Dealing with the consequences internally is only part of the job after a data security breach.
While news of a data security breach – especially one affecting a multinational company or government department – can dominate the news and social conversations for days, the effects of the breach on those whose privacy has been compromised and the organization itself can last for years.
Wise organizations are those who study the patterns of previous data security breaches and take the lessons on board. Arman Sadeghi from All Green Recycling takes us through the most important points.
Awareness of major data security breaches in other organizations should not only extend to the practices and policies that could have mitigated the risk of the breach occurring, but should also include lessons learned from the way in which the organization responded to the breach once it did occur.
Network World referred to data security as a “perpetual battle” which requires “constant incident post-mortems” and in which “neither side gets the upper hand for long.” With that in mind, we present lessons learned from some of the biggest data security breaches of all time, and how organizations of any size can take the lessons on board.
Communication is Key
Once a data breach has occurred, the organization involved has an ethical responsibility, and in most jurisdictions a legal one, to communicate the incident to the people whose privacy has been affected, whether they are customers, clients, employees, or any other group.
The 2013 Target data breach provided a harsh lesson as to the effects on a company’s reputation and ultimately their bottom line when adequate communication is not undertaken. The breach was, as Forbes described it, the “nightmare before Christmas” for the retail giant and the 70 million customers whose privacy was breached.
As bad as the data security breach was, Target made it that little bit worse by failing to communicate the incident effectively to those affected. The breach affected customers who shopped between November 27 and December 15, yet Target made no disclosure during that period.
On December 18, journalist and security blogger Brian Krebs scooped the news, and Target CEO Gregg Steinhafel issued a statement that same day, but only to say that he was “pleased with Target’s holiday performance.” In other words, there was still no mention of the data breach by Target.
It was only after investigations had been run by both American Express and the Secret Service that Target confirmed the data breach.
But the problems for Target didn’t end there. When they did communicate with their customers, they did so via an email that was suspicious-looking at best.
People are warned time and again to be alert to phishing attempts, especially when attackers impersonate a trusted brand. The standard advice is to hover over links to see where they really lead, to check the sender’s actual address rather than the display name and make sure the domain is the company’s own, and never to click a link in an email they are at all suspicious about.
Yet when Target emailed its customers, it did so from the domain target.bfi0.com. That looks like a Target subdomain, but the registrable domain is bfi0.com, an unrelated third-party mailing service, with “target” merely a label in front of it: exactly the shape a phishing domain takes. In addition, customers who dared open the email were encouraged to click a link within it to find out more about the breach.
It’s almost as if Target didn’t want their customers to know that their privacy had been compromised.
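The following is an added example, not part of the original article or anything Target published, of the check a cautious recipient performs by hand on such a notification: does the sender’s domain, and every link in the body, really sit under the brand’s own domain, or does it only carry the brand name as a label on some other domain? The sample message and the placeholder brand domain example-brand.com are constructed for the example; the registrable-domain logic is a simplification that takes the last two labels and ignores the public suffix list, so two-level suffixes such as co.uk are not handled.

```python
"""Flag a breach-notification e-mail whose sender or links are not under the brand's domain."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message. The brand is the placeholder example-brand.com;
# the sender domain only *looks* like a brand subdomain, as Target's did.
SAMPLE_EMAIL = """\
From: Example Brand News <news@example-brand.thirdparty-mailer.example>
To: customer@example.net
Subject: Important notice about your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://example-brand.thirdparty-mailer.example/notice">click here</a>
to learn more.</p>
<p>Or visit <a href="https://www.example-brand.com/security">our site</a>.</p>
</body></html>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def registrable_domain(host):
    """Last two labels of a hostname. Simplification: no public-suffix list,
    so 'shop.example.co.uk' would wrongly yield 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_brand_domain(host, brand_domains):
    """True only if host is the brand's domain or a genuine subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in brand_domains)


def lookalike(host, brand_domains):
    """True when the brand name appears as a label (brand.mailer.example)
    but the host is not actually under the brand's domain."""
    labels = host.lower().rstrip(".").split(".")
    return (not is_brand_domain(host, brand_domains)
            and any(d.split(".")[0] in labels for d in brand_domains))


def check_notification(raw_message, brand_domains):
    """Parse a raw RFC 5322 message and report sender and link findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(msg["From"])[1]          # real address, not display name
    sender_host = sender.rsplit("@", 1)[-1]
    body = msg.get_body(preferencelist=("html", "plain")).get_content()

    findings = {
        "sender": sender,
        "sender_ok": is_brand_domain(sender_host, brand_domains),
        "sender_lookalike": lookalike(sender_host, brand_domains),
        "links": [],
    }
    for href in HREF_RE.findall(body):
        parsed = urlparse(href)
        host = parsed.hostname or ""
        findings["links"].append({
            "url": href,
            "host": host,
            "ok": is_brand_domain(host, brand_domains),
            "lookalike": lookalike(host, brand_domains),
            "https": parsed.scheme == "https",
        })
    suspicious = (not findings["sender_ok"]
                  or any(not link["ok"] for link in findings["links"]))
    findings["verdict"] = "treat as suspicious" if suspicious else "sender and links match brand"
    return findings


if __name__ == "__main__":
    result = check_notification(SAMPLE_EMAIL, ["example-brand.com"])
    print("sender:", result["sender"], "ok:", result["sender_ok"],
          "lookalike:", result["sender_lookalike"])
    for link in result["links"]:
        print("link:", link["host"], "ok:", link["ok"], "https:", link["https"])
    print("verdict:", result["verdict"])
```

The sample trips the check in the same way the Target mail would have: the sender host contains the brand name but is not under the brand’s domain, so it is reported as a lookalike and the verdict is “treat as suspicious” even though one of the two links is legitimate. Run the same functions against the real case and is_brand_domain("target.bfi0.com", ["target.com"]) is False while lookalike is True.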
Clear and Enforceable Data Security Policies Are Essential
Coca-Cola’s bizarre data security breach in late 2013 – in which 55 laptops were stolen by an employee reportedly in charge of equipment disposal and later recovered under mysterious circumstances – occurred simply because the soft drink giant did not follow its own security policies, according to Tech World.
The stolen laptops included personally identifiable information of over 70,000 people, many of whom were past or present employees, as well as sensitive corporate data.
The data on the laptops was not encrypted, and the employee was able to remove the machines one at a time over a period of several years without anyone noticing, because nobody reconciled what was supposedly disposed of against what actually left the building.
The incident served as a wakeup call to organizations and companies of any size to implement and enforce ironclad data security policies.
Beware of Giving a False Sense of Security
As data breaches become more prevalent, it almost seems the norm for an organization to offer free credit monitoring to individuals affected by a data security breach.
Yet, as IT Business Edge noted, free credit monitoring can give people a false sense of security.
Credit monitoring watches a person’s credit report for new activity, such as accounts being opened or credit inquiries, but it does not watch the transactions on accounts that already exist. A customer who accepts free credit monitoring after a breach may feel more secure, yet would not be notified if an existing credit card number were used fraudulently.
Only by checking their own card statements and recent activity can customers know for sure whether their existing accounts have been abused. Those who are not aware of this may become complacent, assuming the monitoring service is all that is needed.
The Biggest Takeaway Of All
The effects of a data breach can be crippling on an organization of any size. Companies take a hit to their reputation and their bottom line at the same time, and the effects can be far-reaching, with reduced consumer confidence and increased insurance premiums just two potential long-term outcomes of a badly managed data breach.
Perhaps the biggest takeaway of all is that any organization can be a target of cybercrime or any type of malicious or inadvertent data security breaches. But just because an organization has been targeted does not mean they must become yet another data breach casualty.
Do you agree? What other takeaways should organizations have learned from the recent large-scale security breaches? Comment below, and please like and share.