We talk a lot about how to protect ourselves from cyber attacks, and we see a lot of data breaches in the media each week, but what actually happens if you suffer a data breach yourself? Steve Dymond has been through this first hand, and he can tell you it’s not something you should put on your bucket list.
I’m based in Australia and we have some fairly strict privacy laws, but NZ is updating their laws this December to something quite similar, so the experiences will be much the same. The first thing that will probably happen in a business is that someone will spot something unusual, or perhaps an IT vendor picks up an irregularity, or everyone walks into work and finds they can’t access anything because it’s been locked or encrypted and a nice ransom note has been left behind.
Ransomware was a big deal for a while, then seemed to fade away, but it’s back with a vengeance. Instead of simply encrypting files straight away, hackers are infiltrating networks and finding the backups, then encrypting those first. So, when the IT department says ‘don’t worry everyone, we’ve got backups!’ they are, of course, in for a real surprise when they go to restore their files. This is probably why so many ransoms are being paid at the moment.
Once you know you’ve had a data breach, the first step is trying to stop the attack, or prevent further damage. This depends on what’s occurred – if someone’s emails have been compromised, it should be easy enough to change passwords and log anyone out of that account. If, however, all your files have been encrypted, you’re in a world of pain.
The first step was the easy bit. The long hours are still ahead of you. Now you have to find out the extent of the breach: work out exactly which clients might have had their data exposed to the hackers, and then exactly what kind of data might have been exposed. If someone has my name and email, I’d call that an inconvenience. If they have my date of birth, address and a copy of my driver’s licence, that’s a problem. You’ll need to trawl through all your records to identify this for each client.
Some data breaches have to be reported to the authorities – there’s a checklist to determine if that’s the case or not, typically including whether or not there is a chance of ‘serious harm’ to any of your clients. Preparing this submission will take you a few days.
Now you have to go through the clean-up. Which clients should you notify about the breach? What advice should you offer them if private and sensitive data has been exposed to hackers? How will it affect your reputation? That last question is probably the most important of them all – loss of reputation following a cyber attack is a big deal – can your customers trust you with their data?
The final phase is remediating the blind spots that led to the attack in the first place. Is better security software required? Was it a human error, or an internal process that needs to be re-engineered? Or all of the above? Typically, we see that the right mix of technology, people and processes can build an effective defence against an attack.
As you can see, having an actual data breach can take up a lot of time and money. If you have thousands of clients affected, and have to go through each record to find out what was or was not exposed, you’re in for a long exercise.
That’s why cyber insurance can be important – at least you can outsource some of this work and have your insurer pay for it. Talk to a decent broker if you don’t have cyber insurance and make sure you are constantly looking to identify your blind spots in terms of cyber resilience. The attacks are evolving all the time – we need to do the same.
General Advice Warning
The information provided is to be regarded as general advice. Whilst we may have collected risk information, your personal objectives, needs or financial situations were not taken into account when preparing this information. We recommend that you consider the suitability of this general advice, in respect of your objectives, financial situation and needs before acting on it. You should obtain and consider the relevant product disclosure statement before making any decision to purchase this financial product.