How organizations should handle data breaches

How an organization handles a breach can be just as critical as protecting against one, according to Security.org.

Hackers and cybercriminals rely on the failure of consumers and companies alike to properly protect themselves. Weak passwords, vulnerabilities in software and systems, and exposed sensitive information can all give an attacker a way to compromise your accounts and data. Survey results from security advice site Security.org reveal how consumers put themselves at risk, while advice from CMO Ryan McGonagill explains what companies can do in the event of a breach.


To look specifically at how people access their money online, Security.org surveyed more than 1,000 people who use financial services on the internet. Among the respondents, 46% said they use the same passwords for some or all of their online accounts (including banking and social media). Further, 25% admitted that they never change their online banking passwords.

Conducting financial transactions over a public Wi-Fi hotspot is a bad idea as they're usually less secure than private, password-protected networks. Yet, some 25% of those polled said they've accessed their bank accounts on a public Wi-Fi network. Another 28% said they use their credit or debit cards on public Wi-Fi. Among those respondents who access private information on public networks, 38% said they didn't use antivirus software, while 71% said they didn't use a VPN.

A failure to use proper security or proper judgement can expose consumers to a data breach. Around 25% of the people who said they'd been exposed to a breach admitted to saving credit card information on their personal devices. Further, 29% said they've accessed their bank accounts from a device that wasn't their own.

"As a consumer, it can be hard to avoid massive data breaches and hacking attempts against corporations holding your personal information," Security.org said in its survey report. "2018 was the second-most active year for data breaches globally, yet many Americans could be making it worse by not properly protecting their bank account information. As we found, many people didn't change their passwords regularly, and many reused the same passwords for a variety of accounts. Even among people who had been exposed to data breaches, many exhibited risky behavior regarding public Wi-Fi networks and storing their credit card information on their devices."


Consumers can better protect themselves by using secure and different passwords, possibly with help from a password manager. They can avoid conducting financial business on public Wi-Fi networks. And they can use the right security software and VPNs to better protect themselves.

But organizations that fail to adequately protect themselves are also vulnerable to data breaches. In such cases, the question is not necessarily if but when a breach will occur. And how an organization handles a breach can be just as critical as protecting against one. To help organizations better respond to data breaches, Ryan McGonagill, CMO for Security.org, offers the following advice:

"In the event of a data breach, it's important not to panic, to assemble a team, and to formulate a calculated approach," McGonagill said. "Depending on the size of the company and nature of the data breach, this may require involving a data forensics team, legal counsel, HR, communications, investor and public relations, and so on."

Prevention tips

  • Take a three-pronged approach. The FTC advises businesses to take a three-pronged approach in responding to data breaches. The objectives are to: 1) secure the company's systems, 2) fix the vulnerabilities that may have caused the breach in order to prevent further attacks, and 3) notify the appropriate parties.
  • Secure physical areas. Once a forensic team has been assembled, companies ought to secure the physical areas that may be related to the breach and change access codes, followed by removing any potentially affected equipment.
  • Review your website. If the data breach involves improperly published personal information, companies will need to review their own website and other websites for any compromising data and have it removed immediately.
  • Interview the right people. In conducting an internal investigation, companies need to take care to interview the people who discovered the breach and make sure staff know where they can provide information that may aid the investigation.
  • Work with forensic experts. To fix the company's vulnerabilities, it's crucial to work with forensic experts to ensure proper network segmentation, learn the scope of who is impacted, and follow their recommendations for addressing vulnerabilities.
  • Create the right plan. Finally, companies need to formulate a comprehensive and responsible communications plan for all affected parties, including law enforcement, other affected businesses, and individuals - such as the company's employees, investors, partners, etc.

"Once a data breach has occurred, the best course of action is clearly addressing how it happened, how it's being remedied, and what those affected can do to protect themselves from potential damages," McGonagill said.
