Cybersecurity prevention efforts shouldn’t overshadow your ability to respond and recover in the event of an attack. This ebook offers advice from security experts on how to recover from a cyberattack with the least amount of damage and disruption.
From the ebook:
Suffering a data breach can be catastrophic for a company, and for the people who work there. The realization that security controls have failed and that the focus must now shift to investigating and remediating the situation is never pleasant, but unfortunately it is becoming all too common as threats multiply.
Even more disconcerting is the prospect of the "blame game" that begins as details emerge about the breach and whether it resulted from human error. "What could we have done to prevent this?" quickly becomes a mantra amid the massive amount of work that lies ahead.
Fortunately, you can answer that question in advance by learning from the mistakes of others. Here are five ways you can plan for a breach to help avoid this catastrophe.
Know the regulations and laws in advance
Depending on the type of organization you work for, regulations and standards such as Sarbanes-Oxley (SOX), HIPAA, PCI DSS, FISMA, and GLBA may apply to your systems and data. Learn which ones apply and determine how you will comply with them. Their requirements not only help you prevent data breaches, but a documented record of compliance also limits your exposure to penalties and liability if a breach does occur.
Also make sure you know the laws of the states and countries in which your organization is based or conducts business. The United States has no single comprehensive federal breach-notification law (sector-specific rules such as the HIPAA breach notification rule and GLBA do impose notification duties), but all 50 US states, as well as Washington, D.C., have laws requiring companies to notify affected individuals when their personal information has been compromised, and the deadlines and notification thresholds differ from state to state.
In Europe, the General Data Protection Regulation (GDPR) was formulated to strengthen the protection of personal data for individuals in the European Union and governs how that data may be transferred outside the EU. For data breaches, the GDPR requires notification of the supervisory authority within 72 hours of becoming aware of a personal data breach, and notification of the affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms. Notifying individuals is not required if the data was rendered unintelligible to unauthorized parties, for example by proper encryption, and truly anonymized data falls outside the GDPR's definition of personal data altogether. Publicly traded companies are also subject to US Securities and Exchange Commission disclosure rules on cybersecurity incidents, which since 2023 require disclosure of a material incident on Form 8-K within four business days of determining that it is material. Because these deadlines are short, map each applicable regulation to its notification trigger, its clock, and the contact responsible for meeting it before an incident happens, and have legal counsel confirm the list.