DEATH AND TAXES are no longer the only certainty in life – there are also data breaches.
That’s according to Swiped author and CyberScout founder Adam Levin, and looking back at 2018 alone, he might just have a point.
Indeed, last year gave us data breaches at the likes of British Airways, Marriott, Quora and Ticketmaster.
And while lessons have been learned, security experts predict that this year, cyber criminals will become even more sophisticated in their work, targeting more than just payment data and going after the likes of login credentials and other sensitive information.
We’ll also see critical infrastructure and governments being targeted more frequently, something witnessed in Germany last month.
For Levin, companies should follow the ‘three Ms’ approach when it comes to data security: minimise risk, monitor and manage the damage.
For the purpose of this column, let’s look at the third M – responding to a security breach and rebuilding trust with your customers:
1. Have a plan
First and foremost, any company or organisation that handles data should have a data breach response plan in place.
Levin advised that such a plan shouldn’t be drafted after an event.
“This is a plan that should be formulated in anticipation of an event. Not that a company should be fatalistic but it should be realistic,” he said in an interview with Voxpro.
Levin noted it’s better to assume that “even if you get everything right as an organisation, there is always the possibility that someone somewhere is going to make a mistake”.
Many multinationals are guilty of “throwing a fortune” at technology and assuming they have all bases covered from a security point of view.
However, as he noted, “You can’t do a victory lap when it comes to cybersecurity because you could be secured at 9am and at 9.01am somebody could click on the wrong link and suddenly you are off to the races.”
2. Consider your initial response
The first part of maintaining or regaining the trust of your customers following a data breach starts with your initial response, which can be broken down into three stages: the organisation must respond urgently, transparently and empathetically.
First of all, responding urgently requires a company to call in its breach response team, which will attempt to understand the scale and nature of the breach and assess how best to respond.
This should be a team of people that includes members of the IT department, the information security department, legal and human resources.
It’s recommended that companies consider having a relationship with an outside vendor that understands the laws, not only in one jurisdiction, but in several regions across the globe where customers might be impacted.
“Instead of trying to reinvent the wheel, it’s good to already have the car. And the car is a third-party expert who can get you through this,” Levin said.
3. Set the narrative
One of the major failures of companies at the centre of a data breach in the past has been their attempt to cover it up. Levin provided Voxpro with some case studies.
For example, one company decided to notify only the victims and not to disclose the data breach to the media. But one of its affected customers turned out to be a reporter for a major newspaper, which meant the story took much longer to go away than if the company had been more transparent.
Another company was more upfront about its security problem, which meant it had more control over the narrative, and the story went away in less than a week.
That said, it’s important to remember that you shouldn’t make public announcements until you understand what went wrong and have a good idea of how many people may have been affected.
Companies that make this error are generally the ones that fail to understand how much data they possess at any given time and where that data resides. Hence, the importance of data mapping.
4. Regain trust
Levin says the key to regaining the trust of your customers is to make them aware that you are in control of the situation, to be transparent and to let them know that you are there to support them.
As well as putting extra protections in place, he suggests that companies make products and services available to customers to help them get through the security breach.
“It’s not just a case of us giving you a list (of how your data has been compromised) and saying, ‘Goodnight and good luck.’ It’s letting them know that we have trained professionals who are standing by and if you have any issue you can call them with a question, you can indicate an issue you had and they will help you get through it.”
Voxpro found itself on the frontline of one such battle last year when it helped a partner company regain the trust of its customers following a data breach involving the leaked information of millions of people worldwide.
To provide enough customer and tech support, Voxpro developed a special one-day training programme for new agents that was designed to deal specifically with the data breach.
During the first week, the team handled 12,000 cases, followed by 13,500 in the second week and 11,500 in the third, before gradually returning to normal levels of around 8,000 per week.
Joseph O’Connor is content editor at Voxpro, which is part of TELUS International.