The Data Breach Checklist Your Clients (Hopefully) Never Need
If your client has a cloud-based file sharing designed specifically for business use, they probably won't need this checklist. For all others, this checklist should serve as a wake-up call.
October 21, 2013
By Michael Brown
“Nobody would ever want to steal our data. Why would anyone do such a thing?” Famous last words! These days, data breaches are occurring at a dizzying pace and no one seems to be immune – from the federal government right down to the smallest of small businesses.
As an MSP, you’ve strongly recommended a number of safeguards to your clients to ensure that their private data remains private – notably through cloud-based file sharing. But as you know, not all of your recommendations are acted on. So for those clients who still don’t see the need for a business-class file sharing solution with strong safeguards (e.g. end-to-end encryption), here’s a trick that might help.
Below is a very basic checklist – and we do mean basic – of certain tasks that will need to be completed in the event of a data breach. Hopefully, reading it will convince them to invest in a secure option for sharing files between employees and third parties (or at least make them think twice about it). Let’s take a look at some of the tasks:
Investigate, identify and fix: A general rule of thumb in security is that if it can be breached, it will be breached – and it will continue to be compromised until it’s fixed. Worse yet, this process tends to uncover additional security gaps, which will require additional resources. During this step, someone will have to document the incident in great detail: who discovered the breach, when did it happen, how much data was compromised and what type of data was it? This will require several lengthy interviews and weeks of investigation. Have fun with that.
Inform the external authorities: When their data has been stolen or compromised, they’ll need to alert various levels of law enforcement (FBI, Secret Service, etc.) as well as their legal counsel. If the company has a PR/crisis management team, this is their time to shine.
Inform internal authorities: The company will need to hold several meetings with the internal stakeholders directly affected by the breach. This would likely include finance and accounting, HR, IT (i.e. you) and the entire upper management team – not a very valuable use of anyone’s time.
Inform the end users: Sorry, but if data was compromised, it’s best that the customer hears it from you first. Aside from the written communications, they’ll also need to bring their customer support team up to speed on the issue so they can address a potentially huge spike in inquiries.
Depending on the industry, the data breach checklist will vary in terms of exact tasks, but these are pretty much universal. You’ve got to find it and you’ve got to fix it – and you’ve got to let a number of parties know all the messy details.
The real point here is that data breaches redirect resources away from productive endeavors. So if you’ve tried everything and still can’t convince your client to ditch the file-sharing solution intended for the consumer, maybe this will do the trick.