Five Takeaways from Grant Thornton’s Cyber Security Panel
March 27, 2015
For those who couldn’t make it, here are 5 top takeaways:
1. Do You Have a Plan?
The panelists were unanimous in what they first ask an organization that wants to protect itself from, or effectively manage, a data breach: “Do you have a plan?” Despite the rise in the number of breaches, 27 percent of companies still don’t have a plan or team in place.
Doug insisted the priority is getting the right team in place and giving them the flexibility they need to work best. Buy-in from the CEO or Board of Directors is also crucial.
Ashley reiterated that testing that plan is vital, and that members of a crisis team shouldn’t be meeting for the first time during an incident. She added that a smart way to rehearse is to run simulated “tabletop” exercises, which can be crucial to exposing weaknesses in the chain of crisis command.
Having redundancies on the team, as well as consistent execution of the plan, is crucial to making sure it works.
2. Outside Counsel should lead the data breach investigation, not the in-house Information Systems or Information Technology leader(s).
When a data breach is discovered, the heat is on the I.T. and/or I.S. department(s). Without buy-in beforehand, they may be apt to go off and conduct their own investigation. That merely underscores why everyone in the organization must be on the same page before a crisis or breach hits.
Having outside counsel lead the investigation allows them to scrutinize and approve all communications as well as any technical remediation in the wake of a suspected breach. Finally, having the attorney in charge provides greater protection from what information may or may not be admissible in a potential lawsuit.
3. Stay on Message
Everyone from the front desk person up to the C-suite must be armed with the same talking points so that internal and external audiences such as employees, customers, strategic partners, the media and the public aren’t receiving mixed messages.
Self-proclaimed “reformed Attorney” Johnny Lee reiterated the importance of legal counsel blessing communications drafted anywhere in the continuum of a data breach.
4. Tackling the Culture of Blame
It was clear from audience questions that there is a culture of blame in many organizations where the C-suite wants the I.S. or I.T. leader’s head if a data breach occurs. This contrasts sharply with work settings where the C-suite rallies around their digital leaders in a time of crisis.
The panel suggested a couple of ways to shift this culture of blame:
5. Don’t always believe what you hear
Doug Meal told the story of sitting in a boardroom, listening to an executive describe what occurred in a recent, notorious data breach. The presenter wrapped up by telling his board that would never happen to this organization. But Doug knew, from having worked personally on the breach in question, that that wasn’t, in fact, what had happened at all.
As a result, he warned those in the audience not always to believe what they read in the media about data breaches, because it may actually give readers a false sense of security.
The fact is, the vast majority of data breaches are not self-detected. And malware lives an average of six months in a host system without being noticed. So, while there might be no shame in being the victim of a cyber-attack, there is no excuse for not being prepared.