What Happens After Business Data Breaches?
As Experian starts wrapping up their cleanup from the 2017 data breach, many businesses are left wondering, “What if that happens to us?” With business data breaches increasing in frequency and the size of the impact they can have on the victims, it pays to be prepared.
A Troubling Trend
According to Statista, business data breaches have been increasing steadily since 2005. In 2005, there were 157 data breaches, with 66.9 million records exposed. This number leaped up to 781 data breaches a decade later, with 169.07 million records exposed.
These numbers represent a nearly 400% increase in frequency and a 152% increase in the number of records exposed by breaches.
Last year proved to be an exception to the rule in terms of frequency, but it had a far larger impact than any previous year. The number of breaches dropped from 1,632 in 2017 to 1,244 in 2018, yet the number of records exposed increased from 197.61 million to 446.52 million.
What does this mean for business?
Hackers are getting better at extracting more data from a single source, and it’s our job to protect customers from the consequences.
What Happens After Business Data Breaches?
After a breach has occurred, the business must act quickly to mitigate the damage. A single breach can have a domino effect if the vulnerabilities behind it are not addressed promptly: customer information that was untouched in the initial event can still be at risk.
The first step is organizing a team of experts. Cybersecurity experts, company administrators, and legal teams have to work together to ensure proper protocol is followed. Security experts can help you evaluate the severity of the breach, as well as the vulnerability that allowed the hacker to access your system. Your legal team will help you understand the laws on fines, customer notification, and public response that you are expected to follow.
Next, the business will secure its building and network. This includes taking all affected networks offline, changing passwords and access codes, and even temporarily replacing hardware with different devices. Because it can be hard to find exactly how a hacker got into your records, a comprehensive sweep of all access points, both physical and digital, must be conducted.
Once the source and severity of the breach are fully understood, businesses are responsible for notifying affected parties. This includes law enforcement, individuals, and other businesses that may have sensitive information stored in your systems. The last category is particularly relevant if you are a B2B company. Early notification of local law enforcement allows officials to begin taking protective and preventive measures for those who may be vulnerable to identity theft in the aftermath of the breach.
If a business's records include health information, there are additional steps to follow, including notifying the Federal Trade Commission. In certain cases, a company may have a legal obligation to make a public media statement.
The FTC provides a notification checklist that states:
Clearly describe what you know about the compromise. Include:
- how it happened
- what information was taken
- how the thieves have used the information (if you know)
- what actions you have taken to remedy the situation
- what actions you are taking to protect individuals, such as offering free credit monitoring services
- how to reach the relevant contacts in your organization
When It Happens to You
The best offense is a good defense.
While security breaches are always a threat, you can reduce your risk by taking reasonable precautions. In addition to training your employees on preventing information exposure through sensible security measures, you can help prevent business data breaches by working with cybersecurity experts.
Verus designs, implements and supports networks that meet the highest standards for data, firewall and connectivity security. We deploy perimeter security tools primarily from WatchGuard Technologies, Cisco and RSA.
For businesses in highly regulated industries, such as financial services and healthcare, Verus has years of experience designing networks that meet the most exacting data security compliance requirements.