has seen the emergence of a new kind of
crime: stealing data and attacking company networks, whether for financial
gain, to send a political message, or sometimes simply to prove a point.
Not surprisingly, this harsh reality of our digital economy has made
cybersecurity a significant priority for organizations, senior management
teams and corporate boards across Canada and the world.

The financial costs to defend against cybercrimes are not insignificant:
According to Cybersecurity Ventures, it is expected that companies will
spend $1-trillion (U.S.) cumulatively over the next five years on
cybersecurity products and services. However, spending to defend against
the crime doesn’t address the reputational damage a data breach can have on
an organization, or the longer-term revenue implications that result if in
fact a data breach occurs.

A January, 2017, Leger survey commissioned by corporate reputation
consultancy FleishmanHillard showed that nine in 10 Canadians agree that if
an organization or business were to have lost, been a victim of theft or
mistakenly shared personal information, it would lose significant trust and
credibility with Canadian consumers. Moreover, 82 per cent of Canadians say
that if this were to happen, they would take their business to a competitor.

So, while it’s true that Canadian companies are increasingly preparing for
the financial, legal and technical implications of a breach, many continue
to overlook developing a communications strategy, which is critical in the
early hours and days of a breach when it comes to protecting reputation
over the short and long term.

>From a privacy and legal perspective, requirements are about to change
significantly for companies in Canada. In the very near term, the federal
government will be rolling out regulations that implement key provisions to
the Digital Privacy Act that relate to breach reporting, notification and
record keeping. In other words, corporate Canada will be required to
communicate much more frequently with the Office of the Privacy
Commissioner on breaches, which will in turn have the right to request and
review newly required corporate security-breach logs at any time. Companies
will also be required to alert affected individuals in a timely manner
where the data breach could result in “significant harm,” as well as any
organizations, such as credit bureaus, that can help reduce risks for
individuals.

What this reinforces is that data incidents are not legal, IT or
communications problems exclusively. They affect the entire business and
require a multidisciplinary team comprising senior leadership, IT,
operations, communications, legal, HR and managers responsible for
stakeholder audiences such as investors, customers and business partners.

Ideally, the team should work together before a breach occurs to develop a
cyberresponse plan comprising a communications strategy that works in
conjunction with an IT-response plan. Collaboration avoids the one-sided
approach often seen when organizations work in silos resulting in a
disjointed, inconsistent and delayed response to issues or crises.

In thinking through threats to the business, the team should identify
organization- and industry-specific risk factors. For instance, a retailer
will tend to focus on breaches related to payments and customer
information, while a public utility will focus on an interruption of
service. Beyond the immediate impact of a breach, the team should consider
the longer-term consequences of, for example, the loss of intellectual
property, employee or customer records.

Once the risks are established, it is imperative to align how the
organization will communicate with stakeholders. Timing should take into
account IT security and forensics timeframes, as well as determining broad
thresholds for notification to the Commissioner and affected individuals.
This will reduce the need for real time decision making in an actual
crisis, as well as inappropriate responses.

Finally, ensure that your organization’s first attempt at managing a
cybersecurity crisis is not during the real thing. Practising in a
controlled setting can identify flaws and gaps in the process because what
makes sense in the plan does not always work in practise, and personalities
can change in the pressure cooker.

Just as there is no fail-safe method to preventing a cyberincident, there
is no foolproof way to managing an organization’s reputation in the midst
of one. However, recognizing the importance and value of preparation more
often than not goes a long way toward protecting the reputation that your
organization has worked long and hard to build.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170327/f7c43aac/attachment.html>