The chief security officer apologizes for waking you but she is clearly agitated. She has just been woken herself by the security consultants you called in to carry out a data audit. The team pulled a late shift last night and discovered some anomalies in the main customer database. The CSO is doing a poor job of covering her panic as she stumbles out with: “It might be nothing”. But you both know that you wouldn’t be having this conversation now if that’s what she really felt.

Despite the security breach at HM Revenue and Customs (HMRC) in November last year, it seems that many companies are still failing to heed the lessons learned from the incident. The Information Commissioner’s Office (ICO) has been notified of almost 100 data breaches by public, private and third sector organisations since HMRC. “Data is the lifeblood of many organizations but it is not often looked after very well,” says CIO Peter Birley of law firm Browne Jacobsen on his personal CIO Blog. Recent high-profile breaches include the loss of the personal details of around 5000 prison officers in September this year and allegations of a significant data loss at US hotel chain Best Western.

While the organization itself claims it only affected a handful of customers, what ever the real number, Best Western has suffered damage to its brand as a result. And this is damage that other firms could well face if they don’t take the necessary preventative steps to secure data and react in the right way if the event of a breach.

Firstly, don’t panic. “People immediately start to think the world is about to end – all kinds of scenarios are played out in people’s minds. These thoughts are crippling and will get worse the longer they fester, so ditch them and get on with the job. The reality is a professional and energetic approach will do more to protect you than hiding in a corner,” says Peter Chada, director of the Technology Advisory Service for financial services specialist BDO Stoy Hayward.

In the first hour after a security breach it is vital to make an assessment of the damage the data could cause, experts say. For example, that means thinking about who would be interested in that data and what effect it might have on not just the individuals concerned but also other effects. For example, in the recent incident at the Prison Service, the safety of prison officers’ families who may have been targeted if the data fell into the hands of criminals.