Towards the end of last year, as you may remember, a huge data breach at Marriott International was uncovered. In 2014, hackers got into the Starwood hotel reservation system (later taken over by Marriott International) and over a 4-year period stole the data of up to 500 million hotel guests. It’s the second biggest data breach to date, yet even that doesn’t come close to the scale of the attack on Yahoo in 2013 when 3 billion records were stolen.
These are the sort of attacks we’re getting used to reading about, but not all successful breaches make the news. Organisations worldwide are under constant threat; breaches are happening every single day and we are regularly approached by the companies who’ve fallen victim to them.
You might think they’ve missed the boat by asking us for help afterwards. And, of course, they wish they’d contacted us before. But there are still several good reasons for working with us after a breach has occurred.
3 key reasons companies come to us after a breach
So here are just 3 of the key reasons companies come to us after a breach:
1. To reduce their fine
In 2018, Uber was hit with the biggest data breach fine to date ($148 million) following the breach in 2016. Under GDPR, you can be fined up to €10 million or 2% of global turnover, or up to €20 million or 4% of global turnover, depending on the type of infringement and the effectiveness of your response.
Not all fines are in the millions and many smaller companies have received them. Earlier this year, Swedish data-analytics company Bisnode (which has a base in Poland) was fined €220,000 by UODO, Poland’s data protection authority.
Part of your obligation following a breach, as well as reporting it, is to justify your agreed outcomes with the regulator, who will take your response and how you’re planning to change your approach into account when calculating your fine.
KEY TAKEAWAY: we can help you reduce your fine after a breach.
2. To fix the issues that allowed the breach to happen
All sorts of issues, weaknesses and infringements can lead to a breach but clearly something isn’t working. Of course there are threats companies can’t control. But some organisations make mistakes that more rigorous information security training and awareness could have prevented.
When organisations approach us for help ‘post-breach’ we usually find some key assumptions have been made about what amounts to effective education and awareness. These can be fixed and a more effective and realistic strategy for education and awareness implemented for the future.
KEY TAKEAWAY: we can assess what happened and fix the issue.
3. To commit to making long-term changes
You can’t take some headache pills and expect them to work for all time, much like there isn’t a tactic you can apply once that will protect you forever. We work in a fast-changing industry and often a breach is the wake-up call companies need. It can help them to realise that they can’t keep doing what they’ve always done (because it clearly isn’t working). Or, that running some tick-box training once a year isn’t enough.
Many of them come to us for strategic and tactical help to change their approach. We’ll work with them for up to several years providing a combination of workshops, in-house training, mentoring and consultancy to help them make long-term effective changes to their security awareness, behaviour and culture.
KEY TAKEAWAY: we can work with you strategically over the long-term.
Everything we do is underwritten by behavioural science. By understanding why people take certain actions or make certain decisions we help organisations address the human factor – the single greatest vulnerability when it comes to cyber security.
It’s better to come to us before an attack so we can assess and improve your infosec strategy, but we can help after a breach too. To talk to us about working together please get in touch to set up a call.