There were plenty of lessons to be learned and best practices to take away from the dynamic panel discussion on cyber security held at the Westin Waltham on March 26. Grant Thornton’s New England Office hosted the breakfast event, titled: “How to Prevent, Detect and Deal with Cyber Security Breaches.” Grant Thornton’s Kevin Morgan (Principal, Advisory Services) acted as moderator and Johnny Lee (Managing Director, Forensic and Valuation Services) was one of the three panelists. Joining Grant Thornton on stage were panelists Doug Meal (Partner, Ropes and Gray) and Ashley McCown (Solomon McCown President and Crisis Communications Expert).


For those who couldn’t make it, here are 5 top takeaways:

1. Practice makes perfect


The panelists were unanimous in what they first ask an organization that wants to protect itself from or effectively manage a data breach: “Do you have a plan?” Despite the rise in the number of breaches, 27 percent of companies still don’t have a plan or team in place.


Doug insisted the priority is getting the right team in place and giving them the flexibility they need to work best. Buy-in from the CEO or Board of Directors is also crucial. 


Ashley reiterated that testing that plan is vital, and that members of a crisis team shouldn’t be meeting for the first time during an incident. She added that a smart way to rehearse is to run simulated “table top” exercises, which can be crucial to exposing weaknesses in the chain of crisis command.


Having redundancies on the team as well as consistent execution of the plan are all crucial to make sure it works.


2. Outside Counsel should lead the data breach investigation, not the in-house Information Systems or Information Technology leader(s).


When a data breach is discovered, the heat is on the I.T. and or I.S. department(s). Without buy-in beforehand, they may be apt to go off and conduct their own investigation. That merely underscores why everyone in the organization must be on the same page before a crisis or breach hits.


Having outside counsel lead the investigation allows them to scrutinize and approve all communications as well as any technical remediation in the wake of a suspected breach. Finally, having the attorney in charge provides greater protection from what information may or may not be admissible in a potential lawsuit.



3. Stay on Message


Everyone from the front desk person up to the C-suite must be armed with the same talking points so that internal and external audiences such as employees, customers, strategic partners, the media and the public aren’t receiving mixed messages.

Self-proclaimed “reformed Attorney” Johnny Lee reiterated the importance of legal counsel blessing communications drafted anywhere in the continuum of a data breach.


4. Tackling the Culture of Blame


It was clear from audience questions that there is a culture of blame in many organizations where the C-suite wants the I.S. or I.T. leader’s head if a data breach occurs. This contrasts sharply with work settings where the C-suite rallies around their digital leaders in a time of crisis.


The panel suggested a couple of ways to shift this culture of blame:


  • Hire outside experts who have no problem delivering the truth (the facts) to a boss who may need to hear it from another source.
  • For those in-house naysayers only interested in the bottom line: Explain how insurance coverage rates can drop with top-notch cyber security detection and response systems, a crisis plan and training in place. This doesn’t factor in the millions of dollars that could be spent settling lawsuits that might not have been filed with a prober cyber security plan in place.


5. Don’t always believe what you hear


Doug Meal told the story of sitting in a boardroom, listening to an executive describe what occurred in a recent, notorious data breach. The presenter wrapped up by telling his board that would never happen to this organization. Only Doug knew from working personally on the breach in question that that wasn’t, in fact, what had happened at all.


As a result, he warned those in the audience to not always believe what they read in the media about data breaches because it may actually give readers a false sense of security.


The fact is, the vast majority of data breaches are not self-detected. And malware lives an average of six months in a host system without being noticed. So, while there might be no shame in being the victim of a cyber-attack, there is no excuse for not being prepared.