You’ve been hacked. Now what?

Sept. 7, 2021
Recovery lessons from a security expert that you can put into practice

Cybercrime has increased 600% since the start of the COVID-19 pandemic. But believe it or not, the number of data breaches has actually decreased over the same time period.

Strange, right? Not really, because a data breach is only considered a data breach when it’s noticed by the victim. This means that while the number of reported breaches may have decreased, cybercriminals could still be — and most likely are — lurking in your network and gaining unauthorized access to your company’s data.

On average, attackers have access to data for 279 days before being identified. We could see a significant uptick in data breaches in H2 2021 as businesses catch on to the attackers that have been lurking in their systems.

Here’s the bottom line: The risk of a data breach is higher than ever. So, what do you do if you discover your company has been hacked?

The Cybercrime Pandemic

The global transition to remote work and the increased use of cloud-based storage have presented cybercriminals with plenty of opportunities to gain unauthorized access to data. Improperly secured data and the use of personal devices have also made it easier for attackers to deceive companies with tactics like ransomware and phishing.

Not only do these attacks put your company’s and customers’ data at risk, but data breaches are costly events. The average data breach costs $3.92 million — around $150 per lost record. Additionally, data breaches cause reputational damage that drives customers away. One study revealed that more than two-thirds of consumers lost trust in a company after a data breach.

Cybercriminals' tactics are evolving, and these attacks are essentially inevitable, making it more crucial than ever to learn and understand the steps you need to take if your business experiences a data breach. Handling an attack with precision and care can help keep your business on its feet.

How to Respond to a Data Breach

Data breaches often lead to reputational damage, financial loss and legal consequences, but it’s possible to mitigate some of the consequences and limit the damage to your business. Additionally, the more adept your response, the faster you can restore the trust with affected customers.

The Federal Trade Commission provides regulatory guidelines outlining the steps businesses need to take in the event of a breach, and all 50 states have enacted regulations relating to breach responses. While the steps you take may vary depending on the severity of the data breach and other factors, you will also need to comply with state and federal laws when faced with a data breach. With that in mind, let’s take a closer look at the steps you should take when faced with a data breach.

  • Don’t deny or turn devices off. Before we dive into what to do, let’s start with what not to do after discovering a breach: Don’t deny the breach occurred. Instead, you need to acknowledge what happened and take affected devices offline right away — but don’t turn off any devices completely until a forensic expert arrives to help. Devices carry logs that are critical for forensic experts to review and could be lost if systems are turned off.
  • Report the incident. State and federal legislation requires you to notify law enforcement of data breaches, so after taking your devices offline you need to report the incident. Your mandated response may vary based on your location and the type of data that has been compromised, but you will probably first notify local law enforcement. If the breach is complex or significant, you may be redirected to the local FBI or U.S. Secret Service.
  • Engage outside experts. In the event of a data breach, you should consider hiring a third-party forensics expert or team, ideally one certified by the PCI Security Standards Council. PCI Forensic Investigators (PFIs) can help identify the scope of the breach, including how many individuals were affected and the type of data that was compromised. Forensics experts will help you gather and analyze evidence, determine the steps you should take next, and prevent the loss of additional data. You can also consult with forensics experts to determine when it is safe to resume business. Additionally, you’ll likely want to consult with legal advisors to help navigate state and federal regulations around data breaches. While seeking third-party assistance may seem like an added cost, outside assistance can help you avoid legal consequences and mitigate future risks, saving you money in the long run.
  • Prevent further data loss. Once you convene with your team of experts, work together to secure your networks and devices to prevent further data loss. When forensic experts arrive, any affected devices should be turned on — but offline — so they can help you secure the operation. At this point, you should change access codes on devices, monitor entry points, and update credentials and passwords in your network. Additionally, you should determine whether any sensitive company information was illicitly posted online by the attackers and if so, ensure that information gets removed. Most importantly, do not destroy any evidence.
  • Address vulnerabilities in your system. One of the most crucial steps in recovery is to identify vulnerable points in your system so you can avoid future breaches. First, consider your service providers: What personal information do they have access to? Do you still want them to have access to that information? What are they doing to ensure another breach won’t happen? If your provider says they have fixed any vulnerabilities in your system, you need to verify their claims. Lastly, consider who had access to your systems at the time of the breach and if those individuals still have access.
  • Nail down a communications plan. Last but not least, you need to notify all parties affected by the breach, including customers, investors, employees, and other stakeholders. In addition to following state and federal regulations as well as card brand rules, be transparent so individuals can take the necessary steps to protect themselves. In your communications, disclose how the breach occurred, what data was stolen or exposed, how you’re mitigating the incident, how you’ll protect and support affected parties, and how to contact support resources in your organization. You can also offer services like free credit monitoring, card reissuing and credit repair to affected parties. Again, while it may seem costly upfront, offering these services can help you win back customers’ trust and salvage your reputation.

Learn From Mistakes

I’ve seen many major companies experience public card data breaches — only to repeat the entire nightmare several years later. This is often because companies don’t learn the right lesson from the breach experience. Here’s what I mean: After a breach, it’s easy for organizations to adopt a passive stance and simply respond to the instructions of lawyers, investigators, banks and regulators. While these are necessary aspects of the post-breach recovery process, companies can easily neglect the question of whether the card data is needed on-premises in the first place.

A breach doesn’t necessarily result in compromised data. If card data is devalued with encryption and tokenization, making it indecipherable to attackers, then a breach can’t result in a compromise. So, is the point of security to protect the systems or to protect the data in the systems? Of course, the answer is both. However, I think we should keep data security as the focus and devalue card data at acceptance and during transmission with point-to-point encryption (P2PE) and tokenization while stored in databases.

There have been no reported compromises of card data from merchants using PCI-validated P2PE and tokenization — a strong indicator that data devaluation should be a primary security strategy for any business that accepts payment cards.
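To make the devaluation argument of the two paragraphs above concrete, here is an added example (not Bluefin’s code, and not a PCI-validated product; the class names, the HMAC-indexed vault design and the test card numbers are assumptions for illustration). A merchant application hands each card number to a separate vault and stores only the token it gets back, so a dump of the application’s own database contains nothing a Luhn-based card-number scanner can flag; a legacy application that stores the PAN directly is shown beside it for contrast. Tokens are deliberately generated to fail the Luhn check so they can never be mistaken for, or used as, a real card number.

```python
import hashlib
import hmac
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check-digit validation used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Isolated store mapping tokens to PANs (assumed design). Only this component
    ever holds a PAN; in production it sits outside the merchant's own systems and
    encrypts its contents at rest, which this demo omits."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key          # keyed index so a repeat PAN reuses its token
        self._by_token: dict[str, str] = {}  # token -> PAN
        self._by_index: dict[str, str] = {}  # HMAC(PAN) -> token

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, raw_pan: str) -> str:
        pan = re.sub(r"\D", "", raw_pan)
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        idx = self._index(pan)
        if idx in self._by_index:
            return self._by_index[idx]
        # Format-preserving token: random digits of the same length, real last four
        # kept for receipts, and never Luhn-valid so it cannot pass as a PAN.
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment processor path should ever be allowed to call this."""
        return self._by_token[token]


class MerchantApp:
    """Hardened form: the merchant database holds tokens, never card numbers."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.orders: list[dict] = []

    def take_payment(self, raw_pan: str, amount_cents: int) -> str:
        token = self.vault.tokenize(raw_pan)
        self.orders.append({"token": token, "last4": token[-4:], "amount_cents": amount_cents})
        return token

    def dump_database(self) -> list[dict]:
        return [dict(o) for o in self.orders]


class LegacyMerchantApp:
    """'Before' form: stores the PAN itself, so a breach of this database is a compromise."""

    def __init__(self):
        self.orders: list[dict] = []

    def take_payment(self, raw_pan: str, amount_cents: int) -> None:
        pan = re.sub(r"\D", "", raw_pan)
        self.orders.append({"pan": pan, "last4": pan[-4:], "amount_cents": amount_cents})

    def dump_database(self) -> list[dict]:
        return [dict(o) for o in self.orders]


PAN_PATTERN = re.compile(r"\d{13,19}")


def find_pans(records: list[dict]) -> list[str]:
    """What a forensic reviewer would run over a dumped table: any 13-19 digit
    run that passes Luhn is treated as a live card number."""
    found = []
    for rec in records:
        for value in rec.values():
            for cand in PAN_PATTERN.findall(str(value)):
                if luhn_valid(cand):
                    found.append(cand)
    return found


if __name__ == "__main__":
    # Constructed demo using the widely published Visa test number 4111 1111 1111 1111.
    vault = TokenVault(secrets.token_bytes(32))
    app = MerchantApp(vault)
    token = app.take_payment("4111 1111 1111 1111", 1999)
    print("stored token:", token, "| PANs found in app DB:", find_pans(app.dump_database()))
    legacy = LegacyMerchantApp()
    legacy.take_payment("4111 1111 1111 1111", 1999)
    print("PANs found in legacy DB:", find_pans(legacy.dump_database()))
```

The design choice worth noting is where the boundary sits: the merchant application never needs `detokenize`, so a breach of its database (or of the application itself) yields tokens that are useless outside the vault, which is exactly the "breach without compromise" outcome the text describes. The HMAC index lets repeat customers map to a stable token without the vault storing a second plaintext copy of the card number.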

Data Breaches Are Here to Stay

Data breaches aren’t a new phenomenon, and they aren’t going away anytime soon. If anything, cybercriminals are becoming more sophisticated, making it even more important to understand data devaluation methods and the steps to take in the event of a breach. Remember: In the aftermath of a data breach, stay calm, report the incident, get help and be transparent — and if you haven’t already, consider devaluing your data.

About the Author:

Ruston Miles founded Bluefin and also serves as the company’s chief cybersecurity advisor. Ruston brings over 20 years of payment and security experience, having architected Bluefin’s payment gateway and PCI-validated point-to-point encryption (P2PE) solutions, as well as contributing to the innovation of the company’s tokenization solutions. Ruston is a national speaker on cyber and payment security topics and was featured in more than 12 publications in 2020, including Forbes, TechCrunch, ZDNet, PaymentsSource and Yahoo! Ruston is a PCI Professional (PCIP), Certified Payment Professional (CPP), Certified Internet Business Strategist (CIBS), and an active participant with the PCI Security Standards Council (SSC).
