Containing a System-Wide Cyberbreach Crisis
This article, authored by Jim Satterfield, President and COO of Firestorm Franchising and Jim Squire, CFE, Executive Vice President and CDO for the company, originally appeared on the International Franchise Association’s Blog
When your franchisees opened their doors for business today, you acquired a new risk: cyberbreach.
By Jim Satterfield, CFE and Jim Squire, CFE
A cyberbreach is a business crisis problem, not an IT problem.
- Today, 80 percent of the value of corporate assets has shifted from physical to virtual.
- The chance of a cybersecurity breach to your franchise system increases every day.
- If or when this happens, you will be impacted at many levels: human, operational, reputational and financial.
Accordingly, cyber risk has increased dramatically over the past two decades. Franchisors and franchisees face accelerated, complex, sophisticated cyberattacks resulting in rapidly expanding impacts. A well-known characteristic of a cyberattack is that it can penetrate your franchise’s perimeter data security defenses through multiple technology and human channels, to exploit all layers of your information security. Unfortunately, if a sophisticated attacker targets a franchise system and your franchisees, it will be able to breach the data security in place.
“Cybersecurity has been a hot topic for a while, and the criminals are very smart, which makes our task more difficult,” said Tom Barber, a Money Mailer franchisee.
The generic term “cyberbreach” represents incidents that could negatively impact franchisors and franchisees, with respect to the following:
- All franchise information assets including hardware, network infrastructure, software, electronic and physical data, and human knowledge;
- Communication, storage, and processing of data by any means resulting from franchisor or franchisee actions/obligations; and,
- Unauthorized security events resulting from intentional or unintentional electronic or human actions.
Not all data is equal
The differences drive the type of response, and franchisors must be prepared for all types of cyberbreach incidents. Personal data, including personally identifiable information, protected health information, payment card industry data and intellectual property present rich targets of opportunity that can be accessed in a variety of ways and at multiple levels.
“Consumers are much more aware today of the need to protect their personal health information, and with the government’s push to bundle providers together to reduce cost and improve quality, I think it will continue to be a challenge to control and manage access from web portals, etc.,”
Kathleen Gilmartin, President and CEO of Interim HealthCare.
Every crisis is a human crisis
Your most vulnerable point is your people, not your IT security. This “picnic” exposure (problem in chair, not in computer) is one click away from a crisis. It has taken years to build your brand and reputation. Only 140 characters in a tweet or opening an attachment can destroy it in seconds.
As a result, there are many cyberbreach concerns, including potential:
- Impacts to your brand image,
- Impacts to customer relationships,
- Impacts on the customers’ brand image,
- Media/public reaction and,
- Economic impacts to the organization and its clients, either directly due to complaints or indirectly through loss of brand image or civil action.
Assessing your cyberbreach risk requires a much broader focus than just IT security. In today’s world, any organization with electronic data or network connectivity faces the possibility of a cyber incident. In order to understand the risk, it is essential to understand what valuable assets you hold, and how an attack will impact your organization.
How dependent are you upon networks and systems in order to deliver your products or services? Can you quantify and qualify the data that your franchise system manages and holds? Do any third parties have access to your data or systems? If so, are they contractually responsible should they suffer an incident impacting you and your franchisees?
These and many other questions are crucial first steps in determining the scope of what could go wrong and what the costs might be. After assessing the impact of a cyber incident, franchisors can then focus on IT and non-IT security, education and training, proper governance and controls, and other measures that create a holistic strategy to protect against cyber incidents.
What do you need to do?
Cyberbreach planning must focus on the breach crisis management response process, regardless of timing or what point of failure occurred.
Upon discovery of cyberbreach, the franchisor’s objectives and actions may be in conflict with law enforcement and regulators. For example, law enforcement will want to control the investigation and timing of the notification, potentially creating a delay in notification of clients and meeting your regulatory requirements. These conflicts add complexity to your decision-making process and response.
To have everyone on the same page you need:
- Cyberbreach Awareness Indicators Matrix: A Cyberbreach Awareness Indicators Matrix provides franchisor and franchisees with a tool to identify events which may indicate that a cyberbreach has occurred.
- Cyberbreach Response Activation Matrix: A detailed Cyberbreach Response Activation Matrix identifies the considerations and triggers needed for leadership decisions, response, and communications.
- Cyberbreach Response Plan: The Cyberbreach Response Plan establishes the notification, containment, response, and recovery requirements for a cyberbreach incident.
This plan must include:
- Team members identified with two alternates for each.
- Role and responsibilities.
- Checklist actions to be taken at each of the five phases of activation: pre-action, onset, impact assessment, response and recovery, and post-event.
- Cyberbreach Awareness Indicators and Activation Matrices.
- Incident tracking forms.
- Cyberbreach Crisis Communications Plan with message maps.
A comprehensive enterprise Cyberbreach Crisis Communication Plan addresses internal and external communication during any cyberbreach incident. This ensures that the franchisor retains control of the narrative in any situation and will not be forced into a potentially damaging response mode.
The plan’s documents protocols, tailored to coordination, crisis and compliance, guides prompt sharing of information with all stakeholders during a cyberbreach incident, as required.
Coordination: Internal communications to direct coordination activities regarding cyberbreach response
Crisis: Communications to address the potential crisis impacts on brand and reputation.
Compliance: Communications responsibilities related to compliance notification to those parties who are impacted (or potentially impacted) by a cyberbreach. These communications serve the dual purposes of notification and remedy actions to mitigate or prevent potential impacts.
Educating franchisees on data handling and protection
Awareness begins from the top of a franchisor’s organization. Executive leaders need to personally understand current threats and appropriate user behaviors in order to more effectively motivate franchisees to maintain their own awareness. Franchisees tend to respond to engaging and dynamic awareness education that communicates how heightened awareness helps protect individuals’ confidential data, as well as corporate data.
Like learning any skill, repetition is the key, but franchisors risk franchisees tuning out the message if education is done poorly. A demonstrated commitment at the top levels of the franchisor will aid in the success of your educational efforts. In addition, education around the costs of failing to handle data appropriately will also be helpful.
Similar to many other events that threaten a franchisor’s reputation, successful prevention measures are ingrained in a franchise’s culture. When everyone at every level of the franchise system can understand the harm associated with deviating from preventative measure, and feel empowered to protect the brand from a cyber event, education and training transitions from another corporate requirement to the backbone of the organization.
Living and demonstrating the prevention measures through every level of the system by way of example helps to instill those behaviors. Like all other elements of corporate culture, actions are more powerful than words.
One last thought
Waiting is not an option. This threat will not go away.