Picture the scene: you’re the CIO of a major Southeast Asian financial institution. You arrive at work on a Monday morning and the first thing you do is take a call from your CISO.
“We’ve been breached,” they tell you. “What do we do?”
On average, data breaches in Southeast Asia cost 156 SGD ($113) per compromised record, with organisational costs totalling around 3.18 million SGD ($2,310,715).
A number of factors can raise or lower these costs – industry, third-party involvement, whether stolen credentials were the way in – but time and again, early identification and containment has proven to be the key to keeping the financial impact to a minimum.
Unfortunately, it routinely takes companies operating in the ASEAN region around 184 days to detect that an incident has occurred, and a further 65 days on average to contain it, escalating costs and significantly damaging the organisation’s reputation with its customers.
Sitting in your office, you hang up the phone. What are you going to do?
Below is a short list of the key steps a CIO should take when responding to a data breach, and some they definitely shouldn’t.
Step 1: Organise
When you discover your organisation has been breached, there’s a ‘golden hour’ in which you need to act.
The first thing to do is assemble your incident response team. It is often led by the CIO, because of their links to top-level management and their overall responsibility for IT strategy.
Among board-level executives there is a common misconception that cybersecurity is exclusively an IT problem.
It is not, and your response team needs representatives from all areas of the business, not forgetting legal advisers and people to manage both customer and media communications.
Step 2: Contain
What caused the breach? How did the criminals gain access?
Have credentials been stolen, or is this the result of a third-party vulnerability? What have the attackers taken?
Unless you know how the attackers got in, you can’t contain the breach, and if you can’t contain it, you can’t limit the financial cost and reputational damage to your organisation.
When WannaCry hit UK hospitals in May 2017, so many computers were infected because they hadn’t been patched: Microsoft had released the MS17-010 update for the SMBv1 flaw exploited by EternalBlue two months earlier.
Deploying patches, resetting passwords and disconnecting any infected machines from the corporate network are all immediate steps you can take to stop the damage from escalating. Where you can, isolate compromised machines rather than powering them off, so that volatile evidence (running processes, network connections, memory) is still there for the investigation.
Longer-term containment measures, such as recalling and deleting exposed information, should be kick-started at this point too.
Step 3: Evaluate
It’s important to work out exactly what was stolen in the breach and who will be most affected as a result.
In the majority of high-profile cases, cyber criminals make off with customers’ personal information: anything from medical data to credit card numbers and contact details.
Sometimes the attackers use this information themselves; more often, the stolen data makes its way onto the dark web to be sold to the highest bidder.
It’s also important to think about how the stolen data could be used against the victims of the breach.
The Equifax breach was so shocking not only because it affected 146.6 million people, but because the stolen data included social security numbers, passport and driving licence details and taxpayer IDs, leaving people at risk of identity theft.
Step 4: Notify
Pre-GDPR, more than half of CEOs had reportedly not been told about the worst breach suffered by their company.
In today’s age of compliance, notifying the right people that you have suffered a data breach is vital.
Although Singapore is in talks to introduce a mandatory data breach notification regime in the next few years, there is currently no general obligation for companies in Southeast Asia to report a breach.
However, if the stolen data relates to individuals in the European Union, GDPR can apply even to a company based outside the EU: you have 72 hours from becoming aware of the breach to notify the relevant supervisory authority (the Information Commissioner’s Office in the UK) where the breach is likely to put individuals at risk, and you must tell the affected individuals themselves without undue delay where that risk is high.
You should also inform any customers who have been affected by the breach. A data breach is always going to hurt a company’s reputation, but if you are transparent with your customers and give them the information they need at the earliest possible date, it may win you some serious plus points in the future.
Furthermore, if it looks like your breach had a specific target, like the Prime Minister of Singapore, whose medical data was stolen last month, you need to inform that individual immediately.
Finally, if any third parties have been involved in the breach, inform them as well.
They might not yet know they’ve been affected and will also need to put their own response plan into action to limit the damage.
Step 5: Futureproof
Your assembled team has contained the breach and limited any further damage to your company; the relevant parties have been informed and your communications team is putting out a statement to deal with the reputational fallout.
In the coming days and weeks, go back over your security strategy and look at what went wrong and what you need to do differently in future, especially if this is not the first time your company has suffered such a breach.
If you don’t already have a CISO in your C-suite, hire one.
Additionally, ensure all your employees have had sufficient security training and are aware of, and comply with, your company-wide security strategy.
Finally, once you have a new strategy in place, bring in an external penetration testing company to evaluate just how effective your new security approach actually is.
It’s far better for any remaining vulnerabilities to be found by white hats than for you to discover them when you suffer another preventable data breach.
What shouldn’t you do?
Responding to a data breach is always going to be stressful. However, there are a few things to avoid once you’ve realised there’s been a breach that will take some of the headache out of the process.
The most common hurdle organisations fall at is ‘notify’. Disclose a breach too soon and you might not yet have the information to give your customers the answers they’re looking for.
Leave it too long and you look like you’re staging a cover-up, and you will almost certainly lose the respect and trust of your customers.
It’s also important not to improvise your response.
If you don’t stick to your plan, important steps may get missed and you could end up making the situation worse.
If you don’t have a plan in place, try not to panic: off-the-cuff decisions are rarely helpful. Never be too proud to ask for help if you need it.
Equifax pretty much wrote the ‘what not to do’ playbook back in 2017.
From the very start it was a shambles, with executives accused of selling shares before the breach was made public.
There was no clear message for those affected, customer support staff weren’t given enough information to help the people who called in, and there appeared to be a communications blackout from the company.
As a result, the disorder was easy to exploit: a lookalike website appeared to catch concerned customers searching for answers, and Equifax’s own support account directed people to it more than once.
Disclosing a data breach is never going to be easy, and as today’s threat landscape continues to evolve it is likely to be a case of ‘when’ rather than ‘if’ you experience an attack.
However, with a strong team, a strategic plan of action and an understanding of the steps you need to take, your CIO is best placed to respond to a data breach and to help create the policies that prevent the next one.