What is a cyber breach and how does my Board need to deal with it?

Cyber breaches can damage business reputation significantly

A cyber breach (or data breach) can be a considerable risk to your business. Sometimes businesses may not be aware that they have had a breach or that it is already impacting their clients.

Learning how to identify, plan for and deal with a cyber attack is important for protecting your business. Here we share some top tips to help you manage the process.

What is a data breach?

All data breaches are designed with the same objective: to covertly gain access to as much data as possible.

Breaches normally target the personal information of your customers. Your business might collect details such as passwords, addresses and bank details in order to serve the customer, and it is this data that breaches are trying to get to.

Not all data breaches target customer information; some are aimed at leaking confidential business information or copying proprietary software or source code.

Keeping your business safe from cyber breaches means you are protecting the business in the short term from attacks and in the long term by keeping your business sustainable.

How do I identify a data breach?

As a director you are responsible for identifying potential threats, assessing where there might be risk and taking preventative steps, and understanding the potential impact.

This means you must be proactive! Make sure you know your key areas of risk, that they are on the risk register, and that you have a plan for dealing with the event should it happen.

Once you have a thorough understanding of the risks there are a number of things you can do to help in identifying a data breach:

  1. Choose third-party providers who have robust security procedures and can evidence compliance. If an organisation holds an ISO 27001 certification (the international standard for information security management), that is evidence that it runs an independently audited security management system and takes its obligations seriously.
  2. Train your staff to be aware of the impact of their actions and the risk they expose the company to by not being compliant. Mistakes happen, which is why it's called human error, but as a company you can still make sure you educate your staff.
  3. Conduct regular checks. You can set up vulnerability scans: automated tools that test your applications and systems against known weaknesses and misconfigurations. If something is not configured or running as it should, they will spot it and report the findings for you to action.

What do I do in the event of a breach?

Even with the most robust planning and preparation, breaches can still occur. If you have identified a cyber breach how you deal with it is crucial, and it is essential you act quickly.

Here we set out ten actions to take in the event of a cyber breach.


1. Identify the type of breach

If you have discovered a cyber attack you must identify whether or not it is a personal data breach. A personal data breach does not mean the attack was aimed at you personally or at your business; it means that the breach has compromised personal data.

If a breach is very low risk it may not be a notifiable event. If you are unsure, consult the ICO's guidance page 'Personal data breaches'.


2. Report to the Information Commissioner’s Office

If your attack is a personal data breach, you'll need to contact the ICO within 72 hours of becoming aware of it. The only exception is if you are confident that the breach does not pose a risk to the individuals concerned.


3. Contain the threat

From an IT perspective you will need to contain the threat, isolating or shutting down the affected network if necessary, so that the attack does not remain an ongoing issue.

4. Inform individuals involved

If there is a high risk to individuals’ ‘rights and freedoms’ you must tell them immediately.


5. Inform other organisations involved

If you work with third parties or service providers and they may have been affected, you need to notify them immediately so that they can take appropriate action within their business.


6. Restore your systems

As a business you are responsible for restoring availability and access to personal data as soon as you can.

Most websites, for example, can be 'rolled back' to an earlier version that is not compromised. If it is safe to do so, you should restore business continuity as soon as you can, but make sure the weakness that allowed the breach has also been fixed, otherwise the restored system is likely to be compromised again.


7. Contact legal services

It is prudent to seek advice from your legal services in case there is some form of liability that may arise as a result of the attack. Your legal provider will be able to advise on what regulations will apply and how to respond.

8. Check Insurance

Check your business's insurance cover to see whether the event should be notified to your insurer. It is important to do this even if you do not think you need to inform your insurer, as your cover may be invalidated if you have not followed the correct procedures.


9. Conduct an investigation

Once you have dealt with the immediate issue of securing the breach, you will want to conduct an investigation into how the breach occurred.

This helps you identify where the attack came from so you can deal with it, and enables you as a business to record the conclusions for future reference.


10. Make a record

Even if your breach was not a notifiable event, you should keep a record within the business of the event, your investigation and how you managed it. This demonstrates that, as a business, you are conducting yourself in a compliant and diligent manner, and it helps inform future planning when addressing cyber security.

