- Step One: Find Out What’s Been Affected And How Much Data Has Been Accessed
- Step Two: Try To Identify How The Breach Happened And Who Was Responsible
- Step Three: Notify The Relevant Authorities
- Step Four: Determine Whether You Need To Notify Your Customers/Clients
- Step Five: Revisit Your Security Systems
- Step Six: Retrain All Staff On Security Best Practices
You can implement the best security systems and ensure you’re completely GDPR compliant, but sadly that doesn’t mean you’re completely protected from a data breach. Cybercriminals are very clever and they’re always finding new ways to hack into systems. Falling victim to a breach is extremely inconvenient for any business, of any size, and dealing with the problem as quickly and effectively as possible is the key.
Hopefully you have a process in place for reporting security breaches, particularly as GDPR states that you must report any security breach to the correct authorities within 72 hours of becoming aware of the problem. That said, even with a strong system in place it can feel very daunting should you actually face a breach. So, whether you’ve already been affected by a hacker or you just want to feel more prepared should the situation ever arise, here are the six steps you need to follow when dealing with a data breach in your company.
Step One: Find Out What’s Been Affected And How Much Data Has Been Accessed
Your first step needs to be analysing the situation to see what’s actually happened. You’ll need to look at how many files have been corrupted or stolen and try to gain some sense of how big the cyberattack was. This will give you a better indication of how you need to react and whether or not you’re going to have to notify your customers, clients or vendors.
Step Two: Try To Identify How The Breach Happened And Who Was Responsible
Once you’re aware of a data breach you need to try and identify how it was made possible and who was involved. This is so you can put measures in place to stop the breach from escalating any further. Unfortunately, there are a number of ways that cybercriminals can get into your systems and this can make it tricky to find the cause. A lot of the time it’s down to human error, so it’s a good idea to speak to staff and see if anyone has received suspicious phishing emails or has shared their password with someone they don’t know. Also look into your suppliers and vendors to check whether the hacker originally gained access through their systems rather than your own.
Speaking to staff and checking through your systems for any unusual behaviour is an important step. This should help you to find the source of the attack so you can act quickly and stop any more data being seized. You might not be able to work out exactly who is responsible right away – and that’s OK – but the important thing for now is to stop the attack from getting any worse. You can investigate in more detail once the situation has been rectified.
Step Three: Notify The Relevant Authorities
Once you’ve got a handle on the situation and you’re beginning to put things right, you need to notify the Information Commissioner’s Office (ICO). Under GDPR guidelines you have 72 hours to report a breach to the correct authorities, otherwise you could face a fine, so you need to make sure you’ve got the systems in place to ensure this happens quickly. You’ll need to supply the ICO with as much information as you possibly can, including everything you’ve done up to that point to investigate and stop the breach. If you have appointed a Data Protection Officer (DPO) within your company, you should also provide the ICO with the contact details of your DPO.
Step Four: Determine Whether You Need To Notify Your Customers/Clients
If you’ve caught the breach in time you may not need to notify individuals about their data. However, if the sensitive information of your customers, clients or vendors has been tampered with or accessed, then you will have to let them know. You could send out an email or letter to everyone that’s been affected. Just be sure to put some thought into what you write; after all, no one wants to hear that their data was hacked. Explain what happened as best you can, and then the measures you’ve put in place to rectify the situation. Aim to reassure these individuals that their data is now safe, otherwise you risk deletion requests and losing out on customers or clients.
Step Five: Revisit Your Security Systems
Once the dust has settled, you’ve investigated the cybercriminals involved and reported the breach, you and your team need to begin re-evaluating your security systems. Look at how the hackers got into your systems and begin there. You might need to update any older software or invest in some completely new systems to help keep your data safe in the future. While a data breach is hugely inconvenient, now that it’s over you should look at this as an opportunity to boost your security frameworks and avoid anything like this happening again in the future.
You might also wish to update your password process at this stage. Implementing a strong password policy can help to keep your systems safer. Encourage your teams to update their passwords regularly and ensure that these are at least eight characters long, using a mixture of upper-case letters, lower case letters, numbers and symbols.
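A small checker for the password policy described above (at least eight characters, with upper-case, lower-case, digits and symbols), plus a rotation check. This is an added example, not code from the article; the 90-day rotation interval is an assumption, since the article only says "regularly".

```python
import re
from datetime import date, timedelta

# Policy as stated in the article: at least eight characters, mixing
# upper-case letters, lower-case letters, numbers and symbols.
MIN_LENGTH = 8

# Assumed rotation interval (the article says "regularly" without a number).
MAX_PASSWORD_AGE_DAYS = 90

# Each rule is (name, predicate). A "symbol" is any non-alphanumeric character.
RULES = [
    ("min_length", lambda pw: len(pw) >= MIN_LENGTH),
    ("uppercase", lambda pw: re.search(r"[A-Z]", pw) is not None),
    ("lowercase", lambda pw: re.search(r"[a-z]", pw) is not None),
    ("digit", lambda pw: re.search(r"[0-9]", pw) is not None),
    ("symbol", lambda pw: re.search(r"[^A-Za-z0-9]", pw) is not None),
]


def failed_rules(password: str) -> list:
    """Return the names of the policy rules that the password does not satisfy."""
    return [name for name, check in RULES if not check(password)]


def is_compliant(password: str) -> bool:
    """True when the password satisfies every rule in the policy."""
    return not failed_rules(password)


def needs_rotation(last_changed: date, today: date,
                   max_age_days: int = MAX_PASSWORD_AGE_DAYS) -> bool:
    """True when the password is older than the assumed rotation interval."""
    return (today - last_changed) > timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed sample candidates, showing which rules each one fails.
    for candidate in ["Summer2024", "correct-horse-battery-staple", "Tr0ub4dor&3"]:
        print(candidate, failed_rules(candidate) or "OK")
    print("rotation due:", needs_rotation(date(2024, 1, 1), date(2024, 6, 1)))
```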
Step Six: Retrain All Staff On Security Best Practices
Finally, one of the most important aspects of security and remaining GDPR compliant is ensuring that your team are knowledgeable about data protection and security. As previously stated, lots of cyberattacks happen as a result of human error, but the likelihood of this happening can be reduced if you offer data protection training to all your staff. No matter what level they’re at or which department they work in, every individual member of staff can do their bit to keep your data safe. So, decide whether you want to run in-house training sessions, enrol employees on an online course or have your teams go to third-party providers to get clued up on data protection.