Data breach is one of the most likely risks businesses have been exposed to in recent times, as a significant number of work processes have been digitised. Protecting customers' information and the records of the business transactions carried out is the sole responsibility of the company handling them. Regulators have defined norms to follow, and the science around them has been evolving. How are companies dealing with these evolving scenarios?
Co-opting several stakeholders
Companies often think that the root cause of a data breach is outsourcing and hence tend either to stop the practice or to pool everyone into one basket covering all the kinds of risk they face. They feel this approach is robust and that they will be able to hold many vendors to account in case there is a breach or a deep attack on their infrastructure.
In reality, no vendor or employee can single-handedly bear the burden and fulfil the responsibility of protecting the company's data and network to the extent described in the contract. Hence, they usually work on a best-effort basis and offer a pragmatic solution. Sometimes, companies incur higher costs through this approach of building a megastructure when there may be no need for it.
Some companies take the stance that outsourcing of employees, infrastructure and software must be stopped to mitigate the risks. However, this is not a sound method, because a breach can happen even when the system is built and managed in-house by the company's own employees. The probability of attacks on the company's network, theft or other forms of compromise leading to data loss is no less than that on the outsourced partner's network run by outsourced employees.
What about the solutions?
The company must acknowledge this reality and assess the risks. It must develop the mitigation methods with the help of outsourced employees and partner organisations, as applicable. Then it has to take on the role of governing the execution of those methods and making the necessary course corrections. Success lies in identifying the risks, developing methods to mitigate them and ensuring that those methods are effectively in action.
Educating the stakeholders on an ongoing basis and influencing them to follow best practices is an important factor for success. Many organisations have invested in their IT capabilities and migrated their business processes online but have not built adequate capabilities to use those systems effectively. Thus, the larger organisation needs to understand why certain practices have to be followed so that external forces cannot drill a hole in its IT infrastructure and damage it. Regular monitoring and continuous improvement are the solutions that companies have to practise seriously.
Keeping it relevant on an ongoing basis
Technologies have been transforming on an ongoing basis, and hence companies have to create an adequate capability to keep evaluating the relevance of new technologies for their context and whether the return on investment in IT capability is in line with industry norms. We do not have to buy and deploy the latest technology unless there is a clear business case for it. Equally, we cannot let inertia leave our systems obsolete or lacking the edge that competing companies might be using to their advantage in the marketplace.
First, working with outsourced partners and employees gives us flexibility in costs and in the decision to insource a team or a project if there is a business case for it. Second, the outsourced team brings its expertise in certain skills and brings diverse inputs to the table; a company must leverage these valuable advantages rather than keeping everyone in-house, which can potentially lead to a frog-in-the-well syndrome.