What should I do about a data breach?
GDPR came into force back in 2018 (on the 25th of May actually!). Data breaches were still ‘a thing’ before that of course, but the GDPR requirements mean that businesses need to do much better at protecting the personal data that they store about people. Of course, data breaches are still going to occur, in both small businesses and huge enterprises. If governments and massive, multi-national conglomerates can’t protect their networks 100% of the time, then of course small businesses in Sheffield and around the whole UK have a difficult job!
If you do suffer a breach of any kind, it can be a very stressful time, with a great many things to consider.
You will need to ensure that you adhere to all your legal obligations arising from the breach and investigate what data has been compromised, whilst simultaneously trying to rebuild your IT functionality, reinforce your protection, prevent any follow-up attacks and find any other infections, all whilst trying to keep your organisation afloat.
We’ve tried to address as many of these key things as possible below. By no means is this an exhaustive list, but it gives you a starting point so that it doesn’t feel quite so daunting! At the bottom of the page is a link to a more comprehensive document that will help you to track your progress with recovering from a data breach from a technical perspective.
What should I do about a data breach? Where do I start?
Where you start depends on how you came to realise that a breach had occurred. In this example, we are going to assume that you have received some sort of notification that someone has hold of your data and is possibly encrypting the data.
If the above is true, the first thing you can do is remove control from the people that are breaching your network (sometimes referred to as the “bad actors”, depending on how they have gained access) and slow down anything that is propagating on your computer systems. The simplest way that you can do this is to disconnect or turn off your internet connection and shut down your PCs, laptops and servers. Disconnecting from the network is the priority; if you have an IT team or an insurer-appointed responder on hand, ask them before powering off servers, as shutting down loses evidence held in memory that an investigator may later need. Once this step is done, it’s time to take a breath – the situation can’t get worse at this stage, at least until you turn things back on!
Does my business have a Business Continuity Plan in place? (Sometimes referred to as a Disaster Recovery Plan)
If it does, you should definitely consult this, as it will help you to understand who needs to be contacted, and in what order. It will also help you to work out who is responsible for what in the situation. This article presumes there is no plan in place. Even if you have a plan in place, feel free to read the rest of this article and compare it to your current plans – are all the points below included in your plan?
What should I do about a data breach? Assess the situation
To cover some of these points you will have to communicate with your internal IT staff or service provider. Their natural reaction will be to be heads down, concentrating on resolving the issue, so communications may not be free flowing – ask for a dedicated point of contact for regular updates and efficient transfer of information in both directions during this time. It is best to perform this assessment as quickly as possible, as there will be stakeholders to inform. It’s especially important that you are clear in your communication with everyone, and to do that, you will need to understand the following.
- Which systems are currently down or inaccessible?
- What does that mean for the business?
  - You can’t communicate with customers?
  - You can’t communicate with suppliers?
  - You can’t trade?
- What communication have you received so far from the bad actors, if any?
  - Something via email?
- Who is involved so far?
  - The IT department / team / external partner?
- Can you offer any peace of mind to calm the situation?
  - There are backups in place, and you’ve spoken to the provider to confirm they are OK (i.e. not affected)?
  - Spare equipment that hasn’t been turned on?
  - A Cyber Insurance Policy is in place?
  - There is very little personal data that the bad actor could have accessed?
Once you have a clearer picture it is time to move on to the next stage!
What’s next? Communicating Internally
The next thing you can do is to gather your thoughts and think about communicating with key INTERNAL stakeholders in your business, in particular the owners, directors and staff. Often in these situations, people remember to report UP to directors and owners, but neglect to report to staff. This can be a mistake, as your staff are the most common touchpoint for some of your most important stakeholders – your clients and suppliers.
When communicating with your internal people, you need to try to be calm, clear and factual. State what you KNOW has happened so far; don’t make any guesses, as they won’t help with the conversation or the actions that need to take place moving forwards. Try to include in your communication any pertinent information gleaned from your investigation. Staff will be looking for reassurance as well as guidance on next steps for themselves.
Include what you expect staff to say to any external parties if asked. At this point it is likely to be a simple “we are having issues with our systems, but we are working on it” but the message out will change during the recovery process and based on any further discoveries and actions – remember to keep your staff and their message updated!
It can be greatly beneficial to agree a central point of update for staff, so everyone can be on the same page. The choice may be limited by which systems are currently online, but common choices are alerts on intranet sites and Teams announcements.
Contacting external parties
Now that the key people internally are aware of the situation, it’s time to start communicating with your external parties, but this needs to be handled more carefully as your reputation could be damaged if you don’t communicate effectively.
Provided that your IT team are already aware, the first party you need to discuss the situation with is your business insurance company. You may not have Cyber Insurance in place, but that doesn’t mean they shouldn’t be made aware. Most business insurance packages will contain some form of Business Continuity insurance. It may be possible for this policy to be used against some or all of the costs associated with your recovery, so you need to hold this discussion at a very early stage. If you do have either a Cyber Insurance Policy OR Business Continuity Insurance that is relevant, your insurer will guide you through a lot of the process that’s needed to get the business back up and running, but they will need you to communicate efficiently with them and they will definitely need your IT team involved.
The insurer will also help to guide you with further communication with your customers and other stakeholders. They will also help you to decide whether you need to report the breach to the ICO (the Information Commissioner’s Office, the regulatory body for the UK when it comes to GDPR and data breaches), which is a massively important decision for the future of your business. Note that where a breach is reportable, UK GDPR requires you to notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, so this decision cannot be left until later. If your insurance provider isn’t able to help with reporting to the ICO, a good place to start investigating whether you need to do so is the ICO website, which has a specific self-assessment tool that helps you to identify whether they need to be made aware.
If the insurer isn’t able to help with your customer communications either, you should start to think about what you might say. By this point, it’s highly likely that some customers are already calling your business – what are you expecting staff to say to them? Has the message changed from your initial triage?
Your communication to customers needs to consider the following:
At this stage, do we even want to reveal that we have had a cyber attack / data breach / issue? Or would it be wiser to continue to tell them that you have an IT outage which is delaying / stopping you from providing a service at the moment? Either way, you need to make sure that ALL of your staff are aware of the company line. This is where the agreed method of central update can become very useful.
If you are going to reveal there has been a data breach, again, you need to make sure that you stick to the facts:
- Which of your systems are affected (only say the ones that are definitely affected)?
- Do these systems store any personal data about your customers?
- If so, what might that data be?
- Have you reported the incident to the ICO?
- Are there any timescales for returning either all of your services or some of them?
As you can tell from the information above, communication is the most valuable and important thing to consider when you have been hit with a Data Breach or Cyber Security Incident.
How you communicate will definitely affect whether your business is able to recover from the incident and continue to trade (many businesses don’t survive beyond six months after a major incident).
The other crucial factor is to include your partners in your thought process, to make sure you are getting the right help, at the right times.
Of course, there are tons of technical steps that need to be taken in order to recover your systems; we’ll cover some of those in future blog posts. In the meantime, we’ve put together a template document which helps you with the technical recovery steps.
How can ESP help me with a Cyber Incident?
If you are an existing customer of ESP and have an IT Support agreement with us, presuming you’ve already reported the issue to our helpdesk, you should pick up the phone to your Strategic Account Manager to discuss how we might further help you to recover the situation, both from an IT and from a business perspective. We’ve been there and worked through it all before and are well-placed to give you the right advice, at the right time. If you are not a customer of ESP, but need help with your Cyber Incident, or indeed planning to avoid Cyber Incidents, do pick up the phone and we’ll happily plan a meeting to discuss it with you.
Now you have your form from the link above – it’s time to complete it.