Whether you are a large multinational company (such as Three Mobile and Tesco Bank who were victims in 2016) or a South West SME, cyber security breaches are a risk for all companies. Cyber-security breaches can lead to reputational damage, and for many companies, a robust cyber-security policy and record is a pre-requisite to securing important customer contracts.
Of course, putting policies and processes in place to minimise the risk of cyber-security breaches is critical. But even the most robustly protected organisations can fall victim to breach, and in those cases the early stages of dealing with security breaches can be key in minimising the impact.
We set out below some top tips to consider, if you are faced with the reality of a breach of cyber-security:
Usually the first thing to do is to stop the situation getting any worse. Typically this will involve liaising with your IT team or external IT consultants on ways to stem the problem. Do not be pressured into making a statement on the spot or feeling the need to give a detailed response to initial external enquiries. A reassuring holding statement will generally be fine. Further details about the incident are likely to be obtained over a period of time. The key is not to do anything that you will later regret.
Make sure that enquiries are directed to the relevant individual in your organisation. Regulators will look to see that you have appropriate policies in place and that they have been followed. Sanctions are likely to follow if not. You should also ensure that your response is notified to your insurers at an early stage, and that your response is coordinated with your insurers - it is important to ensure that you don't do anything in your initial reaction which could prejudice your insurance coverage.
When you become aware of a potential issue, and if it has potential to attract the attention of the press, consider putting together a draft response/press statement. If the incident attracts wider attention, you will not be given much time to consider your response. The statements you see are bland and short for good reason. It’s a rare occasion when a very detailed response would be the best option, as that will make any press coverage longer. PR consultants can be engaged to assist if a wider spread positive message needs to be given. It may also be helpful to set a social media and internet monitoring service.
It is likely that your understanding of the position will change regularly and there will be various competing interests and obligations to consider. For instance, whether the situation requires police intervention or a court injunction should be considered at various stages. Either of which may be needed urgently to achieve the best result, or may have wider consequences.
Be aware of any obligation to report incidents (and the timing of such reports) to regulatory bodies such as the Information Commissioners Office, the data subjects or your insurers. You should also check if you have cover for reputation damage and any associated PR and/or legal costs.
Incidents of data breach often relate to information revealed on or communicated via social media. When liaising with a third party host of online content, speak their language and point out breaches of their own terms. This may particularly have more sway for hosts outside of the UK.
Think very carefully before engaging with hackers and/or trolls: they are usually attention seeking and it may not be wise to engage.