To see how a data security incident can quickly go from bad to worse, look no further than the recent MeridianLink attack. On November 7, the ransomware group BlackCat (also known as AlphV) informed MeridianLink that it had stolen unencrypted data from the company and would leak it if their ransom went unpaid.

When MeridianLink did not respond, BlackCat upped the ante by threatening to release the data and, in an unprecedented move, reported the breach to the Securities and Exchange Commission (SEC). It’s worth noting that the SEC’s requirement that companies report material cybersecurity events within four business days of the incident had not yet taken effect (that became effective on December 18). Nonetheless, the hackers reporting their breach was a bold move, and certainly added an unusual wrinkle.

This incident is a clear reminder that taking proactive steps and embracing transparency is critical to mitigating the impact of a data breach. Let’s look at how companies can prevent such incidents from becoming a regulatory and reputational nightmare.

Prepare for the Worst and Respond Quickly

Addressing and preparing for data breaches should be a top business continuity and disaster recovery (BCDR) priority for any company, especially those in regulated industries like financial services and healthcare. According to IBM, the average data breach cost is now $4.45 million, a 15% increase over the last three years. That is undoubtedly a number that should catch the attention of any corporate decision-maker. So what should companies do?

Back Up Data Regularly
Before an attack occurs, a robust data backup plan should be in place. If compromised data is encrypted and unusable to attackers, the backup data can help restore normality in relatively short order. Companies should regularly conduct restoration tests to ensure the process is as smooth as possible when an attack occurs.

Respond to an Attack Quickly
As soon as you become aware of an attack, mobilize your incident response team and take immediate action to gather all the pertinent information and notify all applicable agencies, along with affected consumers and stakeholders. Promptly notifying impacted parties is not only the law but also a commitment to accountability. Time is of the essence, and the BCDR plan should start with a checklist for communication and roles/responsibilities that commence as soon as an attack is detected to identify where it occurred and mitigate further damage.

Contact all Appropriate Regulatory Agencies
As evidenced in the MeridianLink breach, reporting breaches to regulatory agencies, which are becoming more stringent and punitive, is necessary. The SEC, Federal Trade Commission (FTC) and the U.S. Department of Health and Human Services (HHS) are making it very clear that they have little to no tolerance for organizations that try to hide a breach. While the U.S. does not have an overarching data privacy law, all 50 states have varying regulations that address breach notification.

Double Down on Encryption
Data has transitioned from a static entity in an on-premises database to a valuable, fluid asset that can live in multiple locations. As data usage grows more complex, proactive companies are making extra efforts to protect data via defense-in-depth strategies, which layer numerous security measures to create overlapping barriers. A mission-critical protection method is data encryption.

Encryption Renders Data Useless to Attackers
Solely securing a perimeter is no longer an option, especially in the age of rampant data breaches. Companies need to have a series of safeguards to lower the risk of an attack, but if an attack should happen, encryption serves as a proven line of defense to neutralize the damage. How effective is encryption? Cybercriminals themselves use it.
However, in the case of a data breach or accidental exposure, encryption will prevent data values from being exposed in cleartext. In doing so, this prevents any possibility of a hacker leaking this data because only those with access to encryption keys can see it.

BYOK Adds Further Protection
As an added layer of security, many cloud providers now offer users Bring Your Own Key (BYOK) services, which allow organizations to manage their encryption keys. Not even cloud database administrators can access these keys, so the chances of attackers gaining access to them are zero. When organizations include encryption with other security measures in defense-in-depth strategies, they significantly reduce the risk of falling victim to a data breach.
Data breaches are growing more prevalent and sophisticated, and companies must make every effort to minimize the impact of an attack. Attempting to mitigate the damage flat-footed — and even worse, responding without transparency — is a recipe for a financial and could bring a company’s ethics into question. Employing best-in-class preparation and defense tactics, like encryption, will position companies to show their customers and regulators that they take threats seriously and will do everything they can to protect them.