You cannot protect your business from a data breach. You can only prepare for it.
Given enough time, the odds that your business will be the victim of some form of data breach are 100%.
As the only Payment Card Industry (PCI) Qualified Security Assessor (QSA) in Southeastern Virginia (and one of only four in the Commonwealth), Sera-Brynn routinely investigates the causes and after-effects of data breaches.
In many cases we work closely with local and Federal law enforcement to determine the origin and possible future proliferation of a particular cyber threat.
The damages can be staggering – in Virginia, the Commonwealth’s Attorney can fine a business up to $150,000 for not following post-breach consumer notification procedures. In 2013, the average plaintiff’s award for negligent compromise of customers’ information was $2,500 per record.
If your business loses the personal information of 1,000 customers, could you afford a $2.5M judgment? That’s in addition to fines from the Federal government, breach investigation, data recovery, and clean-up.
As a QSA, Sera-Brynn is a certified auditor of Payment Card Industry standards on behalf of Visa, MasterCard, American Express, and Discover. In addition to our PCI audit responsibilities, we have two main roles: to help businesses prepare themselves so they are NOT subject to fines, fees, and litigation after a breach, and to investigate on behalf of the card brands after a breach. We prefer the former.
It seems hopeless, so do you just take your chances and play defense?
If that’s your strategy, you have to be right 100% of the time; an attacker only has to be right once.
It’s difficult to know what tools you should choose to protect your business, whether to manage security in-house or outsource, and how much is reasonable to spend on preparing for a data breach. Risk Management prioritizes assets that support critical business processes and identifies resources necessary to minimize the risk.
Some businesses are willing and able to accept more risk than others. Sera-Brynn’s Cyber Risk Management addresses three pillars: Compliance, Insurance, and Response.
Of the three pillars, Compliance is the most important for mitigating risk. Whether the compliance requirements are industry or government mandated, a good faith effort to comply is the strongest firewall against fines and litigation following a data breach. Whether your business must comply with PCI, HIPAA, FISMA, NIST, GLBA, SOX or others, failure to address those regulations will result in costly fines, remediation fees, and litigation.
The second pillar of Cyber Risk Management is Insurance. Cyber liability policy sales are increasing, but many businesses haven’t purchased the right coverage. Depending on your accepted level of risk, consider a policy that includes crisis management, consumer notification, legal fees, and incident response – and make sure you understand the exclusions.
In over half of the incident response events we’ve investigated, the business was denied coverage due to specific exclusions in their policies.
Unless the broker and the policy holder understand the details, the policy may not be worth the paper it’s written on. Enlist the help of your legal team, technology team, and risk managers when reviewing cyber liability coverage. In almost every case, compliance with applicable cyber security requirements will be mandatory!
The final pillar is Response. In the event of a breach, staying ahead of the crisis is key. Most compliance standards require a response plan that addresses data backup, continuous monitoring, notification guidelines, and checklist procedures. A plan that is well thought out will significantly limit the economic and reputational damage to your business.
The good news is that addressing the three pillars is relatively inexpensive before a breach, but they must be addressed now. As the severity, complexity and frequency of cyber attacks increase (with no hint of slowing down anytime soon), it is more important than ever for businesses to take proactive steps today to limit the potential damages from a data breach tomorrow.