How a CIO should deal with aftermath of a data breach

The 5.30am electronic rumble of a BlackBerry set to vibrate. The sound no CIO wants to hear at that hour as it can only mean bad news.

The chief security officer apologises for waking you but she is clearly agitated. She has just been woken herself by the security consultants you called in to carry out a data audit. The team pulled a late shift last night and discovered some anomalies in the main customer database. The CSO is doing a poor job of covering her panic as she stumbles out with: "It might be nothing". But you both know that you wouldn't be having this conversation now if that's what she really felt.

Despite the security breach at HM Revenue and Customs (HMRC) in November last year, it seems that many companies are still failing to heed the lessons learned from the incident. The Information Commissioner's Office (ICO) has been notified of almost 100 data breaches by public, private and third sector organisations since HMRC. "Data is the lifeblood of many organisations but it is not often looked after very well," says CIO Peter Birley of law firm Browne Jacobsen on his personal CIO Blog. Recent high-profile breaches include the loss of the personal details of around 5000 prison officers in September this year and allegations of a significant data loss at US hotel chain Best Western.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

The 5.30am electronic rumble of a BlackBerry set to vibrate. The sound no CIO wants to hear at that hour as it can only mean bad news.

The chief security officer apologises for waking you but she is clearly agitated. She has just been woken herself by the security consultants you called in to carry out a data audit. The team pulled a late shift last night and discovered some anomalies in the main customer database. The CSO is doing a poor job of covering her panic as she stumbles out with: "It might be nothing". But you both know that you wouldn't be having this conversation now if that's what she really felt.

Despite the security breach at HM Revenue and Customs (HMRC) in November last year, it seems that many companies are still failing to heed the lessons learned from the incident. The Information Commissioner's Office (ICO) has been notified of almost 100 data breaches by public, private and third sector organisations since HMRC. "Data is the lifeblood of many organisations but it is not often looked after very well," says CIO Peter Birley of law firm Browne Jacobsen on his personal CIO Blog. Recent high-profile breaches include the loss of the personal details of around 5000 prison officers in September this year and allegations of a significant data loss at US hotel chain Best Western.

While the organisation itself claims it only affected a handful of customers, what ever the real number, Best Western has suffered damage to its brand as a result. And this is damage that other firms could well face if they don't take the necessary preventative steps to secure data and react in the right way if the event of a breach.

Firstly, don't panic. "People immediately start to think the world is about to end -- all kinds of scenarios are played out in people's minds. These thoughts are crippling and will get worse the longer they fester, so ditch them and get on with the job. The reality is a professional and energetic approach will do more to protect you than hiding in a corner," says Peter Chada, director of the Technology Advisory Service for financial services specialist BDO Stoy Hayward.

The golden first hour

In the first hour after a security breach it is vital to make an assessment of the damage the data could cause, experts say. For example, that means thinking about who would be interested in that data and what effect it might have on not just the individuals concerned but also other effects. For example, in the recent incident at the Prison Service, the safety of prison officers' families who may have been targeted if the data fell into the hands of criminals.

"What would you do in the golden hour after discovering a data breach?," asks Geoff Donson, former High-Tech Crime Unit detective and now security manager for datacentre host TelecityGroup.

"Well for me, I would definitely want to know what the data was because you are going to want to know what collateral damage you have got. Does it help you to get the data back? Probably not, but it might as the nature of the data might determine who was interested in it. You would want to know what private data was included. Was it names, was it addresses, was it bank account details?"