Major Data Breaches within Organizations
The case of the premier presents several issues that demonstrate significant data breaches within the organization. It is essential to start by analyzing some of the fundamental problems that are in one way or the other related to the significant data breaches. The top management of premier outsourced data management services. This means that the data center for this company is at Q data. IPremier bought a service space, power, and communication system, so all the hardware is at Q data. According to Khong (2007, p. 112), outsourcing such services is not wrong, but the issue may arise when dealing with sensitive information. The first significant breach of this case is that this service was outsourced to a different company other than premier. IPremier has access to vital customer information, including their credit cards. The contract that this company has with its customers does not disclose that these critical pieces of information are in the third hands. Customers know that it is the company that has access to such vital information about them. However, it comes out that this information is managed by Q data, a company that has no direct business contract with the customers. This is considered a breach.
Some customers are particular when it comes to accessing their personal information. The premiere was wrong in allowing third parties direct access to and full management of its customers’ sensitive information. The cause of this breach might have been the company’s desire to maintain efficiency in service delivery by outsourcing some services that needed technical expertise. This was a strategic move, but one that may have some profound implications. Allowing third parties to access the vital customer information, including their credit cards, may pose a severe danger to the firm. The values of the outsourced company may not be the same as that of the premier. This means that the customer information, and other classified data, may not be handled as correctly as may be desired by the stakeholders at the premier. This could be one of the main reasons why the attack occurred.
The second breach that occurred based on this case was the attack on the website. Customers, staff members, and all other major stakeholders of this company expect to access the information from this company. However, this was not the case on this particular night. The website was locked up. At this stage, it was difficult to determine whether this was happening at Q data, or the problem was emanating from a different location. Denying customers access to the relevant information in itself is a breach. Customers trust that they will always be allowed to access the relevant information from this company. If there are any common technical issues, they need to be informed in advance. However, this did not happen, and when they contacted the firm, they were not given any concrete explanation. As Clark and Stoddard (2005, p. 25) say, when handling the customers’ information, it is always necessary to ensure that they are informed in cases where significant changes may disrupt service delivery. This was not done because the company did not expect this to happen.
The third breach of data was done by Joanne when she finally accessed the data center at Q data. IPremier has been operating on a smaller disc space than necessary for a company that has experienced massive growth over the past few years. The phone conversation between the head of the IT unit and Tim shows that detailed logging was disabled because the disc had limited space.
The outsourcing of the services at Q data did not help improve the disc space, and this explains why it was necessary for Joanne to visit the data center. However, this poses fundamental issues because Q data offers services to other organizations. This means that Joanne would be a third party if she was allowed to access the data center at Q data. Although the case does not reveal whether or not she did have access to information from other customers of Q data, the fact that she was in control of the system and that she had the technical knowledge to access different databases is in itself a breach. This is aggravated by the fact that technicians at Q data at this hour had no experience of knowing whether she was going beyond her mandate.
In-sourcing the Data Center
According to Abrahamson and Eisenman (2008, p. 720), there are cases when a company may need to in-source some services, especially when dealing with sensitive information. The case study about premier and Q data reveals a severe data breach that makes it necessary for the premier to consider undertaking this task in-house. This makes it essential for the firm to redesign its business process through business process reengineering. Kezar (2005, p. 650) defines business process reengineering as “A business management strategy, originally pioneered in the early 1990s, focusing on the analysis and design of workflows and business processes within an organization” (p. 634). According to Nissen (2003, p. 510), it is essential when redesigning operational processes. The case reveals that these are the issues that need to be addressed at the premier, and it justifies the need to in-source the data center. Bertztiss (2004, p. 104) says that during such business process reengineering, there are specific steps that need to be followed in order to achieve the desired results. The researcher proposes a four-stepped business process reengineering model that should be used by this firm in this new strategy. The following diagram shows the four-stepped business process reengineering model.
The first step, as proposed in this model, is to identify the business process (Green & Hatch 2002, p. 301). As shown in the case study, the business process is the data center, which is currently posing fundamental problems that threaten the existence of this firm. The management has decided to in-source this service. This is the business process that will be focused on. Orman (2008, p. 212) says that the business process that needed to be reengineered must be defined in unambiguous terms. This means that other than identifying the process, it will be necessary to clearly state the related systems that may need to be redesigned in this process of reengineering. As per the case, there will be a need to completely overhaul the design and the personnel currently handling it at Q data.
According to Earl, Sampler, and Short (2005, p. 48), the second step is to analyze the current processes. This involves identifying some of the issues that make the existing system ineffective. It has been stated that the current process has some fundamental problems that may threaten the very existence of this firm. There has been a severe data breach that puts the information of the customers and their credit cards at the mercy of criminals with ill intentions. This breach can be directly blamed on the ineffectiveness of Q data, which was given the responsibility of managing the data center. The breach has not been handled effectively by Q data, and an employee of the premier was forced to rush to Q data in order to address the problem. This means that Q data is not doing what it is paid for by premier.
The next stage will involve designing and documenting a revised process that will address the problems that have been identified. In this case, the data center will be transferred from Q data to the premier. The management will need to install the hardware at its own premises in the IT department. The current employees may need some training on how to manage the hardware. It may also be necessary to hire an extra workforce to handle the new tasks that have been in-sourced. Bob, the head of the IT department, may need to coordinate with the finance department to get the right funding for this project.
The final stage will be the implementation of the revised process. This will involve starting the operation of the call center at premier after installing the hardware and the software that is needed. The management will need to conduct regular training of the employees to make them able to handle the tasks. The company will also need to invest in the infrastructure.
References
Abrahamson, E & Eisenman, M 2008, Employee-management Techniques: Transient Fads or Trending Fashions, Administrative Science Quarterly, vol. 53. no. 4, pp. 719-744.
Altinkemer, K, Ozcelik, Y & Ozdemir, Z 2011, Productivity and Performance Effects of Business Process Reengineering: A Firm-Level Analysis, Journal of Management Information Systems, vol. 27. no. 4, pp. 129-161.
Bertztiss, 2004, Software Methods for Business Reengineering, Journal of the Operational Research Society, vol. 48. no. 1, pp. 104.
Clark, T & Stoddard, D 2005, Inter-organizational Business Process Redesign: Merging Technological and Process Innovation, Journal of Management Information Systems, vol. 13. no. 2, pp. 9-28.
Earl, J, Sampler, J & Short, E 2005, Strategies for Business Process Reengineering: Evidence from Field Studies, Journal of Management Information Systems, vol. 12. no. 1, pp. 31-56.
Green, F & Hatch, E 2002, Does Business Process Reengineering Diminish the Quality of Work Life, Social Indicators Research, vol. 60. no. 3, pp. 299-307.
Kezar, 2005, Consequences of Radical Change in Governance: A Grounded Theory Approach, Journal of Higher Education, vol. 76. no. 6, pp. 634-668.
Khong, C 2007 Business Process Reengineering: Breakpoint Strategies for Market Dominance, Interfaces, vol. 27. no. 3, pp. 112-114.
Nissen, M 2003, Redesigning Reengineering through Measurement-Driven Inference, MIS Quarterly, vol. 22. no. 4, pp. 509-534.
Orman, L 2008, A Model Management Approach to Business Process Reengineering, Journal of Management Information Systems, vol. 15. no. 1, pp. 187-212.