Introduction
The success of any organization depends on its ability to determine its strengths and weaknesses (Denolf, Trienekens, Wognum, van der Vorst, & Omta, 2015). This paper aims to analyze how Critical Success Factors (CSFs) can be applied to the case study “Boss, I Think Someone Stole Our Data” in order to understand the company's level of organizational readiness, the benefits it expects, and the risk factors that will have to be addressed. The analysis is supported by examples from the case and by recommendations on risk management. The initial categories of risk are identified and presented using the Example Risk Checklist.
Critical Success Factors (CSFs)
Regardless of the service or product the organization offers, its success is determined by its ability to observe and maintain Critical Success Factors (CSFs). If the company fails to ensure that all the criteria are met, even the most elaborately designed project is likely to fail (Buh, Kovačič, & Indihar Štemberger, 2015). CSFs are a set of particular business characteristics (typically no more than eight) that exercise a direct or indirect influence on the viability of the idea underlying a project and, therefore, on the effectiveness of the expected outcome. The difficulty with CSFs is that they cannot be defined once and for all, because they are not universal across enterprises. Every business, and even every project within the same company, may have its own unique CSFs (Tan, Shen, Langston, Lu, & Yam, 2014). However, it is still possible to identify their major types:
- industry CSFs (appearing as a set of standards for a particular field or industry);
- strategy CSFs (characterizing the most effective, competitive parameters of the strategy selected within the business);
- environmental CSFs (referring to the most favorable strategic moves in the given economic circumstances);
- temporal CSFs (those that may not be permanent for the business but are used to meet the current needs of the organization to foster its future development) (Romanosky, Hoffman, & Acquisti, 2014).
As far as the given case study (Flayton Electronics) is concerned, the most illustrative issue in the case for determining the main CSFs is the data breach and the information security system that is currently unable to protect the company's information from unauthorized use. It is clear from the case that the company's confidential data can be modified, recorded, and even destroyed by third parties because of the staff's negligence. Since the organization is unable to ensure integrity and confidentiality, security is presently the most pressing problem that the overall business strategy has to address. This implies not only that computer systems must protect information from disclosure, but also that managers and employees must receive proper training so that they are able to resolve the situation quickly if another data breach suddenly occurs. Therefore, the most applicable CSFs at the company's current stage of development are:
- staff education and coaching;
- management loyalty and commitment;
- staff motivation and orientation;
- high-quality data and reporting systems;
- improved protection of computers;
- improved system of communication;
- quick and effective decision-making;
- the increased role of the quality department;
- the capability of immediate action;
- improved abilities of managers;
- well-developed strategies.
Project Benefits, Organizational Readiness and Risk Culture
The key problem with the risk culture was that such data breaches affected the whole company, throwing all its processes into chaos. Moreover, it was next to impossible to find the person who was to blame for the failure. Even if all employees had been questioned, it would have been hard to determine who had caused the chaos (and who was legally responsible for it), how it was going to be resolved, and what consequences were to be expected (Sen & Borle, 2015). At Flayton's, the major concern was not even the data breach itself but the company's obligation to protect the private information provided by its customers. Besides, there was a delicate question, since the company did not know which was the best way to notify its clients about the possibility that their information could have been stolen. The majority of customers and other stakeholders wanted to know whether the company had been subjected to the attack. Finally, there was no effective strategy that would allow the company to avoid future problems in this area.
After the team realized that the situation might repeat itself and that customer data could be breached once again, they came up with an immediate response to the problem. The organization's readiness for the situation was first and foremost supported by the fact that the CEO, Brett Flayton, did not ignore the issue but was fully involved throughout the whole process (Biener, Eling, & Wirfs, 2015). All the employees connected in any way with data protection tried to collect more details on the problem in order to detect the possible causes of such deplorable consequences.
Another problem of the risk culture was that the organization not only undermined its own security policy but also put all the customer information at risk. However, the benefit of the project implemented by the organization was that the company guaranteed that all the information provided by its clients would be protected against any cyber attack whatsoever (Allodi & Massacci, 2017). Therefore, customers could be sure that their card information would not be stolen, if only because Flayton Electronics would not want any compromised cases on its hands. Performing any operations with their cards without their consent would be considered a legal offense and could undermine the legitimacy of the company's actions.
That was why, to ensure that all the benefits mentioned could be realized, the company had to do everything it could to protect the private information of its clients. The CEO opted for the implementation of the PCI system, which did not function at its full potential because of certain flaws in its firewall. In this particular case, the firewall was not maintained properly, which impeded the work of the whole system and meant that total protection of the data could not be ensured.
From the legal perspective, if the organization is unable to guarantee that the client receives all the benefits due, the company must bear the consequences (fines, loss of customer loyalty, a damaged image, and competitive disadvantage). Thus, regardless of whether the company was ready for the blow, its direct responsibility was to ensure that no customer information was disclosed.
Recommendations
To save its reputation, the company must prove that the security breach was unexpected. The fact that the organization tried to implement a PCI system, even without success, at least proves that some steps were taken to improve the situation. The problem lay mainly in the firewall, which could bring about the notorious breach. This situation demonstrates that all the steps necessary for prevention were taken but did not lead to any results.
As for future recommendations, they are:
- the company must develop a solid plan that would allow its leaders to solve similar problems without letting customers know about them;
- effective internal control is necessary to ensure that all the components of the plan are implemented accordingly;
- preventive measures are crucial for detecting all problems occurring in the systems, so that any inconsistencies found are removed immediately;
- all the key stakeholders must be informed about all serious incidents;
- the company must learn to identify if all its processes are adequate, its software is updated, its team is committed, and its staff is qualified enough.
Initial Categories of Risk
The initial categories of risk include (Feri, Giannetti, & Jentzsch, 2016):
References
Allodi, L., & Massacci, F. (2017). Security events and vulnerability data for cybersecurity risk estimation. Risk Analysis, 37(8), 1606-1627.
Biener, C., Eling, M., & Wirfs, J. H. (2015). Insurability of cyber risk: An empirical analysis. The Geneva Papers on Risk and Insurance Issues and Practice, 40(1), 131-158.
Buh, B., Kovačič, A., & Indihar Štemberger, M. (2015). Critical success factors for different stages of business process management adoption–A case study. Economic Research-Ekonomska Istraživanja, 28(1), 243-257.
Denolf, J. M., Trienekens, J. H., Wognum, P. N., van der Vorst, J. G., & Omta, S. O. (2015). Towards a framework of critical success factors for implementing supply chain information systems. Computers in Industry, 68(1), 16-26.
Feri, F., Giannetti, C., & Jentzsch, N. (2016). Disclosure of personal information under risk of privacy shocks. Journal of Economic Behavior & Organization, 123(2), 138-148.
Romanosky, S., Hoffman, D., & Acquisti, A. (2014). Empirical analysis of data breach litigation. Journal of Empirical Legal Studies, 11(1), 74-104.
Sen, R., & Borle, S. (2015). Estimating the contextual risk of data breach: An empirical approach. Journal of Management Information Systems, 32(2), 314-341.
Tan, Y., Shen, L., Langston, C., Lu, W., & Yam, M. (2014). Critical success factors for building maintenance business: A Hong Kong case study. Facilities, 32(5/6), 208-225.