Insight: 72 hours to face up to a data breach

Rich Turner
- Leadership - Jun 01, 2018

By Rich Turner, VP EMEA at CyberArk

Now the GDPR has come into force, organisations are required to stand up and reveal details of a data breach within just 72 hours.

Similar legislation that passed into law in Australia in February 2018 suggests we can now expect a deluge of notifications; the Office of the Australian Information Commissioner received 31 notifications in the first three weeks.

Those at the helm of the business will be directly responsible for handling the communications around the breach in this short time frame, and they must be able to quickly offer their customers some fundamental reassurances – even if the full nature of the attack is unknown.

See also:

However, in recent months we’ve seen that facing up to intense questioning from the media and customers is a challenge for even the most accomplished CEOs, and the way they handle crises has a direct impact not just on the business but on their personal reputation. Whether they like it or not, CEOs will be the face of a data breach, and these three short days will be a career-defining moment. 

So how can business leaders stay in control when the 72-hour clock starts ticking? And how can they put themselves in the best position to assure customers they did everything in their power to protect critical data? 

1 - Be confident your company has got the basics right

To face up to intense questioning, CEOs need to know the answers to some fundamental questions. Do you have a full view of the customer data your company holds? And can you assure customers that all steps were taken to minimise the damage once an attacker made their way into the network? 

Within any organisation, having a security layer in place to protect the privileged accounts that attackers seek to compromise - in order to reach the most sensitive and critical data - will allow CEOs to immediately report they had advanced controls in place. This will keep the heart of the enterprise secure. Being able to say that hackers breached company systems but did not access critical data is a powerful message. And knowing that you have taken all measures to protect customer’s data will make it easier to have a transparent conversation about the breach that has occurred.  

2 - Battle-test your readiness

In a constantly changing threat landscape, ensuring your crisis plan is regularly reviewed and updated is critical to preventing data breaches from occurring in the first place. Live drills are a good place to start, as they allow you to periodically battle-test your readiness. Ethical hackers in the shape of Red Team exercises can also be a great way to spot inconsistencies in your security strategy before attackers get a handle on them. 

Having a documented and evaluated incident response plan demonstrates to customers and regulators that your organisation is taking responsible steps to anticipate and mitigate the risk of threats. This will be an important message to communicate in the wake of a data breach. 

3 - Have a clear response process in place

When a breach does occur CEOs will need to act fast, which means having a clear plan of action – one that should already be in place. For example, they will need to first cancel all existing meetings and set up a briefing with the CIO / CISO to understand the full extent of the attack. They will also need to schedule time with the communications team to prepare internal and external communications, as well as managing the formal process of notifying customers and the authorities. Everyone must be clear on their roles and responsibilities to avoid delay when the clock starts ticking. 

4 - Establish a direct communication route with your CISOs 

CEOs are not cyber security experts, but as the head of the company they will need to take on the role of cyber security spokesperson when a data breach does occur. This role cannot be improvised, and business leaders need to stay close to their security team to make sure they are up to date with the company’s security practices at all times. Recent breaches should already have boosted the profile and importance of the CISO to the wider business, but for organisations that haven’t got security on the boardroom agenda quite yet, GDPR and its potentially punitive financial penalties may be the tipping point.

For CEOs who will become the face of a data breach, GDPR is about more than avoiding fines. The 72 hours to report is hugely personal. By making sure they can confidently say their organisation has done everything it can to lock down sensitive customer information, and by having a clear process to follow if a breach does occur, they will not only be able to responsibly inform customers in a timely manner, but also build trust that they are trusted custodians of their data. Not knowing substantially more than is reported in the media and on social channels – and being able to lay out what happens next - will not be an option.

Like what you see! Signup for our weekly newsletter