British Airways Data Breach demonstrates how GDPR has already affected UK data breach policy of big businesses.
British Airways response to the incident has been swift, clearly their response to the incident was being managed by a data breach policy that has been structured to comply with GDPR.
Notification was made within the 72 hours required under the regulation, compare that to where we were pre-GDPR where incidents at companies such as Yahoo Equifax etc. have been covered up for months and even years.
The fact that BA appear to have detected the breach through a third party security partner may indicate that they have been taking signicant steps to ensure monitoring and detection are high on their Cyber Security agenda.
Comparatively a 15 day period between which the breach occurred and remediation was put in place is significantly better than most breaches that have reached the public record.
The average time between breach and remediation is measured in months and sometimes even years, statistically 6 months seems to be the norm, but how many go undetected or un-reported.
How a planned response to a data breach is the key to dealing with a data leak incident.
From BA’s point of view they have dealt with the incident in a manner that suggests they had a protocol (data breach policy) in place to deal with the Data Breach contingency. Although from a PR point of view a breach is always going to have a negative impact and as in the case of BA, provide ammunition for the companies critics.
As a result of having a data breach policy in place, BA have been able to keep some control of the story as it unfolded.
The fact they were capable of detecting a breach, instead of as is unfortunately all to common, dealing with the breach as the story unfolds; TalkTalk are possibly the best example of a major company fumbling the media ball when confronted with a data-breach.
The breach allegedly perpetrated by Magecart the same group who were behind the infiltration of Ticket Master, a description of how it was accomplished can be found on the theregister.co.uk website.
So what can the average CEO or business owner learn from the crisis at BA.
I would suggest that you begin by imagining that you have become aware of a possible breach and evaluate your Data Breach Policy accordingly.
As the BA reaction to having been breached, having worked out your reaction to a data breach scenario in advance and rehearsed the various scenarios is key to the success of your Data Breach Policy.
Central to which are the following:
Detection – The ability as in the case of BA to determine a Breach has occurred before the lynching party arrives and informs you of a breach.
The Role of The Data Protection Officer – (A key plank to any Data Breach Policy).
Evaluation & Investigation – What has been lost, what is the scope of the Breach.
Notification – As soon as you are aware that the probability is information that includes personal data has been leaked the 72 hour clock begins ticking.
Remediation – A considered approach will serve you better than knee jerk or scatter gun.
Creating your Data Breach Policy
Tamite Secure IT have created a White Paper on how to creating your Data Breach Policy, in addition we will be announcing dates for our Creating a Data Breach Policy workshops very shortly. Please contact us for details.
As BA, Butlins, Equifax, Stena Line and many businesses across the UK have found Defending your network against a breach is difficult, so now you need to move beyond protection and understand how you can implement a strategy for detection.
All companies should be asking themselves the questions how do we know if we have been breached? How would we react if it happens? Can we learn from BA?
Tamite Secure IT provide IT Security Strategies to protect you from breaches and remediation should the worst-case scenario become a reality.
Please contact us for access to our Template – Data Breach Policy
Contact us to discuss how we can help to make your business, whatever the size more secure and able to deal with the Cyber Threat.