You’ve been hacked.
It’s every small business owner’s nightmare. And with cybercrime on the rise, it’s not so much a question of if your business gets hacked, but when.
And don’t assume that being a small business makes you immune. 85% of cyber attacks are on small businesses – that’s around 4,000 every day.*
So what should you do when it happens to you?
First, disconnect your device(s) from the network and from the internet.
Tell your customers. Fast.
State law varies on how fast you need to get the word out, but speed is of the essence here. So unless an investigation by law enforcement is in progress, you should report the data breach as quickly as possible.
You’ll need to notify every customer in writing that:
- A data breach has occurred
- The date it happened
- What kind of information has been compromised (was it credit card numbers, social security numbers or driving license details that were stolen?)
- Where they can find more information: a website or a 1-800 number
- Details of credit monitoring agencies that will keep track of any fraudulent activity on their accounts
- What you’re doing to fix the problem
Find the cause
You need to find out how the breach happened. How were the hackers able to get in?
The most common causes of a data breach are:
- Weak/stolen passwords
- Device loss/theft
- Out of date software and/or IT systems
- Malware (malicious software)
- Use of unsecured networks (like public Wi-Fi)
But it can be difficult to identify the problem, so if you don’t have an in-house IT specialist, you might want to bring one in.
Once you’ve answered the ‘how’, you need to work out the ‘which’, ‘what’ and ‘who’:
Which computers and accounts have been compromised?
What data has been accessed or stolen?
Who’s affected? Your employees? Your customers? Your partners?
Check state law
Make sure you’re up to date on state laws around data breaches. California currently has the strictest statutes. It even has a template for businesses to follow when they’re informing customers.
The length of time you’re required to offer credit monitoring services to customers also varies from state to state. So do check. And do bear in mind that if you do business nationally, you may have to comply with as many as 46 different state laws.
And if you have to report a data breach to more than 500 customers, you’ll need to file a notice with your state attorney general’s office.
Contact law enforcement
Like any crime, cybercrime needs to be reported to law enforcement. So if the breach was caused by the theft of a device, a deliberate action by an employee, or a hack, tell the police.
In its attempt to crack down on cybercrime, the FBI wants the public to immediately report suspected criminal internet activity. But while over 350,000 cybercrimes were reported to its dedicated Internet Crime Complaint Center (IC3) last year, the FBI estimates only 15% of victims actually report cybercrimes to law enforcement.
When your hands are full dealing with the fallout of a data breach, getting the police involved might seem like just another drain on your time. But if you’ve lost customer data, showing your business takes cybercrime seriously enough to try and track down the perpetrators is good for your reputation.
And maintaining your reputation after a cyber attack is vital. Even some of the big brands have failed to recover properly from a data breach, partly because of the damage done to their reputation.
Contain the damage
What’s worse than a data breach? Multiple breaches. So, once you’ve identified what caused yours, you need to remedy the situation as quickly as possible and contain the damage.
Shut down your website while you clean up. Run an anti-virus program. If hackers stole your passwords, create new, more complex ones that’ll be harder to crack. Remove infected computers and either reformat them or replace them.
If the hackers got in because of a software flaw, you could try fixing the problem with a patch. The software manufacturer should be able to supply one.
Rebuild and revisit your security
If you’ve been able to restore data and assets lost in the incident, you’ll want to put technology in place to help deter future attacks. Make sure your security defenses are running properly and data is being backed up securely. Check that your software and operating system are up to date and are getting automatic updates and bug fixes.
Get an IT expert involved if you haven’t already, and ask them to advise what security measures you need to put in place.
Learn from your mistakes
54% of small business owners have no disaster recovery plan in place. A business continuity plan documents all the steps you need to take if there’s an incident that disrupts your business. And if you store or send any amount of data, you should have a detailed, step-by-step plan of what action needs to be taken if your business is hacked.
If you do have a recovery plan, you might want to review it. You might also want to update your firm’s policies on data security. Do your staff need more regular training? Should you be carrying out more regular tests so you can identify any weak spots in your defenses before they can be attacked?
Be prepared – get cyber coverage
It’s not the cyber attack itself that will shut your firm down, it’s the recovery cost. And as this averages around $120,000, it’s no surprise 60% of small businesses go under within six months of an attack.*
Cyber liability insurance can take care of these expenses, including:
- The cost of investigating a data breach
- The cost of telling your customers there’s been a breach
- Legal fees and compensation costs if you’re sued for losing someone’s data
- Defense costs if you face legal action by local or federal authorities
- Payment of regulatory penalties or fines
- The costs of restoring data, systems and your website
- Income lost and extra expenses if a cyber attack stops you doing business
- Credit monitoring for victims of identity theft
- The cost of restoring your reputation and managing customer relationships
Cyber insurance can’t stop an attack, but it does mean your business will survive one.
You’ll find answers to some common questions about cyber insurance on our blog.
And for a free, all-you-need-to-know guide to keeping your business safe, download our Big Guide to Small Business Risk.
*statistics – USLI (Federal Trade Commission Statement, March 2017).