Despite increased sophistication in security systems, organizations are as vulnerable as ever to cybersecurity attacks. If the United Kingdom’s National Health Service can be crippled by a ransomware virus, and the Government of Canada can lose the personal data of 13,000 employees, it’s clear that no organization is immune to data security and privacy threats.
With this in mind, we wanted to know if Canadian leaders understood the risks and whether Canadian organizations were properly prepared to respond to data security and privacy incidents. We spoke to 101 Canadian executives and chief information officers, and the results were alarming.
While leaders generally agree that protecting information is a priority, they are primarily concerned with how a data security and privacy incident will affect business continuity. When asked, fewer executives expressed concern about reputational harm (33 percent), the threat of legal action (47 percent), or the loss of stakeholder trust (50 percent).
We also found that leaders may overstate their ability to respond. While many indicated they have a crisis communications plan that addresses cyber risk, 23 percent of companies haven’t tested these plans. And only 30 percent of chief information officers indicate that their organization has identified the necessary expertise to assist with a major security incident or data breach (communications counsel, forensics, external legal counsel).
So, what can leaders be doing to ensure their organization is prepared to handle a data security or privacy incident?
Privacy and Data Security Leadership Starts at the Top
Leaders must set the tone about commitment to security and privacy. They should be aware of the risks, and be hands-on in developing mitigation and response plans. Leaders must foster a culture in which data security and privacy are understood as a cross-functional commitment, and the responsibility of more than just the IT department.
Data Security and Privacy is About a Culture of Transparency
Privacy is more than just a policy on a piece of paper. Leadership must foster a culture of transparency about how and why an organization collects, stores, or processes data. And while information technology may have insight into how much information an organization possesses, it’s up to leadership to ensure that all departments across the organization are aware of which information exists, how it is being used, and the risks associated with holding this data.
Plan for a Breach or Security Incident, and Test Regularly
Having the right response plan with a clear focus is essential to managing reputation in a data security or privacy incident. The plan should be integrated with information technology and legal, and identify key roles, outline communications protocols and triggers, and outline strategies for maintaining trust. To keep plans relevant, organizations must practice their response in a live event or mock simulation and subsequently update plans to perform better in a real incident.
Know How the Legal Requirements Impact Communications
The legal landscape is evolving around the world, and many lawmakers are looking at how and when companies should be mandated to notify impacted parties of a security incident or privacy breach. They are also requiring that companies explain why they are contacting stakeholders, and provide them with information to protect themselves. This legislation already exists in Canada, for example, and is becoming commonplace around the world; however, it becomes more complex when breaches affect several jurisdictions. Given that mandatory communication is becoming a reality in many jurisdictions, it’s important that organizations do not make decisions in a vacuum. Communications and Legal must be at the table together, and legal requirements must be built into any data security and privacy response plan.
Integrate Communications Early and Often
Data security and privacy incidents force strange bedfellows to work together. While each department may have its own responsibilities, they must work hand-in-hand to develop protocols and plans, and have a coordinated response when an incident hits. While legal may focus on compliance, and information technology will address business continuity, communications should be engaged early and often to monitor the incident and counsel the organization on stakeholder communications, managing its reputation and maintaining stakeholder trust throughout the incident. Unless all departments are working together on a coordinated response, a company will not be able to effectively protect its reputation.