In Ireland, despite widespread visibility of data breaches and security threats, strong data protection is still often treated as an afterthought within many organizations. Recent studies have shown that more than half of Irish organizations anticipate a rise in breaches this year, yet fewer than 40% claim a comprehensive understanding of their third-party risks. Meanwhile, businesses continue to create, share, store, use and manage an ever-increasing volume of sensitive digital information, raising the stakes and expanding the attack surface.
The risks have also been exacerbated by the rapid introduction of new tools and systems to enable and support the transition to remote and hybrid working. These new elements were not always vetted thoroughly, which has made it easier for threat actors to penetrate systems and exploit sensitive information. Since the beginning of 2020 there have been several high-profile data breaches in Ireland. For example, Ireland's Health Service Executive suffered a severe ransomware attack and data breach in mid-2021, the effects of which are still being felt on numerous fronts. An Irish technology company suffered a $50m ransomware attack last year, and the number of GDPR-related complaints filed with authorities in Ireland has risen steadily over the past two years.
Moreover, the Irish Computer Society's recent National Data Protection Survey found that more than half of Irish companies had suffered a data breach in the 12 months preceding the survey. These and other examples underscore the fact that data protection concerns are not a distant threat. They are significant right here, right now, and proactively addressing and mitigating them is a business imperative.
The following tips address key phases of cybersecurity and data privacy resilience.
Preventing an Incident
Tip #1: Enlist experienced cybersecurity and data privacy professionals to conduct a comprehensive assessment
A report from FTI Consulting and the Harvard Business Review found that more than 40% of businesses admit their organization "has a false sense of security about third-party risk just because they meet basic compliance requirements." Compliance with a baseline standard is not the same as resilience against a capable attacker, so enlisting experienced cybersecurity and data privacy experts to assess the resilience and effectiveness of the organization's digital infrastructure is critical. These experts should have proven domain expertise, deep technical proficiency and experience addressing similar issues across the relevant regulations and the organization's industry.
Tip #2: Designate an internal owner and stakeholder to oversee ongoing security management
Security and privacy assessments will result in a list of improvements that need to be made. Unfortunately, organizations often stall after the assessment phase, which is why it is essential to establish an internal owner who is accountable for implementing the changes, liaising with outside advisors and managing the new program. In addition to appointing a program owner, organizations should assemble a robust incident response team made up of internal and external experts who can respond quickly if a breach or cyber attack occurs, and should rehearse that plan before it is needed.
When an Incident Occurs
Tip #3: Act quickly to lock down affected systems and activate the incident response plan
During a cyber attack, incident response teams must act as swiftly as possible to limit the spread of the compromise and the resulting exposure and disruption. Systems known to be impacted should be isolated from the rest of the organization's environment, and affected network segments should be locked down as tightly as the business can tolerate. Where possible, isolate rather than power off: cutting a compromised host's network access (or suspending a virtual machine) contains it while preserving memory, running processes and logs that investigators will need, whereas switching it off destroys that volatile evidence. Credentials that may have been exposed should be reset or revoked as part of containment.
Key stakeholders must also consult with the leadership team and outside experts so that the response is coordinated across security containment, investigation, communications and regulatory notification.
After an Incident Occurs
Tip #4: Conduct a full situation examination
Once the immediate containment is done, organizations have an obligation to investigate the matter, understand how it occurred and determine the full extent of the damage caused. Notification cannot simply wait for the investigation to finish: under the GDPR, a personal data breach must be reported to the supervisory authority (in Ireland, the Data Protection Commission) within 72 hours of the organization becoming aware of it, unless it is unlikely to result in a risk to individuals, and affected individuals must be informed without undue delay where the risk to them is high. Findings from the investigation then feed supplementary notifications, and external partners and suppliers whose data may have been exposed must also be informed. Transparency is key in these situations. Impacted third parties, customers and employees must understand the scope of the breach so that they can respond accordingly.
Tip #5: Put systems in place to reinforce and improve prevention
The aftermath of a breach is an ideal time to conduct follow-up security and privacy audits and a lessons-learned review. With the wisdom (and scars) of experience comes the opportunity to close the specific weaknesses that were exploited and to reduce the chance of being compromised the same way again. This step helps identify any remaining gaps in security systems, detection capability and procedures.
Putting proper privacy and security processes in place can be a challenge even during the best of times; doing so without the right team of experts, or in the midst of an incident, is doubly so. Prevention strategies combined with a rehearsed plan for what to do when an incident occurs will build resilience and reduce the overall business impact of a breach.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.