“Hardly a day goes by without data loss hitting the headlines”, explains Malcolm Marshall, Head of KPMG’s Information Security advisory team, “so there is every incentive for companies to get their house in order. With regulators and other stakeholders breathing down their necks, ensuring that businesses are prepared for every eventuality is the best way forward to limiting the damage.”
KPMG's top 10 tips for avoiding data loss are as follows:
- Build a close relationship with your regulator: Show your regulator that reasonable steps are being taken to protect against the risk of data loss. By doing this, companies can avoid serious regulatory intervention and the damage within the market that typically comes with it. Steps may include: proof that incident response plans are robust and tested, that these issues are taken very seriously at the highest level of the business, and that the exposure and effect will be mitigated should an incident occur.
- Plan for the worst-case scenario: Ensure that investigation and crisis management capabilities are comprehensive and fast, and that reporting is set up to happen promptly and clearly. This will increase the confidence of regulators, shareholders and customers.
- Escalate, escalate, and escalate some more: Take the data loss issue to the very top of the business so that executive-level ownership, responsiveness, commitment and support are secured.
- Never cover up or turn a blind eye: If an incident occurs, an open and honest approach is critical. Doing this will both solve the problem and ensure that regulators know what has happened; if they are forced to intervene once the incident hits the headlines, the problem will be magnified.
- Learn from your own and others’ mistakes: Businesses that have avoided the security-breach limelight may simply be lucky, but more likely it is because they are almost ‘paranoid’ about managing their data security and avoiding incidents. Learn lessons from good-practice guidelines as well as from your own – and others’ – experiences.
- Consult your lawyers: Obtain legal input so that you understand what your obligations are under the law and industry regulations. Furthermore, it is important to understand your position should an investigation, claim or other action arise.
- Reassure regulators and other stakeholders with an independent response: Using independent advisers to proactively manage risk or investigate, remediate and respond to incidents will provide an additional level of assurance to key stakeholders and help to reduce consequential damage.
- Close gaps quickly – send the criminal elsewhere: Assess your vulnerabilities and existing security capabilities. This can highlight weaknesses in processes, systems and controls which might otherwise make potential data thieves decide you are the ‘easier target’.
- Prosecute where you can, seek maximum penalties: Take the strongest possible legal action against the perpetrators. Although this might cost additional money and time, as well as prolonging the situation, it may also act as a deterrent to others.
- Put yourself in your customers’ shoes: Look at data theft from the customer perspective. This can help you to take action which minimises the damage to them and retains their trust in you. Notifying all customers (including those not directly affected) early and proactively, detailing the corporate policy and action being taken, is a simple action that can make a big difference.