Small Business Data Breach Recovery Guide

Employees don’t typically think of themselves as being on the “front lines” of digital security for a business. A quick audit of the staff at any small or medium-sized business would likely reveal a wide range of “expertise” when it comes to security knowledge.

This is part of the reason that the dual-role employee is inevitably a staple in every small business. In many cases the accounting department also acts as IT support, or some equivalent arrangement exists. We’ve talked about this being an “OK” solution for a short time.

Ultimately, the patchwork nature of this process becomes unstable and will lead to even more disaster.

This is DOUBLY true when it comes to cybersecurity. Assuming that staff all share a collective intelligence about cybersecurity is problematic. In the modern business landscape, when data can be a business’s most valuable asset, employees of a business are the proverbial DOOR which allows or denies hackers the opportunity to steal and exploit that data.

The landscape of cybersecurity is constantly changing as criminals invent new ways to engage in theft. Unfortunately, humans are still the weakest link in this chain. Since the frequency of attacks won’t be decreasing, we wanted to discuss exactly what a data breach means for a company today, and some ways that teams can keep the digital door closed to would-be hackers.

What A Cyberattack Means for a Business

When we said that humans are still the most common cause of a data breach, it wasn’t simply in reference to staff. Executives, too, are duped by hackers in a variety of ways.

The most common culprit is a phishing scam.

In 2017, the Identity Theft Resource Center (ITRC) noted that there was a 126% increase in the number of records exposed by data breaches which contained sensitive, personally identifiable information. With so many high-profile breaches making headlines recently, cybersecurity professionals stress that the public needs to stop asking what if and start preparing for when their information is compromised.

This doesn’t excuse companies that are the source of a data breach. Far from it.

Consumers are holding companies more responsible when it comes to handling sensitive data, and regulators in the United States are not far behind. So, what are some general rules to follow for a company that’s been the victim of a data breach?

Understand Obligations, Secure the Leak, Understand Details, Act Quickly

Timing is extremely important for businesses (and their customers) in these situations. But it’s also essential to understand what happened before the announcements start coming from the business. In some cases, the announcement of a data breach before all the facts are present can make the situation worse.

Federal and state laws dictate how notification needs to occur for certain industries, so understanding these obligations should be priority number one. Legality aside, companies that are straightforward with their customers stand a better chance of mitigating damage to the reputation of their business.

While this is happening, a forensics team should be working to quickly fix the vulnerability that caused the data breach. Failing to “plug the hole” can lead to repeat attacks, which creates more headaches.

The team dedicated to investigating the breach can include a variety of disciplines, but it often combines people from information security, legal, information technology (IT), human resources, management, communications and others.

The Federal Trade Commission has a guide for businesses that have suffered a data breach. It offers this advice for stopping additional data loss:

Take all affected equipment offline immediately — but don’t turn any machines off until the forensic experts arrive. Closely monitor all entry and exit points, especially those involved in the breach. If possible, put clean machines online in place of affected ones. In addition, update credentials and passwords of authorized users. If a hacker stole credentials, your system will remain vulnerable until you change those credentials, even if you’ve removed the hacker’s tools.

When the vulnerability has been identified and patched, and all the data has been collected and analyzed, the dialog with the public can be much more actionable. This announcement can include internal staff as well as external clients, customers, etc. In general, it’s helpful to be sincere in communicating the issue and to provide as much detail as possible.

Customers are naturally going to start to digest what this means for them, so companies should make a point of sharing their conclusions about the event and describing potential remedies for users who were impacted. And don’t be afraid to invite a dialogue about the event. Customers knowing that a business has an interest in their well-being after the event can create more goodwill in the long run.

Internal educational efforts are perhaps the greatest tool a company has toward safeguarding their data.

Class is in Session

By now, the headline-grabbing data breaches involving major technology companies like Yahoo, Facebook and Experian have earned privacy and digital security a spot within the mainstream conversation. This article won’t be able to provide a comprehensive, one-size-fits-all guide for educating staff about cybersecurity.

A security audit with a managed service provider can provide insight that an internal team (not the accounting team doubling as IT) might be missing. But there are some general guidelines that are worth following when it comes to educating your staff about cybersecurity.

  • Ensure staff understand the data being collected and why – Everybody is busy at their job, and in some cases the silo effect takes over. Something as simple as understanding WHAT data is being collected from customers, and WHERE it’s being stored, can make a huge difference in the kind of diligence employees show toward cybersecurity.
  • Avoid scare tactics – Building awareness and obtaining buy-in from staff is easier with a carrot than a stick. The goal at the end of the day is to improve security and awareness; employees who feel anxious about making a mistake are less likely to retain the information.
  • Avoid using email as the delivery platform – This might come as a surprise, but sometimes employees ignore emails. With a topic as important as cybersecurity, this information is better presented in an “all-hands” format, if possible. Consider a semi-formal presentation with videos or infographics. These training sessions can be a great way to provide examples of what a phishing email could look like, and how to tell whether the sender of the email is legitimate or a hacker in disguise.
  • Introduce staff to outside technology partners (if used) – It’s increasingly common for businesses to outsource network security services and IT support to managed service providers (MSPs). Including information about the vendor, what they do, and how to contact them in the event of an emergency can go a long way if an employee suspects something unusual is happening within the network.

Education is the best defense against cybercriminals, especially as the threat landscape continues to evolve.

Simply put, employees don’t know what they don’t know, and not everyone spends their downtime reading up on cybersecurity (we do, but that’s different). As we put it in our February Newsletter, leaving cybersecurity for your entire business in the hands of an antiquated antivirus program and wishful thinking is irresponsible at best, and more likely a ticking time bomb waiting to wreak havoc on the reputation of your business and the security of your customers.