If your company doesn’t have a cybersecurity incident response plan, here are some statistics to consider from the Ponemon Institute’s 2018 Cost of a Data Breach Study:

  • Last year, 28% of companies suffered a data breach.
  • The average cost of a breach (in the U.S.) was nearly $8 million.
  • Those that contained the breach within 30 days saved more than $1 million compared to those that took longer.
  • Organizations with incident response plans save, on average, more than $340,000 per breach.

While we all work to prevent data breaches, they are an unfortunate fact of life, regardless of an organization’s size or industry. According to the Breach Level Index, 18.5 million records were lost or stolen every day during the first half of 2018. Dealing with a breach is something all companies need to be prepared for, especially those that handle financial, medical and other sensitive information.

Michael Estevez, managing director for public relations company Burson, Cohn & Wolfe, and Jennifer Rathburn, a partner with law firm Foley & Lardner LLP and co-founder of the Midwest Cybersecurity Alliance, explained the steps that organizations should take when responding to a data breach  at the 2018 BraveIT conference.

been-hacked-now-what-braveit-session-2018According to Estevez and Rathburn, every organization needs to have an incident response plan to deal with a potential data breach. The chaotic period immediately after a break-in is the worst time to start planning a strategy for handling legal issues, media relations, IT security and customer support.  A detailed plan should spell out the duties of key employees, so they aren’t caught unprepared.  

Here are 4 steps to be prepared to handle the aftermath of a data breach:

1. Recruit a cybersecurity incident response team

Data breaches impact not only IT and cybersecurity but also legal, PR, HR, and, often, finance and risk management. An incident response plan must address all their concerns, so recruit senior staff from each of these areas for an incident response team.  “It’s important to have a multi-disciplinary approach and to understand what each other’s role is,” said Rathburn.

2. Create templates for crisis communications

Communications will be a major aspect of the response. That includes social media, email and verbal communications with customers, investors, employees, journalists, law enforcement, auditors, and, possibly, local groups and politicians.  Who you will need to contact and what you’ll say will depend largely on the type and amount of data stolen, as well as your industry, said Estevez. He recommends creating communications templates specific to your organization for a few basic categories of breaches, “so you don’t grind to stop when it happens.”

3. Run “live” exercises of the incident response plan

Create a few data breach scenarios and have the team act out their roles. These exercises can be informal, conducted over a conference table, or highly realistic simulations. Estevez explained that his firm likes to run live simulations. “We have people pretending to be journalists and upset customers slamming the company on Twitter,” he said. “It develops muscle memory, so if it does occur, you’ve already practiced gone through the motions.”

4. Evaluate incident response consultants

In-house staff will struggle to take on crisis response duties on top of their regular responsibilities. Retaining outside PR, legal or cybersecurity/forensics help alleviate the in-house burden as well as provide expertise you may not have on staff. According to Ponemon’s research, 35% of organizations hire outside consultants for incident response, with forensics investigators being the most common (48%). Select your consultants before a crisis so that they’ll have time to learn your organization and discuss strategies. You don’t want to be frantically searching Google for lawyers and public relations firms the day after the breach. 

Watch the full session and more from BraveIT

Rathburn and Estevez also provided in-depth advice on what steps to take—and what to avoid—immediately after a breach is discovered. To learn more, watch their full session, Been Hacked? Now What?, from the 2018 BraveIT conference. To watch more sessions from BraveIT 2018 and register for 2019 in New York City, visit BraveIT.

Subscribe to the TierPoint blog We'll send you a link to new blog posts whenever we publish, usually once a week.