Data Management Mistakes are not often talked about in a public forum.
When I find articles that deconstruct issues that companies faced in the real world, I always like to pass them on to our readers.
This article outlines the data management mistakes that surrounded the JD Wetherspoon data breach. It covers the cause and mistakes that led to the problem. The article below offers some valuable lessons and some solid analytics for all of us.
Data Management News Story
As an article in WIRED explains, data is a renewable resource (similar to crude oil) and it’s vital to maximise its value. But doing that isn’t always an easy or quick process. “To truly maximise the value of data, organisations must rethink how they create, edit and store it,” says Arvind Singh in the article. “They must analyse the architecture and standards, quality, governance and management processes at every phase.” In the case of JD Wetherspoon, it should have created a plan for the entire data lifecycle – from creation to storage and, finally, to secure and permanent removal when the old website was no longer needed.
By definition, supplier risk management is the process of predicting and preparing for the probability of variables, which may adversely or favourably affect the supply chain. While I don’t have the inside story on what truly happened, it’s safe to say that the company’s IT, technology and legal teams were all involved in vetting and signing off on the contractual agreement to hire the outside vendor.
But unfortunately, supplier risk management isn’t a one-time event; it needs to be repeated after the contract is signed. IT management teams should ask for regular (weekly, monthly, quarterly, annual) reports from vendors specifying their internal data security processes, data removal methods, tools and technology implemented and documentation. They should also conduct unscheduled onsite visits to review a vendor’s protocols in real time.
Having a crisis response plan is critical for any business. But it shouldn’t just be limited to customer complaints, product-related problems and staff behaviour. It needs to be a living and breathing document that’s regularly updated based on frequent audits of your organisation’s IT infrastructure as well as all of your third party vendors’ processes, systems and tools. From there, it needs to then provide expected lead times for discovery and reporting of breaches, communication guidelines (to customers, media, stakeholders), hiring of outside risk consultants to assess the level of damage incurred and more.
Given that JD Wetherspoon blamed the delay in discovering the data breach on the fact that the data was held by a third-party company that hosted the company’s old website (which has since been replaced and managed by a new partner), it’s highly unlikely the company had any form of data breach crisis response plan in place. When companies fail to take this step – which isn’t all that difficult – they don’t just destroy their reputations in the marketplace and incur legal and regulatory repercussions; they contribute to their eventual decline in sales and stock prices.