A Beginner's Guide to Incident Response: The Basics

Is your small business ready to face a data breach once it occurs?  

Whether a business is large or small, preparing for an incident can be challenging, especially for growing businesses. According to Accenture, more than half of small and mid-size businesses have experienced a data breach in the past year. At the same time, Keeper Security’s 2019 SMB Cybersecurity Study reveals that 66% of senior decision-makers at small businesses still believe they’re less likely to be targeted by online criminals, and 60% have yet to establish a defense plan.

Growing businesses have been under the impression that they are too small, too new, or too unappealing to be targeted. However, they should develop an incident response plan to identify and respond to privacy and security incidents that could place their data at risk. 

In this three-part blog series, we’ll cover basic terminology, breach notification laws you should know, and tips and best practices for building an incident response plan.  

Register for the Webinar: How to Build Your Incident Response Plan on June 11th, 2020 at 1pm ET / 10am PT

Incident vs. Breach 

There are various types of incidents and breaches that SMBs should be aware of.

According to the Cybersecurity and Infrastructure Security Agency (CISA), an incident is an act that violates an “explicit or implied security policy,” as stated by the NIST Special Publication 800-61. Incidents are categorized into two groups – privacy or security.

Privacy Incident. As defined by the Department of Homeland Security (DHS), a privacy incident is a “suspected or confirmed incident involving personally identifiable information” that has occurred as a result of non-compliance with the privacy policy and procedures of the DHS.

Security Incident. A security incident is an event that places sensitive data, both regulated and unregulated, at risk of unauthorized access and exposure. This type of incident may actually, or potentially, jeopardize the confidentiality, integrity, or availability of information. 

A breach, on the other hand, is a subset of an incident, but even more so, its consequence. Breaches are categorized into two types – a security breach and a personal data breach.

Security Breach. A security breach occurs when the result of a security incident falls within the information security CIA (confidentiality, integrity, and availability) triad. However, based on the jurisdiction, this definition can vary. 

The CIA triad breaks down into three groups:  

  • A confidentiality breach results in unauthorized or accidental disclosure of, or access to, personal data.
  • An integrity breach involves unauthorized or accidental alteration of personal data.
  • An availability breach involves unauthorized access to, loss of, or destruction of personal data.

When personally identifiable information (PII) is involved, these also qualify as a personal data breach. 

Personal Data Breach. A personal data breach is a subset of a security breach and occurs when personal information/personal data is involved. There are always certain nuances to the definition, based on what is considered personal information in each jurisdiction. Under Article 4 of the General Data Protection Regulation (GDPR), a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”

Understanding the risks of each event can help to minimize its impact on personal data. 

What is an Incident Response Plan? 

For every incident, there is an incident response plan. According to the GDPR, this plan outlines: 

  • What defines a breach to your organization 
  • The roles and responsibilities of the security team 
  • Tools in place to manage a breach 
  • Incident Response Playbook – Instructions on how to address, investigate, and communicate incidents 
  • Notification requirements following a data breach 

Although security and process gaps may be revealed during development, this set of instructions will help to guide privacy and security teams on how to detect, respond to, and mitigate incidents that place personal data at risk. While not every attack can be prevented, an incident response plan should enable any SMB to recover quickly and should help the organization meet compliance requirements after a breach.   

Who is Responsible for the Incident Response Plan? 

In contrast to large enterprises, small businesses don’t always have the budget to hire a dedicated IT and Security Team. Ultimately, small business owners will be responsible for developing their incident response plan, but with a process so overwhelming, hiring an expert or starting with a pre-built workflow template can surely help. 

Why Do Small Businesses Need an Incident Response Plan? 

SMBs are particularly vulnerable and often targeted for security threats due to inadequate security measures and an overall lack of personal data protection. However, small business owners shouldn’t wait for disaster to strike before they start building a plan. 

According to the Cyber Security Breaches Survey 2019 conducted by the Office of National Statistics of the UK, 31% of small businesses have identified cybersecurity breaches or attacks in the past year, and only 15% have developed a formal cyber incident management process. With an incident response plan, SMBs have a clear set of guidelines that saves time when deciding what to do when a breach occurs. These guidelines not only help to avoid missteps during mitigation and recovery but will also minimize cost and reputational damage, which could take years to recover from.

Now that you understand the terminology, it’s time to get familiar with some of the privacy and breach notification requirements. Check out part 2 of the series, A Beginner’s Guide to Incident Response: Everything You Need to Know.
