"An ounce of prevention is worth a pound of cure" is a phrase often applied to data security at creditor firms and debt collection companies. Every organization in recovery and collections says it has robust data and cybersecurity policies and procedures in place to mitigate risk. Some of them actually do. But those safeguards cannot guarantee that a data breach will never happen. Businesses should be asking themselves not if, but when.
Don't get hung up on prevention! No one in recovery and collections can assume that strong cybersecurity can prevent a data breach. Companies need to plan for response, too, says Michael Orefice, Business Practice & IT Leader at Bridgeforce.
“I’d like to get rid of the word 'if,' and accept the fact that when it happens, I am adequately prepared to deal with [a data breach],” Orefice adds.
Is your organization prepared to handle a data breach? Here are three ways to prepare for the increasingly inevitable.
1. Monitor for Breaches
The first step to an effective response to a data breach is detection, and early detection is critical. Building out an internal security team is one option, and it’s the approach Drew Marston and the team at Resurgent Capital Services took to data security. The team includes an ethical certified hacker, who is always looking for vulnerabilities at Resurgent and their partners.
If your organization is using AWS or another cloud-based solution, that’s good news, too, argues Marston. “Those guys [at AWS, Azure etc.] are even better [than an internal team] because they never sleep…no one is going to beat the cloud services when it comes to monitoring.” That’s key for smaller teams who can’t afford an internal security team.
Automating security monitoring gives you the best opportunity to detect a breach early, which in turn lets you move quickly to the next step in the process.
2. Make the Necessary Fixes
“If you can isolate the scope of an attack, you can recover quickly,” says Paul Hurlocker, CTO at Spring Oaks Capital.
Taking all equipment offline immediately may be required, and you will need to closely monitor the entry and exit points of data, especially where the breach occurred. The FTC’s guide to data breach responses also notes that until affected credentials are updated, your system will remain vulnerable.
If your breach involves a service provider, make sure that service provider is taking steps to remedy vulnerabilities, and then verify that they’ve actually executed on those steps. If your breach was internal in nature, interview the person or people who discovered the breach, engage with a forensic expert, and don’t destroy any evidence.
Once you’ve contained and isolated the breach, the next step is to notify the necessary parties.
3. Effective Breach Disclosures
It’s critical to have an effective breach disclosure policy in order to avoid potential legal and reputational risk. Breaches should also be reported to law enforcement immediately, regardless of the type of breach. Affected consumers should be notified as well, even where it is not obvious that disclosure is required by law (for instance, where personal information is not involved), in order to avoid violating Section 5 of the FTC Act.
The FTC advises organizations to create breach disclosures that are straightforward, helpful, and that are effective for all audiences, including employees, customers, investors, etc. Disclosures should also involve key details that may help affected parties protect their information.
Organizations affected by a breach should also anticipate questions people may have about the breach, and attempt to answer them in a public format, such as on their website.
As the FTC notes, “good communication up front can limit customers’ concern and frustration, saving your company time and money later.”
So, given the likelihood that your company is at risk of a data breach, it’s time to get prepared so that when it happens, you can detect, contain, and respond quickly.