Making the most of your (next) data breach

Ian Livingston, former CEO of BT Group, memorably stated: “There are two types of CEO, those that know their systems are being hacked – and those that don’t.”

That was three years ago. While CEOs are undoubtedly more aware of the risks now, how many have employees who still play fast and loose with customers’ personal data? And how many senior managers have full control over their employees’ practices?

Although much may have been invested to protect digital estates, many senior executives are unsure what personal data they retain and where, how well protected it is, who has access to it and – in an age of collaborative commerce, lengthening supply chains, and ecosystem delivery – precisely who is accountable for what.

Some still rely on averages (“It won’t happen on my watch”) and apathy (“Everybody loses a little once in a while”) to get them through any choppy water, should incidents occur and reach the public domain. But if you rely on crisis communications as your main defense (“We are investigating an incident we can’t comment on now; meanwhile the launch of x has delivered stunning figures…”), then there may be trouble ahead.

With increasing transparency, tougher penalties, ongoing press interest, and the rise of socially-savvy, digitally-literate citizens and consumers, a casual approach to privacy has to change.

Even the best defenses will succumb to attack sometimes. This is as much due to simple human error as it is to the asymmetry of security. The defender needs to protect perfectly on all fronts, while the attacker needs to find just one crack in the armor.

Breaches are inevitable, and many customers understand that data loss happens regardless of how well-prepared a business is. How you act during and after a breach – and how you communicate with your members in the hours and days after discovery – is vital.

Yes, some members will immediately leave in disgust, no matter what you do. But the vast majority of customers are more likely to leave because they feel your organization does not act with integrity.

So how do you reduce the negative impact of any incident and make sure you “don’t waste a crisis,” should one occur?

Redirect executive angst to infrastructure attention…

If you run the department where the incident arose, you have to expect executives to focus on your operation and to be prepared to endure the heat of micro-management for a while post-breach. This energy should soon be galvanized to address underlying issues you have probably been aware of for a while, but which have been in the “vital but not urgent” budget category.

Know in advance what to ask for once the immediate crisis is over while decision-makers have intimate awareness of your part of their business. For example, perhaps now is the time to move to the cloud – but have you reviewed the pros and cons from each stakeholder’s perspective?

…and fresh opportunity

Investment shouldn’t stop at just fixing. Privacy confidence stems from the certainty that scrutiny brings.

While there should be due caution about not rushing into another faux pas, a crisis handled well, and an intimate understanding of what data you hold, should give you new opportunities to engage anew with members, so long as they feel charmed and not persecuted by your renewed familiarity with them.

Practice (don’t just document)

Most businesses have well-documented, if not often rehearsed or realistically simulated, emergency response plans. Practicing, not just writing down, your incident response plan builds organizational “muscle memory.” The best data breach is a staged one, one that reawakens people to the real-world impacts that could occur if we mishandle the personal information entrusted to us.

Institutionalizing the right habits is essential. Think how many people have read your fire policy and how many know what to do because the company has rehearsed a fire drill regularly. Then consider how much more likely a data breach is than a fire.

Nick Rhodes

Nick Rhodes specializes in benefit realization and privacy. He has been with BAE Systems Applied Intelligence for 19 years helping clients plan, prioritize and push through change. He works through the ... Web: www.baesystems.com