What happens in the event of a cyberattack?

15 Apr

Who is responsible for a company's data security?

Cybersecurity is a top concern for every business. With multiple high-profile data breaches that cost businesses millions of dollars and seriously damaged their reputations in recent years, it's increasingly apparent that one area companies can't afford to neglect is IT security. 

But what happens if a company does indeed experience a breach? Even if all the necessary security measures are in place, every business needs to be ready for the worst. 

Who takes responsibility? 
It's an age-old question: Is HR or IT responsible for cybersecurity? In some cases one department wants control of this task and the other doesn't, making it easy to determine who is to blame if anything goes wrong. But all too frequently, it's difficult for leaders within these areas to decide which should take the lead. 

IT seems like an obvious choice to lead data protection initiatives – after all, cybersecurity certainly seems to fall under the information technology umbrella. And while IT professionals may be able to advise and contribute to the discussions about mitigating breaches, they aren't the only ones who have a horse in the race.

Unlikely as it seems, human resources should play a major role in the cybersecurity process. In an interview with the Society for Human Resource Management, Philip L. Gordon, a shareholder in the Denver office of Littler and co-chair of the firm's Privacy and Data Protection Practice Group, claims that lost or stolen devices are one of the most common causes of data breaches. He says that training employees to report a missing device immediately is critical, and this could be one of the onboarding sessions HR completes with new workers. 

Similarly, he recommends HR have a stringent office security policy, and make sure reception workers don't allow any unauthorized individuals to walk through the workspace without supervision. 

If the IT department refuses to take the lead on data protection, the HR department may opt to create a new position such as "Chief Security Officer" or something similar. This person would need to have a firm grasp of legal compliance and a strong understanding of the technical aspects that cybersecurity calls for. 

What if IT doesn't step up?
To keep from encountering any confusion over who's responsible for what when it comes to security incidents and protection, it's vital to have a plan in place before anything happens. 

While HR may be responsible for training employees on how to mitigate security risks and for working with employees if an incident does happen, IT will be responsible for certain things given its more technical expertise. The department should be aware that if a hack does happen, it is responsible for taking machines offline, preserving evidence of the breach and working with forensics to determine what data has been compromised and how to remove any malware or hacker tools.

Experian's Data Breach Response Guide details what steps need to be taken within the first day after a breach occurs. Every organization should have a point person to go to for each item on the list, whether it's someone in the IT or HR department. The steps include recording when the breach was discovered and when someone acted on it, alerting the appropriate parties, making sure additional data loss doesn't occur and starting an investigation.

What must a company provide after a breach?
No business plans on getting hacked, but in the event it does, higher-ups need to know what documentation they may be required to provide.

The Federal Trade Commission's 2014 Privacy and Data Security Update details when companies in certain industries are required to inform consumers of data breaches. The Experian report also shows how multiple states are considering more thorough notification laws that would require businesses to provide even more information about the data breaches they experienced, including what personal information was accessed, when the breach occurred, what happened and sometimes even whether the notification was delayed because of a law enforcement investigation.

After a security incident, documentation at every single stage of the process is key. Professionals responsible for investigating the breach should have notes relating to each person they spoke to about the issue, how long it took them to get the authorities involved, what information was accessed and so on. They should also note not just what they did and when, but why they took those steps.

Businesses have to act now
Even if a business thinks its data is secure, chances are it can be compromised at some point. The Experian report says that in 2012 alone, 267 million records were exposed thanks to cybersecurity incidents. 

With such great repercussions, companies have to know how to mitigate the risk of an incident and how to proceed if one does happen. By combining the duties of HR and IT, no one department has to bear the entire burden and each department can specialize in its own area.
