Data breaches have been in the news of late. They range from seemingly minor incidents to those which affected hundreds of thousands of customers at companies
like search engine giant Google. The breaches can be relatively innocuous, such as an email address being exposed; to critical, where clients’ sensitive data is exposed and monetary losses are realized. Exposing your clients’ data can strain relationships and even put your business’s survival at risk if they are severe enough.
So what should you do if you’ve been hacked? Here is our list of 7 things you should do before/after you discover you’ve been hacked:
1. Be prepared – You should have a plan in place prior to any adverse event. Develop and stress test your disaster communications BEFORE anything negative occurs. This plan should have a list of potential events that would require an immediate and measured statement from the company.
2. Data theft can shut down your business for weeks or months while IT experts work to re-secure your network. You’ll need to do serious damage control with your existing customers, and create ways to keep sales channels open. These might include having a backup network or reverting to old-fashioned methods of selling, such as taking orders by phone or paper.
3. Know the law – There are serious potential consequences in failing to properly report and manage a data breach. Make sure you know the applicable state and federal laws as well as who must be notified and how quickly this must occur.
4. Inform your clients – As soon as you become aware of a breach, notify your clients. You should make them aware as soon as practicably possible. The only exception is when law enforcement is involved and has specifically instructed you not to disclose the breach. Every customer should be notified in writing. The written notification should inform them of the time, nature and extent of the breach and what data was exposed.
5. It is also advisable to set up a dedicated phone line to handle customer inquiries related to the breach. Most companies elect to pay for a subscription service to one of the credit monitoring services. Be advised that certain states (California for example) require that a specific template and verbiage be used when a certain number of parties are affected.
6. File appropriate notifications – Notify local and federal law enforcement; the level of their involvement will depend on the size, scope and nature of the breach. State law may also require you to notify the state attorney general’s office. Some regulated industries have specific rules related to notifications. For example, companies regulated by the SEC, FINRA or that fall under HIIPA have specific protocols for handling data breaches.
7. Call in an expert – Forensics and cyber security teams can determine how a breach happened, and in some cases even who did it. Most importantly, they can help harden your defenses and take steps to reduce the likelihood of a recurrence.
8. Consider getting cyber insurance – Some specialty insurers offer cyber insurance which indemnifies the company against losses related to a breach. The cost of this insurance can vary by state, industry and company size. Cyber insurance may also reimburse a firm for the cost of remediation of system(s) and providing credit monitoring.
- Implement IT best practices – If individuals have access to import systems or IT infrastructure, they should be following best practices. Frequent changes of passwords and the use of complex, non-reusable passwords is a must. Restrict the use of unapproved programs and media from the network. Computers should use locking screensavers and be physically secured when not in use. Guest Wi-Fi should be segregated from business networks. Key servers and network infrastructure should be kept in a physically secure, failsafe environment.
Thoughtful advanced planning can go a long way towards securing your organization against hackers, ransom seekers and ne’er-do-wells. But if a breach does happen, act swiftly and control the situation as quickly and thoroughly as possible.
