Attacks on small- and medium-sized businesses, including startups, get less media attention but those organizations have just as much to lose.
More than half (55 percent) of the nearly 600 small- and medium-sized businesses surveyed by the Ponemon Institute reported being hit by a cyber attack in the past year, and 50 percent said they experienced a data breach involving customer and employee information over the same time period. It cost these companies an average of $879,582 in damage to or theft of IT assets and an average of $955,429 due to the disruption of operations, according to Ponemon’s “State of Cybersecurity in Small- and Medium-Sized Business,” which was released in June 2016.
The survey revealed, among other things, that negligent employees or contractors and third parties caused most data breaches. Strong passwords and biometrics are believed to be an essential part of the security defense; however, of the companies that have a password policy, 65 percent said they do not strictly enforce it. Further, many respondents reported they do not require employees to use a password or biometric to secure access to mobile devices.
Many small companies say they don’t have sufficient personnel, budget or technologies to support strong security measures. According to respondents, the biggest problem is not having enough personnel to mitigate cyber risks, vulnerabilities and attacks (67 percent). Insufficient budget (54 percent) and insufficient security technologies (44 percent) were also cited.
Given the likelihood of a cyber attack, it’s crucial to have a plan in place to handle the aftermath. The Federal Trade Commission (FTC) recently issued guidelines on how to recover from being hacked. “Data Breach Response: A Guide for Business” covers how to secure operations, fix vulnerabilities and report the incident to the appropriate authorities. Of course, the exact steps will depend on the scope and nature of the data breach and the structure of each business.
Secure operations. Start by assembling a team to investigate the breach and respond. This may include IT, legal, operations, human resources and communications personnel. Consider hiring independent forensic investigators to help determine the source and scope of the breach.
Prevent additional data loss by taking all affected equipment offline immediately until it can be examined by forensics experts. Remove any improperly posted information from your website and search for the exposed data to make sure that no other websites have saved a copy. Finally, change the credentials and passwords of authorized users.
Fix vulnerabilities. First, examine what personal information service providers can access and decide if you need to change their access privileges. Verify that service providers are taking the necessary steps to prevent another breach.
Check your network segmentation to determine whether your segmentation plan was effective in containing the breach and find out if measures such as encryption were enabled when the breach happened. Review logs to determine who had access to the data at the time of the breach. Also, analyze who currently has access to the data and who needs to continue having it during the recovery period.
Determine your legal obligations. It may be necessary to hire outside legal counsel to determine and address state and federal legal obligations. Most states have legislation requiring notification of security breaches involving personal information. Additional regulations may apply depending on the type of data involved in the breach.
Notify the appropriate authorities. Call the local police department immediately to report the situation and the potential risk for identity theft. In the event that local police aren’t familiar with investigating data breaches, contact the local office of the FBI. If a data breach involved electronic health information, your business may be covered by the Health Breach Notification Rule. In that case, the FTC must be notified. If your business is covered by the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, the U.S. Department of Health and Human Services must be notified.
Communicate with affected audiences. A comprehensive communication plan should address all affected audiences, including employees, customers, investors, business partners and other stakeholders. Anticipate questions that people will ask following the data breach and don’t withhold key information that might help consumers protect themselves and their personal data. Do not publicly share information that might put consumers at further risk.
If account access information such as credit card or bank account numbers has been compromised but your business doesn’t maintain those accounts, notify the institution that does so it can monitor those accounts for fraudulent activity. If your business collects or stores personal information on behalf of other businesses, notify them of the data breach.
The odds of getting hacked are higher than ever these days, but too many small companies believe they don’t have enough resources to protect themselves against hackers, much less the resources to mount an investigation and notification plan. Yet any business that handles consumers’ sensitive personal information is subject to certain legal obligations and therefore can’t afford to respond inadequately to a cyber attack.