What To Do After A Data Breach – A Guide For Business Owners
Data breaches are an everyday thing.
In the US alone, more than 34,000 cybersecurity incidents happen daily, and small-to-medium sized businesses are on the receiving end in 62% of the cases.
Make no mistake:
Prevention is still better than cure.
But if the statistics above are any indication, businesses of all sizes must also have a response plan ready in case of a data breach. Here are the essential steps you must take should your business fall prey to such an incident.
Uncover The Cause Of The Breach
Hacking, skimming, and phishing are the leading causes of data breaches, accounting for 55.5% of all breaches according to the Identity Theft Resource Center. However, other causes exist, such as:
- Insider theft
- Vulnerabilities while data is in transit
- Accidental email or internet exposure
- Employee error
- Physical theft
Notify your in-house IT department right after you discover the breach, so they may carry out a gap analysis and plan the next steps.
If you outsource your IT to a service provider, you should also consider bringing in a third-party IT expert who specializes in responding to similar incidents.
The breach happened with your current provider, and you don’t want their interest in keeping your business to get in the way of objective analysis.
From here, security professionals and engineers will need to capture all network traffic around the clock, whether it originates from a laptop, a server, or a printer’s remote diagnostics software. They will also need to record packets on the network for forensic analysis, while watching the archived traffic for patterns and signs of compromise.
Fulfill Your Legal And Ethical Responsibility To Inform
Your clients, suppliers, and industry partners trusted you with their sensitive information. If the breach compromised their data, providing upfront and honest communication about the incident is the most ethical thing to do.
Stick to the facts gleaned from the analysis when talking to stakeholders about the breach. Otherwise, you will create more work as you’ll have to take back previous statements.
Instead, focus on what happened, the steps you’re taking to fix the problem, and how you’re helping the parties affected by the breach.
On the other hand…
Informing the data subjects may not be enough
Depending on where your business is located, you may also need to notify the government. Moreover, laws may impose strict deadlines for breach notifications.
If you’re in Europe, Article 33 of the General Data Protection Regulation (GDPR) requires businesses to notify the supervisory authority of the breach no later than 72 hours after becoming aware of the incident.
The breach notification should also include:
- A description of the personal data breach, including an approximate number of data subjects and personal data records affected
- Name and contact details of the data protection officer from whom the affected parties can get more information about the breach
- The possible effects of the breach, as well as the measures being taken to address the cyber security incident
In the United States, 46 out of the 50 states have laws that require breach notification. To learn more about the mandatory requirements in your state, check out this page from the National Conference of State Legislatures’ website.
But while the pages above are useful, you will still want to sit down with a lawyer (who specializes in cyber security and privacy) to review the critical steps to take after a breach.
Here’s A Tip…
One of the best ways to minimize risk is to get insured against it.
So consider getting a cyber liability insurance cover (CLIC).
CLIC has been around for more than a decade now. However, information security and its technicalities are still foreign to most insurers and brokers. You will have to work more closely with your provider, but the extra effort will prove worth it.
A CLIC can come with coverage for:
- Data breach or privacy crisis management: The cost of managing the incident, the investigation, data subject notification, credit checking, and more
- Media liability: Examples include defacement of the insured’s website or infringement of intellectual property rights
- Extortion liability: Losses due to extortion (e.g., ransomware) as well as the professional fees necessary to deal with the extortion threat
- Network security liability: Third-party damages due to denial of access and business interruption
As usual, you will want to read the fine print when shopping for CLIC to make sure your organization is getting the coverage it needs.
Prevent Future Breaches From Happening
You’ve identified the cause of the breach. Your IT team and third-party experts worked together to patch up the vulnerabilities. The data subjects and the authorities were notified of the incident, while your customer service team did a sterling job of helping those affected.
Back to business, right?
Sure, but only if you’ve taken steps to prevent similar incidents from happening again.
Fixing today’s cyber security and privacy problems won’t fix tomorrow’s, especially if the perpetrator of the breach is still at large.
Take the Sony Pictures hacking incident in late 2014, for example.
Government agencies, such as the FBI and NSA, got involved in the investigation and analysis of the attack. The authorities concluded that the attack came from North Korea – but that was it.
No one was brought to justice. The hackers even mockingly sent an email to the FBI linking to a YouTube video titled “You Are An Idiot.” They are still alive and well (and hacking) based on the evidence gathered from preceding incidents.
If you’ve been hacked or breached once, what’s stopping these cyber crooks from sneaking into your network again via a different vulnerability?
You must prepare for these future attempts, and training your workforce is the first step.
Your employees talk to customers via email, have access to sensitive documents and data, and use the company’s software to do their work. They’re vulnerable to hacking and phishing attempts. But equip your employees with enough cyber security know-how and they can help you stop threats before they get serious.
Aside from their day-to-day job, your employees must also know how to:
- Create and use strong passwords: A password must be at least 8 characters long and use a combination of uppercase and lowercase letters, numbers, and symbols.
- Identify phishing or spoofing emails: The amount of spam sent via email grew four times from January 2015 to December 2016 according to the IBM Threat Intelligence Index 2017. Worse, about half of these emails have malicious intent.
- Enable two-factor authentication (2FA): 2FA adds an extra layer of protection over business accounts. Most cloud-based software and service providers offer this security add-on.
- Secure their mobile devices: Keeping smartphones, laptops, and tablets safe and secure is especially important if you have a Bring Your Own Device (BYOD) policy.
Next, you will want to give your IT department some love, too.
Sure, a breach just happened. Your business lost customers and money. Not to mention you could be facing legal issues. After all that has just happened, you may feel tempted to blame the IT department and their poor security practices.
But how much did you invest in IT and cybersecurity prior to the breach? If you’re like 47% of the companies (with 50 employees or fewer) in AT&T’s survey, probably not much.
Just like your marketing or sales team, the people in your IT department need your support to do good work. And until you provide the infrastructure and equipment they need, cybersecurity will always be a sore spot in your company.
Guest post courtesy of Nathan. Nathan is a serial entrepreneur, a lifelong learner, and business blogger at www.biznas.co.uk