Today’s guest post is from Torey Guingrich, a Project Manager at Source One Management Services, LLC who specializes in helping global companies drive greater value from their IT and Telecommunications investments.
In our last post, we indicated that no industry or company can escape the potential of a data breach, including yours. Given that large retailers, health insurance companies, financial services firms, and the U.S. federal government have had to deal with reporting and responding to large-scale data breaches in the last few years, it’s becoming more and more of a certainty that if your organization is of a significant size and has a fair amount of valuable (or secret) data, at some point it will be desirable enough for a third party to try and obtain it illegally through a hack or systems breach. And bolstering prevention alone might not be enough, any weakness at all in any system used by your organization, or a supplier, could be enough to let a black-hat in. Thus, the best preparation, and prevention, is often that which assumes a breach will occur and has plans, and relationships (as per our last post), to identify, patch, and deal with the breach as fast as possible. A quick response can be the difference between a breach that is only able to capture a few dozen credit card numbers at one point of sale and a breach that continues to infiltrate the system until thousands of credit card numbers across dozens of points of sale are compromised.
In order to insure a quick identification and response to a data breach, along with choosing partners to work with for a breach, the key to quick action is to have the internal processes and systems in place to respond accordingly. As part of preparation, companies are beginning to define data breach response teams to develop response plans and define clear roles for the key departments that would need to spring into action. Typical roles/areas that companies would need to include are:
Companies look to their IT departments to immediately identify and rectify the point of entry for any breach. IT will need to work with forensic IT partners to get as much information as possible in terms of scope and scale of the breach, as well as ensure systems are up and running to keep regular operations functional.
The Communications team needs to take a lead role in responding to a breach and developing key materials (e.g. for the call centre scripts, press releases) within a data breach response plan. Appoint a role or individual as the spokesperson for the company and ensure that all employees, and even BOD members, know to reference back to this person when contacted regarding a breach.
The call centres are one of the first areas that are overloaded when a breach occurs. Work with Communications to prepare scripts and materials to provide to the call centre (both in-house and outsourced) to ensure a consistent message and avoid unwanted confusion. Your Operations team also needs to ensure that internal operations are adjusted as necessary and continue to run given that a breach has occurred.
Your Legal department (and likely outside counsel) will need to look at the compliance and regulatory implications of a breach. Depending on what industry your company is in, data breaches can carry hefty fines. To report a breach accurately, key individuals will need to work with IT to understand scope and scale and report to the necessary governing bodies. As this landscape evolves, ensure that the Legal department is aware of any new regulation that your industry may become subject to, e.g., proposed cybersecurity regulations for banks and insurers. The Legal team will likely need to engage with law enforcement, either local or federal, and manage the company’s duties along with direction received from law enforcement.
A supplier may in fact be the point of entry for a breach in your system, as has been the case with many of the breaches in recent years. It is important to understand that your customers will still be looking to your company to respond and correct that breach. Because you will need to work with your suppliers to correct and adjust operations as necessary, Procurement should consider including language in contracts or RFXs that obligates suppliers to comply with your response plan in the event of a breach.
Within each of these groups, it is vital to have individuals within the response team that can make decisions. Typical delegation and “chain of command” decision making will only delay the process and response that your company is able to provide. Executives and team members also need to understand that they may need to make decisions with incomplete information; this can be difficult for organizations who are accustomed to making decisions only when all variables are identified. Due to the scrutiny and reputational risk at stake, it should be made clear to customers that decisions are being made given the information available at the time.
Procurement will need to support supplier selection, contracting, engagement, and performance management of all necessary outsourced response services. Procurement will be managing different priorities and requirements from various stakeholders involved in a breach, i.e. all of the departments above, and will be expected to act as a cornerstone in ensuring that different requirements are met and balanced when and where they need to be.
As indicated at the start of this post, in today’s atmosphere, the possibility of a breach cannot be ignored and relying too heavily on breach prevention without a focus on response preparation can be a costly mistake. To avoid this, make sure your organization has a validated response plan and key materials primed in advance of a breach to be able to promptly respond to customers and return to normal operations as quickly as possible. Given the department’s experience in supporting process improvement and collaboration, Procurement is in a unique position to champion a proactive approach to response planning by bringing together stakeholders and identifying strategic partners that can enable the entire organization to respond to the dreaded data breach.