How NOT to handle a data breach
Of the high-profile data breaches that have taken place over the last 12 months, Equifax may take the cake for dropping the ball. Critics have been harsh, and perhaps rightly so. To some, it seems as though the American credit bureau did everything wrong – from the six-week wait to go public to the fact that three executives sold off millions of dollars' worth of shares in the days following the attack.
There is a silver lining though – the breach was so poorly handled that the rest of us have been able to watch and learn. So what did we learn?
1. Speed is everything
When a cybersecurity breach like this happens, you need to be across it immediately. That said, there is some sense in taking a short period of time to take stock of the damage, repair what you can and get some clarity around the initial attack.
Supposedly this is what Equifax was doing all that time, and to be fair, for an incident of this size the period of taking stock may have been quite lengthy. The flipside of this is that leaving it too long can expose your data to further harm, and violate laws that require timely notification to parties likely to be harmed. The Office of the Australian Information Commissioner (OAIC) is putting a set of guidelines into place for breach notifications. These will become mandatory in February 2018 and will affect all businesses with the need to keep information secure.
2. Transparency is paramount
Following the breach going public, Equifax attempted damage control by setting up a website where you could enter details and find out whether your personal information was still secure. Unfortunately, the service didn't work. Whatever the intention behind this move was, it ultimately drove the wedge between Equifax and the public even further. No answers were given either way, and consumers were left wondering if they had been exposed or not – the same issue they faced before the attempted damage control.
People have a right to know if their information has been accessed. If you find yourself facing a data breach, half-measures and empty promises will not help you. You need to be upfront.
3. A solution shouldn't dig you a deeper hole
In the wake of the attacks, Equifax made an offer to the American public to provide free credit monitoring services. This service would monitor credit reports for signs of fraud, and would typically be an excellent service to have if you were concerned that faceless cyber criminals had your financial information.
The issue was, the service was directed at those who were directly affected, and the process for signing up to this service required that customers sign a waiver preventing them from taking legal action. This was a move by the company to protect itself disguised as a solution for those with concerns about their information. Needless to say, this "solution" enraged the public even further.
While you will need to take responsibility for a data breach if it happens to your business, your first priority should be protecting those who are vulnerable.
How can you avoid making these mistakes?
We've said it before, and we'll say it again: Prevention is the best medicine. While the Equifax hack supposedly happened over a period of five months, it was too late to do anything by the time it had been caught. With a managed security service, your sensitive data will be watched around the clock and breaches can be dealt with as soon as they appear. Further, a managed security provider can help you put into place a compliant response plan, to ensure that even if the worst happens, you'll come out of it looking a lot better than Equifax.
For more information about how LOOKUP.COM can keep cyber criminals out of your business, get in touch with us today.