An IT security breach is something no business owner wants to happen. However, with the growing number of cases of cybercrime, and the increasingly sophisticated methods being used by cyber criminals, it is unfortunately a risk for many. So, if you find your IT security has been breached, what should you do?
What is a data breach?
An IT security breach usually leads to the accidental or unlawful damage, loss or unauthorised access to data. This affects the confidentiality, integrity and availability of your business’s information. An IT security breach can be extremely damaging, and even fatal to the business.
In May 2018, GDPR (General Data Protection Regulation) came into force, mandating that all businesses must legally report certain types of personal data breach to the ICO (Information Commissioner’s Office) within 72 hours of discovering the breach. Below, we will explore what you should do next and, more importantly, who to tell if your IT security has been compromised.
What type of IT security breach has occurred?
Firstly, before panic hits, it’s important to find out the scale and extent of the breach. What data records have been involved? Have email addresses, names or financial records been compromised? How many records have been accessed, and for how long?
Using an Information Asset Register would be particularly useful at this stage. An asset register should track all categories of information and provide an owner for each one. It is a vital risk assessment tool for identifying which information assets should be protected. This is also a requirement for the IASME Governance Standard.
You may have been notified that your customers’ information has been accessed via a third-party database on another website, or you may have been the victim of phishing emails sent to your team. If this is the case, you must arrange a meeting as soon as possible to find out which members of staff opened the email, and what information was retrieved this way.
What is your next response?
Next, find out where the breach happened, how, and then isolate the areas affected as soon as you can. Have you got a data breach or security breach plan? This is something you can develop with support from your IT service partner. This ensures your business can continue to operate whilst you deal with the breach.
Who should you contact if you experience an IT security breach?
Firstly, notify your IT department or outsourced IT security partner. They can then begin the recovery work and ensure the rest of the system is sufficiently protected.
Once you have assessed the damage, you need to consider notifying the ICO (Information Commissioner’s Office) and the individuals affected. If you are unsure as to whether or not you need to report it, the ICO offers a self-assessment.
If the breach poses a risk to the rights and freedoms of people, or if it is high risk and can affect reputations or finances, or is discriminatory, then you are legally required to report it to the ICO. You must contact the ICO and explain the situation within 72 hours of first becoming aware of it. Even if you haven’t got all of the details yet, you must supply them with your response so far.
If you do not need to report to the ICO, you still need to keep a record to comply with GDPR.
What do you need to supply the ICO with?
The ICO will need a situational analysis. This covers what damage occurred, how it has affected your business and the cause of the breach. They will also want to know the quantity and type of data exposed, and the consequences for those affected. If the IT security breach was due to human error, you will also need to let the ICO know what IT training and awareness is in place at your business.
The ICO will also need to know what measures you had in place to protect your IT security before the breach, and what you have done since to limit the damage. Your data protection officer, or the person responsible, will also need to supply their contact details for future correspondence.
What about informing those affected by the breach?
It may not be necessary to notify those affected; however, you may wish to. You could issue a statement to those affected to inform them of the breach.
If a breach has occurred, you could set up a webpage or helpline to help those affected contact your business. You can also put other processes in place, such as offering subscriptions to credit monitoring services. Let those affected also know what measures you are putting in place to stop a breach from happening again. Implementing the IASME Governance Standard, which also includes Cyber Essentials, is a great place to start in protecting your data and systems.
If you would like more help and advice on IT security breaches, get in contact with SupPortal UK today.