Cybersecurity

Data Breach Concerns: Proactive tips to ensure your company is prepared

By Ryan Bilbrey

Are data breach worries keeping you up at night? The first half of 2019 alone saw 4.1 billion records exposed in 3,813 reported data breaches, according to the 2019 MidYear QuickView Data Breach Report. Those in the construction industry may tend to shrug off the data breach fear, since most breaches target public sector entities, healthcare organizations, or the financial industry, according to Verizon’s 2019 Data Breach Investigations Report. However, dismissing that concern altogether would be a mistake. 

As companies in the public, health, and financial industries improve their data security procedures, other, less regulated industries are becoming ripe for bad actors to breach. Take the construction industry, for example. With its continued adoption of various internet-accessible technologies—from drones to augmented reality to wearables to cloud data storage—it’s now a more attractive target.

To borrow the popular mantra: “It’s not a matter of if you’ll experience a data breach, but when.”

DATA BREACH COSTS

Data breaches are expensive in many ways, with an average total cost in the U.S. of $8.19 million, according to the 2019 Cost of a Data Breach Report from IBM Security and Ponemon Institute. This is a result of many factors, including:

• The time it takes to identify and contain a data breach
• The costs to detect and manage the breach
• The size of the breach and the number of records lost or stolen
• The unexpected loss of customers
• Added costs due to system complexity, extensive cloud migration, use of mobile platforms, and use of IoT devices
• The lack of an incident response (IR) team

The IBM/Ponemon report notes that data breaches in the U.S., on average, affect 25,575 records at a cost of $242 each. Additionally, the average time to identify and contain a breach is 279 days. Speeding up that process can add even more costs. Those expenses and timeframes can be negatively impacted even further by new state regulations.

STATE REGULATIONS

Colorado, Massachusetts, New York, and most recently, California are taking the reins in protecting their citizens who are affected by a data breach. In lieu of a federal standard, these states—and others to come—are establishing guidelines and requirements to help companies recognize data threats, better prevent them, and provide proper and timely notification if a breach occurs. Together, they are defining how to handle a security breach and expanding the list of who and what data are covered. However, the rules can add additional challenges to companies both within and outside of the states that created them.

For example, Colorado has enacted a strict requirement that notification needs to be made to residents and the state attorney general within 30 days of a breach. That affects any company that may have a Colorado resident’s personal information, whether or not the company is located in Colorado. 

Sometimes a company isn’t aware what information it has until it sorts through its data. That essentially means that every company that is breached, no matter the location, needs to determine that the breach occurred, sort through what was taken, find out if it affected anyone from Colorado, and make appropriate notifications. All within 30 days. 

When compared to the average breach response time of 279 days, the time difference could be impossible—or at least, very expensive—to overcome.

MITIGATING THREATS, DAMAGES AND COSTS

Construction companies can save time and money later by making preparations now for impending data threats. Work with your IT team to craft detailed policies and procedures for what will happen in case of a cyber breach. It may also make sense to bring in a cybersecurity expert. Once you have those policies in place, back them up with the following: 

Form an incident response team. Outline who will be involved and each person’s role should a data breach occur. This team will include company leaders, IT personnel, the company’s attorney, the cyber insurance company (where applicable), and the cyber investigations company and/or a “breach coach” who can help coordinate the various phases of the process. In simple terms, those phases are: 

Phase 1: Conduct a forensic investigation of the incident. This phase involves the detailed investigation of the incident to identify root causes, verify or validate remediation performed, identify data potentially compromised or impacted, collect data as required for potential data breach notification (for phases 2 and 3), and subsequently, generate a detailed report on the findings, remediation, and testing/validation.

Phase 2: Assess data set and capture private information for affected individuals. This phase includes the evaluation, assessment, filtering, and review of compromised data sources to identify private data that was potentially exposed (e.g., Personally Identifiable Information (PII), Protected Health Information (PHI), and other private data types). Names and key data points are captured to enable the creation of a notification list.

Phase 3: Create and send notification of breach. The final phase of the project involves the creation of an individual notification list, drafting notification letters for individuals and transmitting the letters. It may also include notification to various state regulatory and/or law enforcement agencies, depending on the state of residence of the affected individuals.  

Get cyber insurance. Cybercrime isn’t typically covered by a general liability policy. A cyber insurance policy covers data theft and related expenses, including things like tech support and public relations.

Use a company to help with the PII/PHI identification process. Most breach investigative and response service providers do not perform the crucial step of identifying the individuals affected by the breach and the personal data tied to them because it’s a nuanced process that requires specialty software and data management experts. Because this effort shares a similar workflow, eDiscovery service providers are well-suited for the task. Find a Data Breach Discovery vendor that has the tools and resources to collect compromised data sources, use machine-learning technology to search the large number of files, and create a list of individuals whose personally identifiable information has been compromised. Although we haven’t seen it happen yet, we’re betting there will be a situation soon where PII will be missed in a data breach review that didn’t use the Data Breach Discovery process—and when it does happen, it could be another heavy blow to the company and the players.   

Create a crisis communications plan. Without set steps for handling a crisis, a fire drill can become a five-alarm fire. Detail everything in a plan and determine the company spokesperson and talking points. Additionally, outline how and when employees, affected individuals, and the public will be notified. Once your plan is finalized, make sure it is printed out and handy (since you may not be able to access it digitally after a data breach security incident).

Vet third party vendors. Many of the largest data breaches reported in recent years started not with the targeted company itself, but with a vendor of the company. For example, Target’s massive 2013 data breach incident started with its HVAC vendor. If any third party has access to your system or to information about your clients, they should undergo a thorough vetting process. This includes HR and payroll companies, cloud technology providers, and outside applications. Contractual agreements should outline data protection policies and indemnify your company if the vendor is affected by a breach.  

Conduct regular risk assessments. Work with a vendor to find gaps in your data security and ensure severe risks are eliminated. Make records of the findings and continually review and enhance your security measures accordingly.

Establish IT security defenses. Data breach costs can be greatly reduced when companies employ security measures such as threat detection, encryption, data loss prevention, multifactor authentication, and staying updated on threat intelligence.

Train employees. Employees should be aware of how to spot potential data threats, such as a phishing email, as well as what to do if a data breach were to occur. Regular sessions that outline the company’s policies and procedures will allow your entire team to help defend your company against potential threats.

The most important thing is for companies to be aware of and ready for data threats. I recently spoke with a company that had a data breach for which it was not prepared. The leaders didn’t know what to do or who to contact. In fact, they didn’t even know they had cyber insurance. Several days were wasted while they figured out how to proceed. All the while, their system was open, and they were losing data, time, and money.

CLOSING THOUGHT

Be proactive so that when, not if, a breach occurs, you’re ready to act. Your company, employees and customers will be glad you did.