Crisis Response: Your IT Department Is Not Alone in Needing to Prepare for a Breach

Any IT department can find one example after another of corporate data breaches and losses. And although the names you've heard most frequently have been larger companies, middle market companies are tempting targets for criminals. Because their resources are fewer and defenses not as sophisticated, they can make easy victims.

To put that into perspective, companies with up to 500 employees made up a large portion of cyberattack victims. Executives also often treat security as something nice but not critical, putting the businesses at even more risk. There's a good chance that your company could be electronically attacked and that important data might be stolen or exposed to public view. What you do after the fact is critical.

Prepare in advance

A critical step in response to a data breach is preparation. You need a plan to respond in an orderly and effective way to a breach. Such a plan should indicate the necessary steps, name the internal personnel who will be on the internal response team and the nature of their roles, and list resources available for the response.

Part of the preparation involves legal issues. Depending on your industry, the geographic regions in which you operate, and the nature of the breach, there may be specific laws and regulations governing what you must do. They might involve consumer data and financial reporting responsibilities. There could also be responsibilities to industries, like the Payment Card Industry, a trade group that governs use of payment cards.

Keep in mind that a breach might affect many parts of the company, including the legal department, customer service, order processing, IT, marketing, and finance.

Get the story straight, quickly

The minute you have an indication of a breach, it's time to move into high gear. Read the stories of recent major breaches and you'll learn that the biggest problem was a delay in fully addressing the situation. You want to preserve evidence, notify law enforcement, understand the extent of the breach, identify when it first started, and be certain the types of information that were lost, as well as know how easily any of it could be unencrypted or it is was stored in plain form.

Call in expert help

Large companies rarely have the full range of technical, legal, communications, and other experience and resources to address a breach by themselves. A middle market company is at even more of a disadvantage. In some cases, a usual advisor like a law firm might have the knowledge to fully address the circumstances. Or you might need additional help from firms that have greater expertise in such areas as privacy law and computer forensics. There may even be a need for such specialists as data counseling services for customers and firms that can put together the necessary mass communications to consumers or handle press inquiries. Crisis response is about to become an important part of daily activity.

Communicate with those affected

Communicating with customers, the press, and investors will be an extensive part of the response. Take responsibility and don't waste time trying to blame someone or something. In the eyes of everyone, you're at fault because you're the ones who were trusted with the data. Communications also has to go beyond mass mailings or press releases. When someone affected has a question, have people to respond in a knowledgable and efficient way. There may be thousands or even millions of people who are rightfully worried and need to make plans of their own.

Make things right

You can't return everything to its initial state, because Pandora's box has been opened. What you can do is everything possible to help people regain their peace of mind and finally to rebuild trust. Make sure the same problem cannot happen again and let customers know of your progress. That means better handling security in the future. It isn't just the job for the IT department. It's the responsibility of everyone, particularly on the management team.

Erik Sherman is an NCMM contributor and author whose work has appeared in such publications as The Wall Street Journal, The New York Times Magazine, Newsweek, the Financial Times, Chief Executive, Inc., and Fortune. He also blogs for CBS MoneyWatch. Sherman has extensive experience in corporate communications consulting and is the author or co-author of 10 books. Follow him on Twitter.