Post Blog: Defending a breach

Cyber crime

How can a company successfully combat a data breach? Paul Bantick and Tracey Stretton explain.

Data breaches can severely wound a company and have become a major boardroom concern. Last year's data breach at Sony will apparently cost the company at least $5.6bn.

Investigating the incident, notifying and supporting those whose data has been compromised, and potentially paying for fines or lawsuits, can all be costly.

But the greatest loss can be to a company's reputation. There are serious consequences if personal or corporate data falls into the wrong hands, and even long-time and dedicated customers can be driven away if a breach is not handled properly.

A profitable market has grown up around the collection and resale of stolen data. It is surprisingly familiar in many regards.

The sellers are competing with one another on price, volume and quality of their products, and we've seen everything from volume discounts to special sales: ‘This week only: buy 1000 bank records and get 1000 free drivers licence records.’

The UK's Information Commissioner's Office is able to fine companies up to £500 000 for serious breaches of the Data Protection Act. These might include losing financial data that exposes an individual to identity fraud, or losing sensitive personal medical data that causes worry and anxiety.

Regulatory scrutiny of data breaches is currently intensifying in Europe, following the example set in the US.

An EU regulation, which may come into force as early as 2014, threatens draconian fines of up to 2% of worldwide turnover for firms that fail to provide timely notification to customers who suffer financial loss as a result of a data breach.

A key element in the successful response to a data breach is coordination of the range of expert services a company needs to minimise its losses and protect its reputation in the eyes of customers.

The company will need instant access to high quality forensic, legal, credit monitoring and/or identity theft protection services, and sound PR advice.

Can the media blow things out of proportion? Sure, but companies that have suffered a data breach often shoot themselves in the foot when responding.

Some try to keep the data breach a secret, acting as if they believed that hiding the truth would make it go away. Others try to get away with doing as little as possible.

Too many companies that believe they have suffered a data breach are being advised to immediately notify their customers and relevant government agencies.

Every data breach law provides a short period from a few days to several weeks during which an investigation can be carried out.

It is essential for a victim company to understand exactly what has happened and what data, if any, has actually been compromised. Failing to do so can result in a company spending millions to remediate a breach that never occurred.

When it comes to investigating a breach, the first steps involve working out whether the breach was initiated internally or externally, whether the source of the attack is identifiable and whether it is still ongoing. Containing a live intrusion to protect data is also essential.

Organisations can do a number of things to prevent incidents occurring and to mitigate risks to their business.

Data should not be stored if it's not needed for a specific, definable and real business process, and should not be kept for longer than it has value unless required to do so by law or regulation. The simple message here is: ‘They can't steal what you don't have.’

Companies should also set ‘need-to-know’ limits to determine who can access what data. Security patches should be applied rapidly, to close known security holes in your systems. Intrusion detection and prevention systems should also be used to detect and prevent data leakage.

It is also important to test your systems regularly with penetration tests that attempt to breach your security and by running vulnerability scanners to identify unpatched machines, servers that haven't undergone appropriate security hardening, and rogue wireless communications.

When it comes to a data breach, companies have a lot to lose: data, time, money, customers and credibility. The stakes are getting higher as data protection and notification laws tighten.

A data breach is not the place to learn crisis management. We're encouraging companies to develop and test data breach incident response plans so that they know, and have practised, what to do if an incident happens.

Paul Bantick is head of technology, media and business services at Beazley, and Tracey Stretton is a legal consultant at Kroll Ontrack.
