Chapter 4. Post-Breach Review

Learning from mistakes

If every cloud has a silver lining, then a data breach is the chance to put in place all the security checkpoints that should have stopped the leak in the first place.

A breach might be an expensive embarrassment but, with good post-crisis assessment and action, further (potentially worse) security problems can be minimised.

‘It is of fundamental importance that lessons are learned from these breaches,’ says Richard Thomas (UK Information Commissioner).

While the damage may already have been done, now is the best time to put in place systems to safeguard against the problem happening again, and also to formulate a plan for dealing with future crises, drawing on lessons learned.

According to the ICO, identifying and dealing with the breach is only the first step in managing the problem – it is also important to ‘evaluate the effectiveness of your response to it’.

If the breach was a result of systemic problems, then simply containing the breach and continuing business as usual is not acceptable, as the same failing will re-emerge.

It is also critical that any bottlenecks and procedural problems are sorted out now, so that the same mistakes are not repeated when the next incident occurs.

‘If your response was hampered by inadequate policies or a lack of a clear allocation of responsibility, then it is important to review and update these policies and lines of responsibility in the light of experience,’ the ICO says.

Red alert for IT

Depending on the nature of the breach, the review should include a top-level technical audit and assessment of the breached systems. The entire login and password system may need revamping, and an external security audit to confirm compliance with the relevant data protection and retention laws is essential.

Security experts say that software which forces staff to change passwords regularly, together with password strength-testing software, reduces the risk of repeat breaches, although it adds to technical support costs when staff forget their passwords. More recent guidance (NIST SP 800-63B) advises against forced periodic changes and instead recommends screening new passwords against lists of known-compromised values and requiring a change only when compromise is suspected.

Procedural policies on questions such as who can access and copy which files should also be revisited, to make sure the system does not make life too easy for would-be data thieves.

Amid the organisational and procedural changes being put into place, IT staff also need to be especially vigilant for repeat attacks.

Hackers might scent a weakness and come calling to see whether the company's defences are properly back up and running. More likely still, if the initial data loss was hacker-instigated, the perpetrators could have left a back door open to give themselves access to the network in future.

‘They may well install code to let themselves in later, and you might only be able to tell that with technology that monitors what’s happening on the network,’ says Graham Cluley, senior technology consultant at security company Sophos. ‘It could be that there’s code in there that security companies haven’t seen before, so software might not spot the exact code, but you can use behavioural technology to see whether any programs on the network are acting suspiciously. Maybe something has been changed that’s never supposed to change.’
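The detection Cluley describes, watching for something that is never supposed to change, is what a file-integrity baseline does. The following is an added example, not code from the chapter or from Sophos: it hashes a tree at a known-good moment, stores the baseline (round-tripped through JSON, as it would be when kept off the host), and reports what an intruder has added, removed or modified afterwards. The directory layout, file contents and the simulated back-door changes are all constructed for the demonstration.

```python
"""Minimal file-integrity baseline and comparison (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Relative path -> sha256 and permission bits for every regular file."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "mode": oct(p.stat().st_mode & 0o7777),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Three change classes. A new file in cron.d, a changed sshd_config or a
    replaced system binary are exactly the events worth alerting on."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in set(baseline) & set(current)
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed system tree, then simulated post-breach tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for sub in ("etc/ssh", "etc/cron.d", "usr/bin", "var/log"):
            (root / sub).mkdir(parents=True)
        (root / "etc/ssh/sshd_config").write_text("PermitRootLogin no\n")
        (root / "usr/bin/ls").write_bytes(b"\x7fELF stand-in for the real binary")
        (root / "var/log/auth.log").write_text(
            "Accepted publickey for alice from 10.0.0.7\n")

        # Baseline taken while the host is known-good; stored off the host so
        # an intruder cannot edit it. JSON round-trip shows the stored form.
        stored = json.dumps(build_baseline(root))

        # Simulated changes an intruder might leave behind (constructed).
        (root / "etc/ssh/sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc/cron.d/update").write_text("* * * * * root /tmp/.x\n")
        (root / "usr/bin/ls").write_bytes(b"\x7fELF trojaned replacement")
        (root / "var/log/auth.log").unlink()

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline must be captured before the breach, or from a clean rebuild, and kept somewhere the attacker cannot reach; a baseline taken from an already-compromised host simply enshrines the back door.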

With a new security policy and associated network tools in place, administrators could see a worrying number of incidents, but those alerts are evidence that loopholes are being closed and the new action plan is working.

‘The sign of a good security regime is that you have security incidents,’ says Dave Martin of Logica. ‘Absence of incidents shows security is poor. If you’re embarking on an improvement process, incidents will go up – I’m often confronted by managers who are worried by the fact that they’ve suddenly got incidents appearing all the time, when they haven’t in the past, but it’s just a sign that things are beginning to work. With no security you see no incidents, but that doesn’t mean they’re not there.’

Forming a data breach recovery plan

This advice may seem a little bizarre at this stage, but strong measures for prevention and crisis planning can only be put in place in advance. Therefore, in the wake of an attack, business leaders should be putting together a data breach continuity plan so that next time there is a problem, the company isn’t starting from scratch.

The plan should cover details such as those below.

  • Make sure you, or the data controllers, know exactly what personal data is held, and where.

  • Make a data map showing where sensitive data is stored, both physically and virtually.

  • Be clear about the standard operating procedure.

  • Prepare a generic holding statement for the media.

  • Define who takes the lead in assessing the damage, informing authorities and sending out notification to customers and businesses whose details have been lost.

  • Establish a group of technical and administrative staff to discuss ‘what-if’ scenarios to highlight risks and weaknesses in the policies.

  • Consider installing ‘remote kill’ functions on laptops that leave the office.

  • Undertake mock-incident testing to make sure employees are well trained to respond to a breach.

Planning privacy into the system

In the wake of the HMRC and other public data debacles, one of the key recommendations given by the UK ICO was that companies make more use of Privacy Impact Assessments (PIAs), which address the data security risks of projects and systems at the design stage.

According to the ICO, a PIA is a ‘consultative process which relies, not only on internal analysis of risks and liabilities from an information assurance perspective, but also on wider privacy concerns raised by stakeholders to whom information is disclosed or from whom it is received’.

The ICO sees greater use of PIAs as a means to ensure that more thought is put into using personal information at an early stage of projects, rather than data protection compliance being considered at the final stages before a project is launched.

The danger of the current ad hoc approach to security architecture is highlighted by the random storage scattered around the average organisation, which makes it impossible to keep track of data assets.

According to Verizon Business, 66% of all breaches involved data that the company did not even know was on its systems, so mapping data within an organisation is a necessary precaution. ‘In the modern organisation, data is everywhere and keeping track of it is an extremely complex challenge,’ says the Verizon report. ‘If you don’t know where data is, you certainly can’t protect it.’

Identify weak points in policy, such as where removable storage is used within the network.

Enforce policy

A frustrating element of many breaches is that the security policies in place should have prevented them, but the policy was not being followed by either staff or management.

According to Verizon, in 59% of data breaches, the organisation had security policies and procedures established for the system, but these measures were never implemented.

Software vendors say their tools can ensure that policies are enforced through software controls that staff should not be able to circumvent.

‘Use network access control software to make sure every access is necessary and not a security threat,’ says Cluley, adding that the software needs to be monitored if it is to have any value. Verizon found that evidence of the events leading up to 82% of data breaches was available to the organisation before the actual compromise, but went unnoticed.
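The ‘evidence available but unnoticed’ finding usually means the logs were there and nobody was reading them. The following is an added example, not code from the chapter or from any vendor: a small sliding-window rule run over a handful of constructed sshd log lines, raising one alert when a source address passes a failure threshold and another if that address then logs in successfully. The host name, addresses, user names and the assumed year (syslog lines carry none) are all constructed for the demonstration.

```python
"""Brute-force and success-after-failures detection over sshd log lines
(added example; sample log is constructed)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: one external address guessing accounts, one legitimate
# user who mistypes once, and an unrelated cron line the rule must ignore.
SAMPLE_LOG = """\
Mar  3 09:12:01 fileserver sshd[4021]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar  3 09:12:04 fileserver sshd[4023]: Failed password for invalid user oracle from 203.0.113.45 port 51124 ssh2
Mar  3 09:12:09 fileserver sshd[4025]: Failed password for root from 203.0.113.45 port 51126 ssh2
Mar  3 09:12:15 fileserver sshd[4027]: Failed password for root from 203.0.113.45 port 51128 ssh2
Mar  3 09:12:20 fileserver sshd[4029]: Failed password for backup from 203.0.113.45 port 51130 ssh2
Mar  3 09:12:21 fileserver sshd[4031]: Failed password for alice from 10.0.0.7 port 40112 ssh2
Mar  3 09:12:26 fileserver sshd[4033]: Failed password for backup from 203.0.113.45 port 51132 ssh2
Mar  3 09:12:30 fileserver sshd[4035]: Accepted password for alice from 10.0.0.7 port 40112 ssh2
Mar  3 09:12:33 fileserver sshd[4037]: Accepted password for backup from 203.0.113.45 port 51134 ssh2
Mar  3 09:13:02 fileserver CRON[4040]: pam_unix(cron:session): session opened for user root by (uid=0)
"""


def parse(lines, year=2009):
    """Yield login events; lines from other daemons are skipped."""
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse syslog's padded day
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=5, window=timedelta(minutes=2)):
    """Alert once per source when failures within `window` reach `threshold`,
    and again if that source then authenticates successfully."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    alerted = set()
    alerts = []
    for ev in parse(lines):
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in alerted:
                alerted.add(ev["ip"])
                alerts.append({"rule": "brute-force", "ip": ev["ip"],
                               "failures": len(q), "at": ev["ts"].isoformat()})
        elif len(q) >= threshold:
            # A success after a burst of failures is the event that matters:
            # the guessing may have worked.
            alerts.append({"rule": "success-after-failures", "ip": ev["ip"],
                           "user": ev["user"], "failures": len(q),
                           "at": ev["ts"].isoformat()})
    return alerts


def demo():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in demo():
        print(a)
```

Alice's single mistyped password stays below the threshold and produces nothing; the value of the rule is that the second alert, the successful login from a source that has just been guessing, is exactly the evidence that sits unread in the log until someone looks.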

Data leakage prevention (DLP) and encryption software can also be used to lock down elements of the system, disable USB ports, or impose digital rights management that governs which files specific employees can copy. DLP software is designed to inspect content throughout the enterprise, particularly at the perimeter, and to enforce policies that keep private details within the organisation.

‘Lost laptops are the most frequent cause – encrypting the data on the laptop mitigates that risk – and costs only tens of pounds per laptop,’ says Guy Bunker, chief scientist at security firm Symantec. ‘It can also be used to encrypt removable media like USB sticks. Getting more sophisticated, software can examine the information in an e-mail. It is then possible to make a decision as to whether it should be sent or not.’

‘Data Loss Prevention software watches for breaches in policy and then prevents them from becoming a problem. This needs to be done for e-mail, instant messaging, Web-based access and “data-in-motion” – as well as finding and protecting “data-at-rest” on file servers, laptops and desktops.’
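The two halves Bunker describes, inspecting an outgoing e-mail (‘data-in-motion’) and finding the same data on file servers (‘data-at-rest’), share one set of content detectors, and the at-rest half is also how the data map called for in the recovery plan above gets built. The following is an added example, not code from the chapter or from Symantec's product: a card-number detector with a Luhn check to reject order numbers that merely look like card numbers, a simplified UK National Insurance number pattern, a block/allow policy, and a directory scan. The message, file share contents, identifiers and policy thresholds are all constructed for the demonstration.

```python
"""Content inspection for data-in-motion and discovery for data-at-rest
(added example; all sample data is constructed)."""
import re
import tempfile
from collections import Counter
from pathlib import Path

# 16 digits, optionally separated by spaces or dashes: a card-number candidate.
PAN_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
# Simplified UK National Insurance number shape: two letters, six digits, A-D.
NINO_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops order/reference numbers that look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Return (kind, masked_value) findings; the raw identifier never leaves."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("pan", "*" * 12 + digits[-4:]))
    for m in NINO_RE.finditer(text):
        findings.append(("nino", m.group()[:2] + "******" + m.group()[-1]))
    return findings


def decide(findings: list) -> str:
    """Constructed policy: any card number blocks; three or more NI numbers
    is treated as a bulk disclosure and blocks; anything else is allowed."""
    kinds = Counter(kind for kind, _ in findings)
    return "block" if kinds["pan"] > 0 or kinds["nino"] >= 3 else "allow"


def scan_tree(root: Path) -> dict:
    """Data-at-rest discovery: relative path -> count of findings per kind."""
    results = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            counts = Counter(kind for kind, _ in scan_text(p.read_text(errors="ignore")))
            if counts:
                results[p.relative_to(root).as_posix()] = dict(counts)
    return results


# Constructed outbound message: the order number fails Luhn, the card passes.
OUTBOUND_EMAIL = """\
From: sales@example.test
To: partner@example.org
Subject: Refund for order 1234 5678 9012 3456

Hi, please refund the customer to card 4111 1111 1111 1111 (exp 09/11).
Thanks
"""


def demo() -> dict:
    email_findings = scan_text(OUTBOUND_EMAIL)
    with tempfile.TemporaryDirectory() as d:   # constructed file share
        share = Path(d)
        (share / "hr").mkdir()
        (share / "finance").mkdir()
        (share / "hr" / "starters.csv").write_text(
            "name,nino\nA Smith,AB123456C\nB Jones,CD987654B\nC Khan,EF112233A\n")
        (share / "finance" / "refund.txt").write_text(OUTBOUND_EMAIL)
        (share / "README.txt").write_text("Shared drive for the finance team.\n")
        at_rest = scan_tree(share)
    return {"email": {"findings": email_findings,
                      "decision": decide(email_findings)},
            "at_rest": at_rest}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Two design points matter in practice: findings are masked before they are logged, because a DLP alert that quotes the full card number is itself a leak; and the Luhn filter is what keeps the false-positive rate low enough for staff to tolerate blocking rather than switch the control off.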

Implementing policies such as these may be part of settlement deals with regulators. For example, in 2008 Virgin Media was ordered to encrypt data on all portable media after it lost details of 3,000 potential customers.

Nevada law NRS 597.970 is the first US state legislation to mandate a particular security measure – encryption – rather than referring to ‘reasonable security procedures and practices’ to protect data, and others are expected to follow.

If the tools are available, regulators will increasingly expect companies to use them to protect data.
