Are You Ready for Your Data Breach?
Chances are you didn’t get into the commerce game so you could fight fraud or spend wakeful nights worrying about how to defend your business from data breaches, which are beginning to feel inevitable.
But here you are.
Fraud, and the practice of declining orders for fear of fraud, are respectively a major cost and lost opportunity for e-commerce businesses.
And data breaches? You can barely stop shaking your head over the tremendous size of one breach before another eclipses it. ThreatMetrix recently published a report that said that the number of cyber attacks the company identified and stopped in the third quarter of 2017 was double the number it stopped in the third quarter of 2015.
And just last month, experts from credit reporting agency Experian and risk monitoring and managing company Digital Shadows got together for a webinar to provide some pointers regarding data breaches. The webinar opened with the fun fact that Digital Shadows had seen a double digit increase in breaches from the end of 2016 to the beginning of 2017 and a 150 percent increase in the number of stolen, lost or compromised records.
Data breaches are a fraudster’s friend
The trends are doubly disturbing for those worried about e-commerce fraud. Data breaches yield a huge bounty of personally identifiable information for fraudsters who use the stolen information to charge products in others’ names or to create their own fraudulent accounts.
But the most telling thing about the webinar? It wasn’t about how to prevent a data breach. It was about how to respond to a breach once it happens.
Obviously, that’s not to say there aren’t many important steps to take to minimize the possibility of a breach. But what it does imply is that there is only so much you can do, so you better be ready.
The discussion, which I’ll get to in a minute, had me thinking. Obviously, it had me thinking about how important it is to have your business ready for a breach, particularly if your a merchant that keeps credit card information or other personally identifiable information. But it also had me thinking about all the partners and vendors that also have access to the data that merchants hold.
If you’re a merchant who handles credit card transactions (in other words if you’re a merchant), you’re no doubt PCI compliant, meaning you follow the strict safeguards required by the credit card industry in the form of the PCI Security Standards Council.
Are your vendors as careful with your data as you are?
You most likely conduct employee training, regularly review your procedures and contingencies. But what about the partners and vendors you work with who have access to the data that you’re responsible for?
“I advise clients to set the same cyber security expectations for their partners as for their own company,” Michael Bruemmer, who represented Experian in the webinar, told me by e-mail after the event. “For example, if you are PCI compliant, so should be all members of your supply chain.”
Bruemmer, vice president of consumer protection for Experian Consumer Services, had just delivered a primer on what companies should do if they are victims of a data breach. He broke things down into five mistakes organizations make after a breach.
“Unfortunately these aren’t new,” he said, explaining that Experian had spotted them in the thousands of breaches they’ve been called in to help with over the years.
To paraphrase and summarize Bruemmer’s five mistakes:
1. Assembling the wrong team and or providing inadequate commitment to the problem: You need to have people with the knowledge and the authority to make decisions in the midst of a crisis. The work can’t be something that’s handled when time permits. Everyone, including bosses, must understand that managing the aftermath of a data breach is a full-time job. In fact, it can be all-consuming, particularly in the early going.
The need for response is also likely to last a lot longer than some might think. Data breach problems don’t go away quickly or easily.
2. Neglecting to have a solid governance model: The governance model must be explicit and understood and blessed by top executives. If those on the response team don’t have the resources and the authority to make big decisions, deadlines will be missed, momentum will be lost and bigger problems will arise.
3. Shoddy forensics: The forensic team handling the breach must have the skills to determine and explain how the breach happened, why it happened and who is affected. Missing on the forensics can make bad matters worse. Consider a case where the team incorrectly determines a reportable breach has occurred and prompts the sending of letters to supposedly affected consumers. The later discovery of the misdiagnosis is too late to save the company’s reputation.
4. Hiring an inexperienced breach coach: OK, by breach coach Bruemmer mostly means lawyer. He recommends that companies have legal counsel specializing in data breaches lined up well before an actual breach happens. Make sure you’re satisfied with the lawyer’s level of expertise. The same could be said for lining up a public relations crisis team. Things move very fast once a breach has occurred and is disclosed.
5. Underestimating the scope of the problem and interest in the problem: More and more companies, Bruemmer says, are realizing that they need to be ready with a global response to data breaches. If you’re a merchant, depending on the countries into which you sell, you might be legally required to make certain disclosures and take certain steps in those countries. Beyond that, breaches are not limited by geography. Do you need multilingual call centers? Do you need to arrange customer support hours in different time zones?
How to prepare for a data breach
Besides avoiding the five mistakes, Bruemmer said there are number of positive steps companies can take to be prepared to respond to a data breach. First, he recommends having a written response plan that is updated at least every six months. He cited Experian’s guide as a resource.
He suggests keeping a consistent data breach response team. No doubt members will come and go, but make sure you always have a core of veterans.
And Bruemmer says companies should run drills twice a year that simulate a full-on response to a data breach. Take the exercise seriously.
With any luck, the simulations are the closest you’ll ever get to responding to a data breach. But given the statistics and recent trends, it seems much more likely you’ll be relying on those dress rehearsals to ensure that you crush it when bad things do happen.
Photo by iStock
Contact Mike Cassidy at firstname.lastname@example.org; follow him on Twitter at @mikecassidy.