In a nutshell: You’ve probably heard by now how to strengthen your cybersecurity defenses. But what should you do if, despite all your precautions, you find yourself the victim of a data breach?
It’s probably one of your worst nightmares: You’ve been hacked. Especially for small businesses that don’t have a dedicated IT department, a data breach can be devastating. According to the Ponemon Institute’s recent Cost of a Data Breach Study, sponsored by IBM, the average total cost of a data breach is $3.62 million, and the average cost per lost or stolen record is $141. The cost alone, never mind the damage to your reputation, is enough to put some small businesses out of business.
Unfortunately, even when small business owners and employees know how to reduce the risk of a cyberattack, attacks still happen. And small businesses are frequent targets. According to Inc.’s “Why Your Business Might Be a Perfect Target for Hackers,” the reasons are that small businesses often have weaker online security, use technology that lacks strong encryption, and serve as an entry point to the businesses they work with, like vendors or customers (some of which may be large corporations with millions of records). In addition, the laws safeguarding commercial bank accounts aren’t as strong as those for personal accounts, so fraudulent transfers from a business account are harder to recover.
If your company is the latest victim of a data breach, what should you do next?
Take Everything Offline
Your No. 1 priority is to stop the attack. You can’t be sure hackers aren’t still reading your sensitive data until the affected computers and servers have been cut off from the network. Disconnect them (pull the network cable, disable Wi-Fi, or block them at the firewall) rather than powering them off: shutting a machine down wipes the memory-resident evidence, such as running processes and active network connections, that IT forensics experts will want to examine. For the same reason, don’t delete, wipe or reimage anything until the investigators say you can. If you have information hosted anywhere else, like on a cloud server, notify the vendor immediately so they can take the steps necessary to protect it, and change any passwords or keys the attackers may have captured along the way.
Hire Outside Experts
Unless cybersecurity is your business, you’ll need a team of experts to help you navigate a cyberattack. A firm that specializes in data breaches can provide IT forensics services, partner with you to inform victims and help you rebuild your reputation. There are myriad federal and state laws regarding cyberattacks and data breaches, and a professional will ensure you do everything legally expected of you. They can guide you through the crisis, from the initial investigation through recovery and the changes needed to keep it from happening again.
Involve Legal Counsel and Local Law Enforcement
Legal counsel with experience guiding companies through a cyberattack should be a member of your outside expert team. Depending on the type of information that was accessed, your counsel will be able to tell you what you need to communicate to victims, and by when. Every US state now has a breach notification law, and most require you to inform affected parties that their personally identifiable information (PII) has been accessed without authorization, often within a fixed deadline. If health information was involved, the rules get stricter. The Federal Trade Commission’s (FTC’s) Health Breach Notification Rule, which covers vendors of personal health records and related businesses not subject to HIPAA, requires you to notify each affected individual who is a US citizen or resident, the FTC and, if more than 500 residents of a single state are affected, prominent media outlets in that state. HIPAA-covered entities and their business associates follow the separate HHS Breach Notification Rule instead. Local law enforcement needs to be made aware of cyberattacks as well, so they can investigate the case or refer it to state or federal authorities; if your local police don’t handle computer crime, contact the nearest FBI field office.
Don’t Hush It Up
While there are rules that regulate notifications in a data breach situation, your reputation may depend on how forthcoming you are about the issue. Hiding it is out of the question. But you may want to consider telling more than what’s legally required. Coming out with a well-thought-out message will be important as victims will often have questions about what has happened and what they should do next. Try to predict what victims may want to know and address it before they can ask.
Find Out What Happened
Leave this to the experts. But be sure you get a full report on how the data breach happened: how the attackers got in, how long they had access and exactly which data they reached. Without that root cause and scope, you can’t close the hole they used, and you can’t tell victims accurately what was taken. If a malicious outside party hacked your computer system, there may be a few red flags on individual machines that indicate this is the case. According to CSO’s “12 Signs You’ve Been Hacked – And How to Fight Back,” they include redirected Internet searches, frequent random pop-ups, fake antivirus messages and ransom messages. Those are the signs an ordinary user can see; the forensics team will also go through server and firewall logs, which is why preserving them matters.
An ounce of prevention is worth a pound of cure but cyberattacks can still occur to businesses doing their due diligence. So, if your company is a victim of the latest data breach, follow the steps above to start down a road to recovery.