When attending to a client's needs, service providers often apply a one-size-fits-all approach, following a well-worn playbook and handling the matter as a routine procedure.
This approach may work well in certain situations. But when dealing with sensitive matters such as a data breach and the possible compromise of company secrets or personally identifiable information, it's better to understand the client and their business and to work closely with the client when determining the proper actions to take.
"We operate on a feedback loop with our clients," says Stephen Kennedy, Director of Client Services, Managed Review, and Cyber Incident Response Services at Conduent. "We take that information, we look at it, we give them the results. They give us feedback. We incorporate that feedback, and we go through that process again until we're done."
Conduent is a provider of general business services to government and the private sector, and one of its specialized offerings is consulting companies that have suffered cybersecurity incidents in determining exactly what kind of client information was compromised and the proper follow-up actions to take.
"Typically, we come in after the breach has been contained, identified, contained and mitigated," says Kennedy. "We handle the human element of the response."
The development of such an intimate relationship can lead a service provider to become a true business partner, working alongside the client for many years to come as both companies grow and prosper.
Tailoring each response to the client
The better Conduent knows a client and its data, Kennedy says, the better the post-incident response process will be.
Generally, the client and its cybersecurity experts will determine which chunk of data was affected, and the client will then provide that affected dataset to Conduent to be scoured for sensitive information.
"Once they've identified what's been hit, they send us the data," says Kennedy. "We can tell you whether there's 300 people or 1,000 people or a million people, where they lived, and as much of their information, unfortunately, as is in that dataset."
To comb through vast amounts of incident-affected data, Conduent has adopted tools that it uses in its electronic-discovery (eDiscovery) business, which helps client organizations prepare for litigation by sifting through digital records for information pertaining to the cases at hand.
In post-incident response, however, Conduent uses the eDiscovery tools to search for personally identifiable information, health records, credit-card numbers and other data that could be exploited or monetized if it were to fall into the hands of bad actors. The core challenge is not dealing with huge amounts of data but finding the data that matters.
It's not just large enterprises and big corporations that have sensitive data that needs to be sorted out following a cybersecurity incident. There are a lot of smaller regional companies, including mom-and-pop-type businesses that get hit and have to deal with these incidents.
"We work with all comers," Kennedy says.
Minimizing the amount of data to be processed
A major part of the post-incident response process is pinpointing where exactly the sensitive data is located, then reducing the amount of data to be analyzed.
"We really try to drive down the amount of data that we look at and manage the process appropriately, keeping in mind the ultimate goals of the clients, which are typically to put a good-faith effort into defining who is going to be impacted or potentially impacted by a breach or by an incident," says Kennedy.
In many cases, this involves multiple Conduent analyses and client reviews of the data, an iterative cycle. Taking the time to carefully determine which data might be worth looking at is a valuable part of the post-incident response process, even if it may delay the notification of affected individuals.
There are times when it's not worth going through all the data. For example, if an organization has data on 12 million individuals, and it's clear that the personal data of at least eight million of those individuals was compromised, it would probably be more cost-effective to just notify all 12 million individuals of the breach than it would be to identify the four million who might not have been affected.
How to save a client half a million dollars
Kennedy cites one case in which an organization suffered a cybersecurity incident that compromised medical data scattered over nearly 4 million digital records. Conduent's task was to pinpoint which of those records contained personal health information.
"It was going to be a very expensive process to manually look at all of this data," he relates. "And we said, 'Look, we kind of have an idea.'"
Conduent could have looked at hundreds of thousands of daily patient updates, which would have cost a lot of time and money. But it quickly realized that the names of all those patients would also have been in the client's billing information, a much smaller dataset.
"Instead of reviewing 650,000 documents," Kennedy says, "we ended up reviewing like 15,000 documents."
The decision to limit the data analysis to that small set was entirely the client's, Kennedy emphasizes. Had the client insisted, more than half a million additional records could have been examined. But in this case, minimization meant cost-efficiency.
"We probably saved them close to half a million dollars by taking that approach," he says. "They were happy. The insurance company was very happy. Everybody got what they needed."
Kennedy explained that it's better to show the value of your service to the client and set the foundation for a long-term partner relationship than to exploit the situation for maximum billing value. Doing right for the client is always the goal, he adds.
"We don't operate in the darkness," he told us. "We want to make sure that we're going back to the client, because ultimately, they're the ones who make the decisions."
