How safe is your business from the threat of a cyber attack, and what measures, if any, do you have in place when worst comes to worst?
Dealing with a data breach can be daunting and confusing for a small business. It helps to know that you can prepare for this worst-case scenario. Creating a data breach management plan is a good starting point. But what does that mean? It's a document that outlines the steps you'll take when you have a data breach.
How do I create a data breach management plan? The Information Commissioner's Office is the authority that oversees all data issues in the UK. It suggests that a data breach management plan should include the following information:
1. Containment and recovery - identify who will investigate a data breach and who needs to assist in containing it, for example your IT person, who can change access codes or take down a section of your website. Can you recover any of the losses or limit the damage, for example by using a backup system to restore lost or damaged data?
2. Assessment of ongoing risk - beyond the immediate containment, you'll have to assess the potential impact of the breach on individuals: how serious and substantial the consequences could be, and how likely they are to happen. Are there risks to individuals' physical safety or reputation, of financial loss, or a combination of these and other aspects of their lives? These questions will help you determine your next steps.
3. Notification of breach - informing individuals about the breach will enable them to take steps to protect themselves, and sometimes there may be a need to inform third parties, for example the police, insurers, a governing body, banks and credit card companies. Certain organisations have to inform the Information Commissioner in the event of a breach. Further details on this can be found here: https://ico.org.uk/for-organisations/guide-to-pecr/security-of-services. Notification must be a proportionate and appropriate response: informing all 50,000 of your customer base if only 500 are affected is likely to be disproportionate.
4. Evaluation and response - evaluate the effectiveness of your response and keep your management plan up to date with any changes, for example if a responsible staff member leaves. As part of your evaluation, identify where the biggest risk lies, for example in keeping sensitive personal information, establish where your security weak points are, and address them.
If you have a plan for how to act in the event of a data breach, it takes away the stress and possible confusion that you might otherwise face.
Here's a link to the Information Commissioner's free guidance on data security management:
Last year 74% of small businesses in the UK suffered a data security breach, according to the Information Security Breaches Survey 2015 by HM Government. So if it can happen to the likes of TalkTalk and Sony Pictures (estimated losses of £60m and £24m respectively), then it could happen to your business.