What to do when company data is breached.

On May 23, 2017, the MIT Sloan School of Management hosted the 14th annual CIO Symposium: “The CIO Adventure: Now, Next and… Beyond.” The one-day event brought senior IT executives together to discuss key technologies, including IoT, AI, blockchain, Big Data, DevOps, cloud computing, and cybersecurity. The main idea was to help prepare these tech leaders for challenges they face, including shepherding ongoing digital transformations, building a digital organization, and managing IT talent.

This series highlights insightful sessions from the event.

In an era where nearly every organization considers itself a technology company, cybersecurity is a top concern. What happens when private information is compromised? Keri Pearlson, executive director, MIT (IC)3, moderated the MIT CIO Symposium panel “You Were Hacked — Now What?” to discuss this issue. Speakers Andrew Stanley, chief information security officer at Philips, and James Lugabihl, director of information security at ADP, offered a series of suggestions for how to manage security breaches.

The panel distinguished between a hack and a breach. A hack is the compromise of a host in which the adversary is not seeking to extract data from the organization; a breach occurs when the company has actually lost control of its information. As Stanley put it, hacking is an action, while a breach is an outcome. When a breach is suspected, there are specific steps a chief information security officer (CISO) or an operational lead takes to contain and manage the situation.

At the outset of any cybersecurity event, ask why it happened. Knowing the context determines whether the event is significant enough to be shared with the C-suite and board, and if the matter does demand escalation, C-level stakeholders need that context around the breach to make decisions.

When a significant breach occurs, the first thing a cybersecurity leader should do is assemble the right team. A CISO will call on a crisis management team made up of legal representatives, network scanning and penetration-testing specialists, and others who can investigate the event. Stanley notes that the C-suite will likely want frequent status reports (as often as hourly), so the crisis management team must set proper expectations with executives and analyze the data coming in so that every update is accurate. It may also be necessary to contact insurers or law enforcement, depending on the situation.

The crisis management team has many tasks, and one key action is to look for trends. Investigating and correcting a breach unfolds over weeks, not hours, and identifying patterns that link the breach at hand to other events can prevent future incidents.
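The hack-versus-breach distinction above and the trend-spotting step the panel recommends both come down to keeping structured incident records and comparing them. The following is an added example, not code from the panel, MIT, Philips or ADP: it classifies each record as a hack or a breach by whether data actually left the organization, and correlates a current incident with past ones by the indicators they share (IP addresses, domains, file hashes, techniques). The incident records, indicator values and field names are all constructed for illustration.

```python
"""Classify incidents as hack vs breach and correlate them by shared indicators.

Added example (not from the original article). Record layout and all
indicator values are constructed; IPs are from the RFC 5737 documentation range.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    incident_id: str
    date: str
    data_exfiltrated: bool   # True: the organization lost control of data (a breach)
    indicators: frozenset    # set of (indicator_type, value) tuples


# Constructed sample incident records (not real incidents).
INCIDENTS = [
    Incident("INC-1", "2017-01-10", False, frozenset({
        ("ip", "203.0.113.5"),
        ("technique", "phishing"),
        ("sha256", "a" * 64),
    })),
    Incident("INC-2", "2017-03-02", True, frozenset({
        ("ip", "198.51.100.7"),
        ("technique", "credential_reuse"),
    })),
    Incident("INC-3", "2017-05-20", True, frozenset({
        ("ip", "203.0.113.5"),
        ("domain", "login-example.test"),
        ("technique", "phishing"),
    })),
]


def classify(incident: Incident) -> str:
    """Stanley's distinction: a hack is an action, a breach is the outcome
    of actually losing control of data."""
    return "breach" if incident.data_exfiltrated else "hack"


def index_by_indicator(incidents):
    """Map each indicator to the set of incident IDs in which it appears."""
    index = defaultdict(set)
    for inc in incidents:
        for indicator in inc.indicators:
            index[indicator].add(inc.incident_id)
    return index


def related_incidents(current: Incident, history):
    """Return [(incident_id, shared_indicators)] for past incidents that share
    at least one indicator with `current`, most overlap first."""
    results = []
    for past in history:
        if past.incident_id == current.incident_id:
            continue
        shared = current.indicators & past.indicators
        if shared:
            results.append((past.incident_id, sorted(shared)))
    results.sort(key=lambda r: (-len(r[1]), r[0]))
    return results


def recurring_indicators(incidents, min_count=2):
    """Indicators seen across `min_count` or more incidents: the trend the
    crisis team is looking for when reviewing a breach against earlier events."""
    index = index_by_indicator(incidents)
    return {ind: sorted(ids) for ind, ids in index.items() if len(ids) >= min_count}


if __name__ == "__main__":
    current = INCIDENTS[-1]
    print(current.incident_id, "is a", classify(current))
    for inc_id, shared in related_incidents(current, INCIDENTS):
        print("  shares", shared, "with", inc_id)
    print("recurring indicators:", recurring_indicators(INCIDENTS))
```

In this constructed data the May breach (INC-3) shares the same source IP and the same phishing technique as the January hack (INC-1), which is exactly the kind of link that turns two separate tickets into one pattern worth acting on.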

Finally, think about ways to prevent future incidents. While Lugabihl acknowledged that there is no foolproof way to protect an organization from future breaches, both panelists described steps worth taking. Education is perhaps the most tangible. Stanley pointed to one company that runs phishing campaigns: it sends staff three fake malware emails to test their awareness. Anyone who clicks a link in one of these messages receives a note explaining the better way to handle phishing attempts.