Data breaches require a team response. Many organizations consider themselves prepared for a data breach if their Chief Information Officer (CIO), Chief Technology Officer (CTO), or Chief Security Officer (CSO) feels prepared to handle a cyberattack. Unfortunately, they’re wrong. Preparing your company for a data breach requires the entire executive team’s effort.
Data breaches don't just put your data at risk; they have contractual implications and can directly affect your company's bottom line. That means the Chief Legal Officer (CLO), Chief Financial Officer (CFO), and virtually every other executive have a role in decreasing the likelihood and mitigating the impact of a data breach. In this two-part blog series, we'll outline the three steps an executive team should take to prevent and survive a data breach.
Step 1: Listen to the Experts
Most data breach planning fails in the execution, not the planning. The advice of experts -- even the company's own CIO or CSO -- simply isn't supported and embraced. In some cases, the C-suite actively undermines data breach preparation.
For example, the single best way to avoid a data breach is to employ the principle of least privilege, which means limiting access to sensitive data to only those people who need that access to do their jobs. The fewer people who can legitimately access data, the fewer people who can accidentally or maliciously breach your data's security.
While, in theory, a CEO or company President should have access to "everything" as the highest-ranking officer of the business, few CEOs need unfettered access to secure servers or databases. Only those technical and security personnel who work with sensitive data need to access it. The full executive team can help ensure the principle of least privilege is enforced by leading through example and denying themselves unnecessary access privileges.
Similarly, social engineering attacks focus on compromising individuals in your organization rather than your software. People are easier to fool than software. The executive suite can decrease social engineering vulnerabilities by funding comprehensive modern security training for all employees and taking those security courses themselves.
Budgeting for good security and leading by example is the first and most important step the executive team can take in preventing data breaches.
Step 2: Be Proactive
Despite doing everything in your power to prevent a data breach, the odds are that, eventually, an appreciable cyberattack will succeed against your organization. A strong executive team has plans in place to respond to a data breach before it happens, so you aren't scrambling during a crisis. A smart C-suite has proactively prepared both the next steps and the policy that governs them.
Your CIO or CSO likely already has contingencies in place to assess the scope and damage of a cyberattack, identify the technical vulnerabilities that led to it, and close the gaps in your defense perimeter. Your financial and legal teams need to be similarly prepared.
Your legal agreements likely include clauses that stipulate if and how soon customers, partners, and regulators need to be notified in the event of a data breach. Those deadlines, ordered by notification period and penalties for non-compliance, should be ready for use by your technology staff, so they can prioritize which accounts to investigate and secure first.
Similarly, your customer service team should have a communications plan in place before a data breach and should prioritize their outreach based on who is contractually guaranteed to be notified first.
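The triage list described in the two paragraphs above, as an added example that is not from the original post: given a breach discovery time, the set of affected accounts, and a (constructed, hypothetical) table of contractual notification clauses, it returns the obligations the breach actually triggers, ordered by hard deadline and then by penalty, so technology staff know what to investigate first and customer service knows whom to notify first.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data, not from the post: one record per contractual
# notification clause. Hours are counted from breach discovery.
@dataclass(frozen=True)
class NotificationClause:
    counterparty: str
    notify_within_hours: int
    penalty_usd: int      # contractual penalty or service credit if the deadline is missed
    accounts: tuple       # accounts or systems covered by that contract

CLAUSES = (
    NotificationClause("Regulator A (hypothetical)", 72, 250_000, ("crm-prod", "billing-db")),
    NotificationClause("Customer B", 24, 50_000, ("crm-prod",)),
    NotificationClause("Partner C", 120, 10_000, ("sftp-gw",)),
    NotificationClause("Customer D", 24, 80_000, ("analytics-wh",)),
)
DISCOVERED_AT = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed

def build_triage_queue(clauses, discovered_at, affected_accounts, now=None):
    """Return the clauses touched by the breach, ordered by absolute deadline,
    then by penalty (largest first) when deadlines tie. Each entry records the
    deadline, hours remaining at `now`, and whether it is already overdue."""
    now = now or discovered_at
    affected = set(affected_accounts)
    queue = []
    for c in clauses:
        hit = sorted(affected.intersection(c.accounts))
        if not hit:
            continue  # this contract covers nothing inside the breach scope
        deadline = discovered_at + timedelta(hours=c.notify_within_hours)
        queue.append({
            "counterparty": c.counterparty,
            "deadline": deadline,
            "hours_left": (deadline - now).total_seconds() / 3600,
            "overdue": now > deadline,
            "penalty_usd": c.penalty_usd,
            "accounts": hit,
        })
    queue.sort(key=lambda e: (e["deadline"], -e["penalty_usd"]))
    return queue

if __name__ == "__main__":
    scope = {"crm-prod", "analytics-wh", "billing-db"}  # constructed breach scope
    for e in build_triage_queue(CLAUSES, DISCOVERED_AT, scope):
        print(f'{e["deadline"]:%Y-%m-%d %H:%M}  {e["counterparty"]:<28} '
              f'${e["penalty_usd"]:>8,}  {e["accounts"]}')
```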
Above all, your finance team should have a clear model of compensation owed to customers and partners in the event of a data breach so that the full fiscal impact can be quickly assessed, and any payouts or service credits can be issued in a timely, contractually mandated fashion.
All of this work should be done before a data breach happens, not in the mad scramble that follows an unexpected cyber assault. Next week, we’ll be back with the final step in preparation: how to write smarter contracts. Can’t wait? Download the full guide here.