What To Do If You’ve Suffered a Data Breach
Data breaches are a significant hazard to modern businesses. 2016 was a year of record breaches for businesses, and security experts expect that 2017 will be no different.
And don’t think that SMBs are immune. In fact, cybercriminals have started to target small businesses on purpose, largely because small businesses aren’t as well protected as bigger targets.
So, what should you do once you’ve suffered a data breach?
Secure Your Data
You need to figure out how the attackers got in and seal the point of entry, but this might take time. Your first priority is to protect your data: cut the affected network connections and secure your critical data.
Don’t wait. Once you’re aware that you’ve suffered a breach, you need to communicate with all the parties who could be involved. This could mean customers, clients, or your own employees.
Your first communication doesn’t need to be detailed, and you certainly shouldn’t wait until after your full investigation, which could take months. Let all relevant parties know about the breach, what you think happened, what data might be compromised, who to contact if they need more information, what your next steps are, and finally, how sorry you are. Consider the email from Gabe Newell, head of the game company Valve, which, at the time, had 30 million active accounts.
You will communicate once more, after your full investigation, but we’ll get to that.
If you’re a medium or larger organization, your IT person (or department) will already be in full battle stations mode. If this is the case, order coffee and doughnuts for their war room and stay out of the way.
If you’re a smaller business and don’t have a dedicated IT person, you will need to pay an IT freelancer to help you solve your problem. IT security is not an area where you want to cut corners and save money. Think of all your valuable business data: customer credit cards, clients’ intellectual property, banking records. All of these deserve better than cut-rate IT.
Make sure you and your IT support document everything you can about the breach. When you’re conducting a post-mortem, you want the who, what, when, where, how, and why in as much detail as possible. This will help you prevent future attacks, prepare a better response to future incidents, and may help you in the case of legal action.
Report to the Government
The law regarding data breaches in Canada is changing. Under amendments to the Personal Information Protection and Electronic Documents Act, you will soon be legally obligated to report your data breach to the Office of the Privacy Commissioner of Canada. Be aware that if you do business in the United States, you will also have to report your breach there, although different states have different laws. You can find a summary here.
Communicate a Second Time
Once you have a full picture of what happened, communicate to all relevant parties a second time. You should explain what happened, exactly what data was compromised, how you will remedy the situation, and once again apologize.
The Bottom Line
If a data breach sounds like a bad day at the office, you’re right. The sad truth is that only 31% of SMBs actively guard against breaches. That’s too bad, because 70% of attacks are against SMBs, such attacks cost around $36,000, and it’s estimated that 60% of SMBs go out of business within six months of an attack.
A data breach is one of the worst kinds of disasters a modern business can face, and we’ve written this because it’s a good idea to know how to respond to a disaster. However, it’s even better to guard against disaster in the first place. Most SMBs don’t guard against data breaches, but yours should. If you’re unsure what your protections against data breaches are, speak to your IT department right away.