Andrew Storms at nCircle has a very special offer for you: the 5 steps to accepting a data breach. It includes important steps such as preparing your press statements:
Step 4. Develop a security failure crisis communications strategy now. Those silly IT incident plans include pages of technical jargon, why not have the PR team develop their own nonsensical apologetic statements ahead of time? While you are at it, offer a prepaid bonus to a lower level employee for taking the fall when that security incident happens. When the time comes, make sure news cameras tape them walking out of the office with a box of personal possessions and their head covered with a jacket.
Andrew makes it sound funny, but there is some important advice in his post. If you handle private data, chances are it will eventually end up where it shouldn’t be. If you work for a call center, the phone system will crash. If you do programming, your revision control system might randomly corrupt data. I could go on, but I think the point is clear. Sooner or later, a disaster will happen.
That doesn’t mean you should spend your time trying to plan for every possible (sometimes miserable) failure. Your plans will always lag behind the actual situation, and the one disaster that actually happens won’t be in your plan anyway. In fact, your plan might be on a crashed server, or unreadable because the drawer it’s in was flooded. But the process of working on a disaster recovery plan can be really helpful by itself, regardless of the actual plan that it results in. Here are some tips that might help you get started:
- Define what’s important for your organization. This might be your production facility, your online store, your central database, or the company mascot. Defining this might not be as easy as it sounds, and every part of your organization will have something to add to this list.
- Define how much it will cost if it is lost. Does it sound obvious? It is, but it will help you decide how much to spend on protecting it.
- Estimate the cost of unavailability and/or disclosure. If you operate a call center, how many customers will you lose after being unreachable for an hour? A day? A month? If you handle private data, what fines can you expect when it is exposed to a third party? How much will you have to spend on marketing to restore your image?
- Think about how to manage a crisis beforehand. Who will handle phone calls from the press? Will you wait for them to contact you, or is it better to have your list of press contacts ready so you can decide how and when to announce problems? Who will coordinate the efforts to combat whatever disaster strikes you? This will save you a lot of time when the inevitable happens.
- Don’t put all your eggs in one basket. Again, this might sound obvious, but try to find out how many single points of failure you have. Do you have a single, centralized production facility? What happens if there’s an earthquake or flood? Do all your servers rely on a single, centralized storage system? If so, do you make external backups of that system, or do you rely on snapshots on that same storage system?
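The last two tips (cost of unavailability, single points of failure) can be combined into a small model. The following is an added example, not code from the original post: it takes a constructed dependency map (the component and service names and the hourly cost figures are placeholders I made up), ranks each component by the hourly cost of everything that stops when it alone fails, and checks whether a "backup" actually shares fate with the thing it protects, such as snapshots kept on the same storage system.

```python
"""Rank single points of failure in a constructed dependency model."""
from collections import defaultdict

# Constructed sample (hypothetical names): service -> components it needs.
DEPENDENCIES = {
    "online_store":   {"web01", "web02", "central_db", "san01"},
    "call_center":    {"pbx01", "san01"},
    "central_db":     {"db01", "san01"},
    "db_snapshots":   {"san01"},        # "backup" that lives on the same SAN
    "offsite_backup": {"tape_vault"},   # backup stored somewhere independent
}

# Constructed placeholder estimates: cost per hour of unavailability.
HOURLY_COST = {"online_store": 5000, "call_center": 1200, "central_db": 800}


def closure(service, deps):
    """Return every component the service transitively depends on."""
    seen, stack = set(), [service]
    while stack:
        node = stack.pop()
        for dep in deps.get(node, ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def single_points_of_failure(deps=DEPENDENCIES, costs=HOURLY_COST):
    """List (component, affected services, hourly cost), costliest first."""
    impact = defaultdict(set)
    for service in costs:
        for comp in sorted(closure(service, deps)):
            if comp not in deps:      # a leaf: a box, a SAN, a site, ...
                impact[comp].add(service)
    rows = [(c, sorted(s), sum(costs[x] for x in s)) for c, s in impact.items()]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def backup_shares_fate(backup, protected, deps=DEPENDENCIES):
    """True if one component failure would take out both the backup and the original."""
    return bool(closure(backup, deps) & closure(protected, deps))


if __name__ == "__main__":
    for comp, services, cost in single_points_of_failure():
        print(f"{comp:<10} {cost:>6}/h  {', '.join(services)}")
    for backup in ("db_snapshots", "offsite_backup"):
        print(backup, "shares fate with central_db:", backup_shares_fate(backup, "central_db"))
```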