Your organisation will suffer a data breach at some point – there are simply too many cyber criminals, too many vulnerabilities and too many chances for employees to make mistakes.
Investing in cyber security measures can certainly help you defend against most threats, but there’ll come a time when your best efforts aren’t enough.
You might argue that you don’t have anything worth stealing or that your organisation is too small for crooks to pay attention to, but this won’t help. Most attacks are opportunistic rather than targeted: cyber criminals scan for exploitable vulnerabilities wherever they can find them, so any organisation with an exposed weakness can become a victim.
It’s not all doom and gloom, though. With the right policies and processes, you can detect and contain security incidents promptly and give data subjects time to secure their accounts. The public and regulators increasingly accept that data breaches happen, and unless the incident was the result of serious negligence, they will judge you primarily on how well you respond.
How to respond to a data breach
There’s a lot more advice on how to respond to data breaches since the EU GDPR (General Data Protection Regulation) took effect on 25 May 2018. The Regulation sets concrete expectations: a personal data breach must be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, and affected individuals must be informed without undue delay when the breach is likely to result in a high risk to them. Whether your organisation is required to comply with the GDPR or not, we recommend following its best practices, including those regarding data breach response.
Even though notification requirements in the Gulf aren’t nearly as strict (in fact, in many places they’re non-existent), it’s a good idea to use the GDPR as a framework. There are two reasons for this.
First, the GDPR has become the de facto global benchmark for data protection. Many organisations require suppliers and subsidiaries to meet its standards in order to reduce the risk of third-party data breaches.
Second, the threat of cyber crime can only be addressed if organisations work together. That means disclosing incidents and sharing threat intelligence with regulators and other organisations. This helps everybody understand the importance of cyber security and ensures that resources are invested where they are most needed.
The harder organisations make it for cyber criminals to steal information, the lower the return on an attack, and the fewer opportunists will see criminal hacking as an easy way of making a living.
EU GDPR – EU vs Gulf data protection law
This green paper, EU GDPR – EU vs Gulf data protection law, gives an overview of the key provisions of the GDPR and explains how it compares to similar laws in the GCC region, how meeting the Regulation’s requirements will help you comply with domestic data protection laws, and the critical areas to be aware of when preparing for compliance.
For more advice on how to prepare for security incidents, take a look at our breach readiness questionnaire. We ask you a series of simple questions about your organisation’s setup and provide tailored advice on what you can do to better prepare yourself.