Many businesses have heard the message and have taken steps to beef up their policies and procedures to prevent a breach.
But many are not as prepared as they think when it comes to having a plan of action if, in spite of their best efforts, a breach does occur.
Although data security has been a problem for some time, not enough businesses have developed a response plan, and they remain vulnerable.
Verizon's Data Breach Investigations Report for 2010, released in April, showed that small companies are increasingly at risk. A Verizon expert told CNET that the bad guys are exploiting people who haven't taken basic security considerations into account in the operation of their business.
Meanwhile, big breaches are still happening. A major incident made headlines in early April after a hacker gained entry into online marketer Epsilon's email system, stealing the names and email addresses of customers of a number of large corporate clients.
Data breaches are unpredictable and potentially costly. As with other kinds of disasters, companies should hope for the best and prepare for the worst.
Part of that preparation includes an incident response team made up of people who are trained and ready to handle an event if it happens, said Brian Lapidus, chief operating officer of fraud solutions for Kroll. In one case, he said, a client had no plan and literally had to have nurses answering phones, which compromised the organization's ability to handle the normal flow of business.
Businesses also will need a team of experts to help them deal with the legal and regulatory implications of cybersecurity.
The time to interview and hire advisers is before a breach takes place. Companies that have suffered a breach need to take immediate action, said Beth Diamond, the claims focus group leader for technology, media and business services with specialist insurer Beazley.
"You want the trail to be blazing hot," she said. "You want to know they are prepared and are able to respond that day or the next day."
A forensics team is critical because it will be able to determine how the breach happened and how many people were affected. This can have a significant impact on notification costs.
In one case, Lapidus got on a plane in Nashville to head to the site of the incident in California thinking that the breach involved 1.5 million people. "By the time I landed, the forensics team had proven that only 50,000 people's records had been compromised."
Companies will also need good legal representation. Some attorneys market themselves well but don't really know what they are doing. "We always want to see our insureds working with attorneys who are experts, who don't have to research the law, they know it," Diamond said.
To find experts in this area, she said executives should seek recommendations from their insurer, their peers and other risk managers. Attorneys who have been speakers on the subject at conferences are also a consideration, she said.
Finally, a plan is not much good if it's not tested once in a while. Make sure it works and that the names and numbers of crucial security and mitigation contacts are kept up to date.
Companies that have a breach response plan in place will be in a better position to defend themselves in court and with regulators and minimize notification costs.
PATRICIA VOWINKEL has worked for national media outlets for more than 20 years.
June 1, 2011
Copyright © 2011 LRP Publications