Mistake No 1: JD Wetherspoon didn't build in a plan for the removal of information when its old website was no longer needed.
As an article in WIRED explains, data is a renewable resource (similar to crude oil) and it's vital to maximise its value. But doing that isn't always an easy or quick process. “To truly maximise the value of data, organisations must rethink how they create, edit and store it,” says Arvind Singh in the article. “They must analyse the architecture and standards, quality, governance and management processes at every phase.” In the case of JD Wetherspoon, it should have created a plan for the entire data lifecycle – from creation to storage to finally, secure and permanent removal when the old website was no longer needed.
Mistake No 2: JD Wetherspoon failed to manage supplier risk.
By definition, supplier risk management is the process of predicting and preparing for the probability of variables, which may adversely or favourably affect the supply chain. While I don't have the inside story on what truly happened, it's safe to say that the company's IT, technology and legal teams were all involved in vetting and signing off on the contractual agreement to hire the outside vendor.
But unfortunately, supplier risk management isn't a one-time event and needs to be done repeatedly after the contract was signed. IT management teams should ask for regular (weekly, monthly, quarterly, annual) reports from vendors specifying their internal data security processes, data removal methods, tools and technology implemented and documentation. They should also conduct onsite visits (unscheduled) to review a vendor's protocols in real-time.
Mistake No 3: A crisis response plan wasn't created in advance.
Having a crisis response plan is critical for any business. But it shouldn't just be limited to customer complaints, product-related problems and staff behaviour. It needs to be a living and breathing document that's regularly updated based on frequent audits of your organisation's IT infrastructure as well as all of your third party vendors' processes, systems and tools. From there, it needs to then provide expected lead times for discovery and reporting of breaches, communication guidelines (to customers, media, stakeholders), hiring of outside risk consultants to assess the level of damage incurred and more.
Given that JD Wetherspoon blamed the delay in discovering the data breach on the fact that the data was held by a third-party company that hosted the company's old website (which has since been replaced and managed by a new partner), it's highly unlikely the company had any form of data breach crisis response plan in place. When companies fail to take this step – which isn't all that difficult – they don't just destroy their reputations in the marketplace and incur legal and regulatory repercussions; they contribute to their eventual decline in sales and stock prices.
Contributed by Pat Clawson, CEO, Blancco Technology Group