Think You Can Avoid A Catastrophic Data Breach?

Melissa Stevens | November 5, 2015

A sad truth about vendor risk management is that data breaches can—and will—happen to far too many companies. They are an unfortunate side effect of the digital world we live in today. But catastrophic data breaches are another story entirely. Yes, they do happen—and they happen more often than one might hope.

Hear me out: it is nearly impossible to prevent a data breach from happening. But can you reduce your risk? In many cases, you can.

The first and obvious step to remedying this problem is to define what a catastrophic data breach looks like. This might include:

  • A loss of sensitive trade secrets or intellectual property.
  • A loss of sensitive customer data or information.
  • A loss of personally identifiable information (PII) or health care records.
  • An operational disruption that would prevent an organization from using its own IT infrastructure or services for a period of time.

It’s important to note that these events do not have to take place inside the walls of your organization to be considered catastrophic. If any of your vendors that have access to critical data or information are breached, the results could be just as disastrous.

Now that we’ve defined what a catastrophic data breach looks like, it’s time to examine the steps you should take to reduce the likelihood that such an event may occur. While this is a very complex topic, there are three high-level elements you should put into place.

1. Establish the right organizational structure.

If you want a successful cyber risk management program, you need the right cross-organizational teams in place to pay attention to the issues and manage your organizational risk. Cross-organizational teams typically draw on a number of functions and positions, such as legal, HR, business units, procurement, and IT security. They work together to identify catastrophic cyber risks and execute a plan across their own individual areas of responsibility. For example, a legal team needs to stay current on emerging laws and requirements that the organization is legally required to meet.

Cross-organizational teams are also able to determine which classes of data are critical and whose compromise would amount to a catastrophe. For example, IT may think that only PII and health care records fall into that category, but if every trade secret were compromised, a large group of people would likely consider that a catastrophe. Cross-organizational teams can nail down those requirements so every team has a clear understanding of what is critical.

2. Build policies and strategies to address risk.

Upper management needs to understand the importance of handling cybersecurity strategically by creating policies for both third parties and employees.

One important strategy is the establishment of a company culture that takes cybersecurity very seriously. In a company with such a strategy, every employee would understand that cybersecurity is a major priority—not just for the IT security team, but for everyone. In order to establish this culture of security, every employee should be trained and understand that they shouldn’t be downloading random files, clicking suspicious links, visiting insecure websites, or opening emails from senders they aren’t familiar with.

Legal, HR, and IT should work together to establish policies like acceptable use standards—helping employees understand what they can and cannot do using company equipment. You may want to test employees to see how they respond if they’re sent an email from an outside source with a clickable link. If employees choose to open the email or click the link, the information can be recorded. But it’s not enough to simply note that a handful of employees go against company policy and click the link. Ideally, HR should have a performance metric around this, and employees should be held accountable for these actions as part of their employee review. Such strict policies will help establish a culture of security and in the long run may be the difference between a minor and a severe data breach.

3. Implement the right security technology.

The technologies you have in place should be configured to reduce or, where possible, eliminate the incidents you have defined as catastrophic. Companies need to take every precaution necessary to reduce the risk of an attacker gaining remote access, and should be equally aware of a potential insider threat.

As we mentioned above, it’s important that every member of your organization monitors themselves and makes decisions that will help and not harm the company. But it’s not enough to monitor only your own organization. Take last month's Experian breach, for example. Experian was storing T-Mobile data and was breached, resulting in the compromise of personally identifiable information for more than 15 million T-Mobile customers. Naturally, T-Mobile is “incredibly angry”—it hired a third party (Experian) to do a job, that third party fell through, and T-Mobile customers are paying the price.

We have no way of knowing whether T-Mobile had a comprehensive third-party risk management solution in place, but this is certainly a good time to mention how important such a plan is for your organization. This kind of plan should include:

  • A security framework questionnaire.
  • An on-site assessment, featuring a penetration or security test.
  • A thorough review of security documentation.
  • Continuous monitoring to verify that a third party’s security posture matches what they’ve described and to alert you to new risks and vulnerabilities in their network.

In Conclusion

Remember this: It is absolutely critical to understand what a catastrophic event looks like and work backward from there. You’ll then be able to identify the most important data, triage the most critical vendors, train your staff and employees to respond correctly, and more. At the end of the day, you may not be able to completely avoid all data breaches—but you may be able to reduce the risk of facing a cataclysmic cybersecurity issue.
