The impossibility to avoid the sharing of data has given rise to the concern of data breaches. Insurance companies, governments, etc. require your private data to extend their services to you, and to avoid sharing data with them would mean to live an isolated, hermetic, and even illegal life with no social support or legal status whatsoever. If privacy is your concern (there is no reason why it should not be), a more appropriate option is to be on watch and adopt safe practices while surfing the internet.
Understanding data breaches
Before we dive into the details, what is a data breach? A data breach is not always the stealing of data through sophisticated hacking techniques from organizations that you have directly entrusted your data with like retailers or the ones who have acquired it secondarily like marketing companies. A data breach occurs when your private data becomes accessible to any third party without your explicit consent. In such cases, it is not necessarily clear if anyone has stolen it.
The common assumption is that as long as there are no tell-tale signs like the opening of digital accounts in one’s name, losing money, etc. in the aftermath of a supposed breach, all is well. Unfortunately, nothing could be further from the truth. Hackers do not go on a stealing spree after acquiring the trove of user credentials. They often manage to remain under the radar for very long periods of time and act as a shadow hand meddling in your affairs for years, sometimes decades. Sounds like a horror story? It is!
Data breach for organizations
Though companies get smarter with securing information, phishers tend to be very persistent with their attacks, and while technology may not be easy to fool, most of the people are. The phenomenal rise in data leaks over the past decade bears witness to the fact that companies might not be doing enough. While it is a huge undertaking to secure a company’s networks, and it takes both time and money to erect an appropriate security infrastructure, most of the companies have not even started in the right direction. As the instances of data leaks have ramped up, and the subsequent user backlash over it has grown more severe, companies are now beginning to pay heed to the classic security doctrines. However, decades of collective inaction have resulted in a security deficit that is going to take significant time and money to make up for. Though it may be a hard pill to swallow for most, digital security is an area that demands continuous investment.
Examples of major data leaks
Following major examples of data leaks from the current year does well to communicate the widespread impact of a single data breach.
- A LinkedIn breach this year resulted in the publishing of data scraped from 500 million LinkedIn profiles on a popular hacker forum for sale
- Private data of 533 million people in 106 countries from Facebook was published on a hacking forum in April this year
Addressing a data breach
Experts lay down the following steps which should be taken by affected companies and individuals in the aftermath of a data breach.
The worst thing a company might do following a data breach is brushed it under the carpet. Communication in this event can be difficult but is also the only responsible thing to do. It involves appraising employees and engaging everyone who may prove helpful i.e. tech specialists, client service managers, PR & communication teams, forensics teams, etc. You may even want to interview to the profile press in which case it is recommended that you give a comprehensive brief on how the event took place, accept responsibility if it’s the company’s fault, lay down mitigation measures, educate people on how to brace themselves, and engage clients, industry analysts and the general public in a productive discussion to arrive at the actual cause of the problem so that it can be sincerely eliminated.
Understand the root cause
Once you communicate the event internally and externally, the next big step is to identify and understand what happened and start taking action to prevent it in the future. Forensics play a great role in this regard as they can analyze traffic and instantly determine the root cause of an event thus eliminating the need for ineffective guesswork. Effective forensics capture data, perform network recording, comb through historical traffic for anomalies and report with reasonable accuracy what might have gone wrong.
Move to a proactive security model
It is simpler than it seems. Many organizations fail to meet the most basic and standard security protocols. For example, firewalls can prevent future attacks but cannot block malware that has crept onto the endpoints within an organization. A multi-layered strategy provides the best solution against such threats. However, there is a likelihood that proactive technologies like that will cost worker productivity unless solutions like sandboxing are adopted in which web browser threats are handled at the backend whereas employees can work freely without interruption.
Research your state’s laws
You should read up on your state’s laws to ensure that your response is compliant with the relevant laws. For example, some states require notification of a breach to the victims or a government agency. You might want to check if your breach falls under the purview of any such law. If yes, notify the relevant agencies and victims accordingly.
Report ID theft and get a personalized recovery plan
If you are a victim of a data breach, report your identity theft to FTC which will customize a recovery plan for you and then walk you through it. This involves tracking your progress and pre-filling paperwork for you.
No one wants to have their private data stolen but if such an event happens, after all, one should be ready to face it. If you forget about closing the door after the horse has bolted out, and focus instead on important things listed above, you will be able to mitigate the impact and soften the blow a bit for yourself.