Data breach investigations ‘should focus on business impact’
When a company suffers a data breach, the subsequent investigations tend to focus on the attacker and what motivated them.
However, Raj Samani, chief scientist and fellow at McAfee, has told Computer Weekly that there should be more focus on the resulting impact on the business.
He pointed to the recent Equifax breach – in which up to 145.5 million consumers may have had their personal data exposed in a hack of the credit rating firm – as an example.
According to Mr Samani, it is “remarkable because of the impact that it has had, not only on the Equifax business itself, but on the company’s executives,” many of whom have resigned since the breach became public, including the chief information officer, chief security officer and chief executive officer.
He explained that this shows more attention is “being paid to the business impact”. However, he added that one of the reasons this is not seen earlier is that “it takes time for the full impact to be understood and come to the fore”.
The effect of a data breach on a business can be devastating. A recent report by global advisory firm Oxford Economics and IT and business process services firm CGI found that cyber attacks on FTSE 100 firms lead to losses of 1.8 per cent of the share price, or £120 million on average.
Mr Samani said that roughly 1.9 billion records will have been leaked or stolen in the first half of 2017 – more than in the whole of 2016. He told Computer Weekly that this means 1.9 billion “people’s lives have been affected” by their data being exposed, and potentially in the hands of someone with malicious intentions.
This will undoubtedly have a major impact on companies, with customers losing trust and then choosing not to continue doing any sort of business with them. Therefore, Mr Samani said, businesses have “remarkable” opportunities to identify those individuals who can help to drive innovation in security strategy. He added that businesses should look at ways of returning value.
He said that organisations should focus on three factors: transparency, informed consent and value. He explained that customers will be more likely to be willing to share their information if businesses can inform them of what they will be doing with any data collected and demonstrate the value they will offer.
Transparency is not just recommended to businesses before a breach – consultants advise companies to be open about an attack after the fact. A cover-up will create more distrust among customers, while reducing the amount of time they have to put any contingency plans into action.
The effect of a data breach on a business can be immense. It therefore makes sense for the resulting focus to be on that impact in order to give companies the best chance of helping their customers through.