Many organizations consider themselves prepared for a data breach when and if their Chief Information Security Officer (CISO) feels they’re ready to handle a cyberattack. These organizations are wrong.
Sure, a CISO doesn’t make decisions in a vacuum; other C-level executives, such as the Chief Technology Officer and Chief Information Officer, are instrumental. But preparing your company for a breach - both by preventing data loss and by being ready to respond to an actual event - requires the efforts of the entire executive team.
The reason? Breaches don't just put data at risk; they have contractual implications that can directly affect the bottom line. That means the Chief Legal Officer (CLO), Chief Financial Officer (CFO) and virtually every other member of the executive team has a role to play in decreasing that likelihood and mitigating the impact.
The following outlines three steps the C-suite and other executive team members should take to prevent and survive a data breach. But first, it’s imperative that all involved heed this initial piece of advice when planning cybersecurity: treat breaches not as a possibility, but as something that is going to happen.
Listen and lead
Where most data breach planning fails is in execution. Often, the advice of experts - including a company's own CISO - isn't supported by the larger executive team. In fact, sometimes the C-suite can actually undermine strategy.
For example, the best way to avoid a breach is to employ the principle of least privilege - that means limiting access to sensitive data only to those who need it to do their jobs. It’s common sense; the fewer people with that kind of access, the less likely it is that someone would accidentally or maliciously breach your data's security.
While, in theory, a CEO or company President should have access to "everything," few really need unfettered access to secure servers or databases. Only the technical and security personnel who actually work with sensitive data need it. So, an executive team can help uphold the principle of least privilege by leading through example and forgoing such unnecessary access.
Similarly, social engineering attacks focus on compromising individuals rather than software; people are easier to fool and mistakes happen. The executive suite can tamp down on social engineering vulnerabilities by budgeting for, and truly getting behind, security training for all employees. And again, every member of the team should lead by example and take the courses, too.
Ready and able
A smart C-suite has plans in place to respond to a data breach before it happens. If you’re scrambling during a crisis to determine next steps and policies, the delays can cost you in a number of ways, whether it’s by allowing bad actors more time to inflict damage or delaying reparative action on your end.
Financial and legal teams should be similarly prepared. Customer and partner agreements likely include clauses that stipulate whether, and how soon, they must be notified in the event of a breach. A list of those deadlines, ranked by notification period, penalties for non-compliance and termination rights, should be ready for use so technical staff can prioritize which accounts to handle first. Further, customer service teams should have a communications plan in place and prioritize outreach accordingly.
Equally important, your finance team should have a clear model of the compensation owed to customers and partners in the event of a breach. With that in place, the full fiscal impact can be gauged quickly and any payouts or service credits can be issued in a timely, contractually mandated fashion.
All this work should be done before a data breach happens, so customers will be more likely to stick around after.
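The ranked deadline list and the compensation model described above, as an added example that is not part of the original article: it takes breach-relevant terms already extracted from each agreement (the parties, notification windows, penalties and caps are constructed sample values), orders the notification queue by deadline and then by what missing that deadline would cost, flags parties whose window has already lapsed, and puts an upper bound on the payout.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Agreement:
    """Breach-relevant terms pulled from one customer or partner contract."""
    party: str
    notify_within_hours: int   # contractual notification window after discovery
    termination_right: bool    # counterparty may terminate if we notify late
    penalty_per_day: float     # penalty for each day notification is late
    compensation_cap: float    # agreed maximum payout or service credit


# Constructed sample portfolio (hypothetical parties and terms).
SAMPLE_AGREEMENTS = [
    Agreement("Globex", 72, False, 1000.0, 20000.0),
    Agreement("Acme Retail", 24, True, 5000.0, 50000.0),
    Agreement("Umbrella Health", 48, True, 8000.0, 100000.0),
    Agreement("Initech", 24, False, 2000.0, 10000.0),
]
DISCOVERED_AT = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed


def notification_queue(agreements, discovered_at):
    """Order parties by deadline, then by what a missed deadline would cost:
    termination rights first, then daily penalty, then compensation cap."""
    ranked = sorted(
        agreements,
        key=lambda a: (a.notify_within_hours, not a.termination_right,
                       -a.penalty_per_day, -a.compensation_cap),
    )
    return [(a.party, discovered_at + timedelta(hours=a.notify_within_hours))
            for a in ranked]


def overdue_parties(agreements, discovered_at, now):
    """Parties whose contractual notification deadline has already passed."""
    return sorted(a.party for a in agreements
                  if now > discovered_at + timedelta(hours=a.notify_within_hours))


def worst_case_exposure(agreements, days_late=0):
    """Upper bound on payouts: every cap paid out plus any late penalties."""
    return sum(a.compensation_cap + a.penalty_per_day * days_late
               for a in agreements)


if __name__ == "__main__":
    for party, deadline in notification_queue(SAMPLE_AGREEMENTS, DISCOVERED_AT):
        print(f"{deadline:%Y-%m-%d %H:%M} UTC  notify {party}")
    print("worst-case exposure:", worst_case_exposure(SAMPLE_AGREEMENTS, days_late=1))
```

Feeding the same functions the current time during an incident gives the finance and customer service teams the overdue list and the exposure figure without anyone re-reading contracts under pressure.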
You can mitigate risk by writing contracts with future data breaches in mind. Technology and legal teams should work together to update agreements and ensure each of the following clauses is addressed:
- Governing law: Standards like the EU's General Data Protection Regulation (GDPR) may set privacy expectations of customers and partners, but you should still stipulate the governing law and the jurisdiction that would rule on contractual obligations.
- Data access: The "data conduct" of partners and service providers can impact liability, too. Spell out who has access to what and materials that must be returned, purged or maintained if the relationship ends. This prevents data from "lying around" and presenting a risk after it is no longer of use.
- Reasonable notification: While every stakeholder wants immediate notification following a breach, every CISO knows it takes time to assess the scope. Explicitly spell out the process in the form of an Incident Response Plan so that there’s a playbook to reference during the event, limiting chaos and keeping thinking clear. Review the Incident Response Plan with the employees who would be responsible for carrying it out. Firefighters rehearse gearing up and leaving the station before a fire happens; this follows the same reasoning.
- Reasonable compensation: Many customers and partners will insist on some form of compensation in the event of a data breach. Setting maximums in advance can limit the financial damage and eliminate having to negotiate after the fact.
- Limit legal grounds: Breaches are common, so they are not always reasonable grounds for compensation or termination of an agreement. Establish a minimum scope for liability. A hacker breaching a firewall and crashing a marketing website should not result in payouts to all customers.
While security software can prevent a data breach and track its scope, contract automation can assess and minimize the exposure that agreements pose. Priority lists for IT, customer service and finance teams are also easier to create and update if you have a contract analysis approach that can identify relevant agreements and applicable clauses in real time. Contracts that minimize liability are also easier to create, update and execute with tools that show deficiencies and vulnerabilities and track which agreements should be revisited.
Further, the latest technologies include artificial intelligence, which enables entire contract repositories to be parsed, analyzed and categorized at the speed and scale of software. This helps size up risks and prioritize response, while offering tools to update a contract portfolio so that future financial impact is minimized.
If you're going to invest in executive time to plan your incident response to a data breach, consider the combined power of the legal resources teaming up with infosec executives to handle the contractual elements of data loss and data exposure. It does take the full executive suite to ensure success – but the right approach can help bring every strategy together for better results.