At the rate hackers are breaking into businesses' computer records, chances are unfortunately pretty good that your startup has already been compromised in some way. The odds are so strong, in fact, that the federal government recently released guidelines to help businesses of all sizes recover from a cyber attack.
Yahoo disclosed at the end of 2016 that a 2013 data breach put more than 1 billion customers’ accounts at risk—the biggest data theft of all time from a single website. This revelation followed the news that a 2014 breach compromised at least 500 million accounts. The Internet media giant blamed the second attack on an unidentified foreign government but said it had not identified the hackers behind the first one, the Associated Press reported in December. In both incidents, hackers accessed customers’ names, email addresses, phone numbers, birthdates and security questions and answers.
Data breaches make headlines when they occur at big companies that should have the resources to protect themselves from hackers. In addition to Yahoo, hackers victimized Snapchat, LinkedIn, and Verizon Enterprise Solutions, all in 2016 alone.
Attacks on small- and medium-sized businesses, including startups, get less media attention, but those organizations have just as much to lose.
More than half (55 percent) of the nearly 600 small- and medium-sized businesses surveyed by the Ponemon Institute reported being hit by a cyber attack in the past year, and 50 percent said they experienced a data breach involving customer and employee information over the same time period. It cost these companies an average of $879,582 in damage to or theft of IT assets and an average of $955,429 due to the disruption of operations, according to Ponemon’s “State of Cybersecurity in Small and Medium-Sized Business,” which was released in June 2016.
The survey revealed, among other things, that negligent employees or contractors and third parties caused most data breaches. Strong passwords and biometrics are believed to be an essential part of the security defense; however, of the companies that have a password policy, 65 percent said they do not strictly enforce it. Further, many respondents reported they do not require employees to use a password or biometric to secure access to mobile devices.
Many small companies say they don’t have sufficient personnel, budget or technologies to support strong security measures. According to respondents, the biggest problem is not having enough personnel to mitigate cyber risks, vulnerabilities and attacks (67 percent). Insufficient budget (54 percent) and insufficient security technologies (44 percent) were also cited.
Given the likelihood of a cyber attack, it’s crucial to have a plan in place to handle the aftermath. The Federal Trade Commission (FTC) recently issued guidelines on how to recover from being hacked. “Data Breach Response: A Guide for Business” covers how to secure operations, fix vulnerabilities and report the incident to the appropriate authorities. Of course, the exact steps will depend on the scope and nature of the data breach and the structure of each business.
Secure operations. Start by assembling a team to investigate the breach and respond. This may include IT, legal, operations, human resources, and communications personnel. Consider hiring independent forensic investigators to help determine the source and scope of the breach.
Prevent additional data loss by taking all affected equipment offline immediately until it can be examined by forensics experts. Remove any improperly posted information from your website and search for exposed data to make sure that no other websites have saved a copy. Finally, change the credentials and passwords of authorized users.
Fix vulnerabilities. First, examine what personal information service providers can access and decide if you need to change their access privileges. Verify that service providers are taking the necessary steps to ensure another breach does not occur.
Check your network segmentation to determine whether your segmentation plan was effective in containing the breach and find out if measures such as encryption were enabled when the breach happened. Review logs to determine who had access to the data at the time of the breach. Also, analyze who currently has access to the data and who needs to continue having it during the recovery period.
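The log review described above, as an added example (not code from the article or from the FTC guide): it assumes a constructed, simplified access-log format of "timestamp user action resource", a constructed breach window and a constructed current access list, and answers the two questions the paragraph raises: who touched the sensitive data store while the breach was underway, and which of those accounts still hold access today.

```python
"""Added example: answer "who had access to the data during the breach?" and
"who still has access now?" from access logs. The log format, account names,
breach window and access list are all constructed for illustration."""
from datetime import datetime, timezone

# Constructed sample log lines: ISO timestamp, user, action, resource.
SAMPLE_LOG = """\
2016-11-02T08:15:00Z alice READ customer_db
2016-11-02T09:40:12Z bob READ customer_db
2016-11-02T11:05:33Z svc-backup READ customer_db
2016-11-02T22:58:01Z contractor-7 EXPORT customer_db
2016-11-03T01:12:45Z contractor-7 EXPORT customer_db
2016-11-03T03:30:00Z alice READ hr_records
2016-11-04T10:00:00Z carol READ customer_db
"""

# Constructed breach window (what the forensic timeline established) and the
# current access list for the data store (what the directory/ACL says today).
BREACH_START = datetime(2016, 11, 2, 12, 0, tzinfo=timezone.utc)
BREACH_END = datetime(2016, 11, 3, 6, 0, tzinfo=timezone.utc)
CURRENT_ACL = {"alice", "bob", "carol", "contractor-7", "svc-backup"}


def parse_log(text):
    """Parse log text into (datetime, user, action, resource) tuples.

    Malformed lines are skipped rather than raising, so one bad line does
    not abort the review of an otherwise usable log."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append((ts.replace(tzinfo=timezone.utc), parts[1], parts[2], parts[3]))
    return events


def accessors_in_window(events, resource, start, end):
    """Map each user who touched `resource` within [start, end] to their (time, action) hits."""
    hits = {}
    for ts, user, action, res in events:
        if res == resource and start <= ts <= end:
            hits.setdefault(user, []).append((ts, action))
    return hits


def still_has_access(breach_users, current_acl):
    """Accounts that were active on the data during the breach and remain on the ACL.

    These are the first candidates for credential rotation or access removal
    during the recovery period."""
    return sorted(set(breach_users) & set(current_acl))


def review(log_text=SAMPLE_LOG, resource="customer_db",
           start=BREACH_START, end=BREACH_END, acl=CURRENT_ACL):
    """Run the full review and return a summary suitable for the response team."""
    events = parse_log(log_text)
    during = accessors_in_window(events, resource, start, end)
    return {
        "accessed_during_breach": {user: len(hits) for user, hits in during.items()},
        "still_has_access": still_has_access(during, acl),
    }


if __name__ == "__main__":
    summary = review()
    print("Accessed customer_db during breach window:", summary["accessed_during_breach"])
    print("Of those, still on the ACL:", summary["still_has_access"])
```

In this constructed data only `contractor-7` touched `customer_db` inside the window (two EXPORT actions), and that account is still on the access list, so it is the one to review first; the earlier daytime reads and the `hr_records` access fall outside the resource or the window and are not flagged. On a real system the same questions would be asked of the actual database, file-server or cloud audit logs, which is why the parser is isolated in its own function.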
Determine your legal obligations. It may be necessary to hire outside legal counsel to determine and address state and federal legal obligations. Most states have legislation requiring notification of security breaches involving personal information. Additional regulations may apply depending on the type of data involved in the breach.
Notify the appropriate authorities. Call the local police department immediately to report the situation and the potential risk for identity theft. In the event that local police aren’t familiar with investigating data breaches, contact the local office of the FBI. If a data breach involved electronic health information, your business may be covered by the Health Breach Notification Rule. In that case, the FTC must be notified. If your business is covered by the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, the U.S. Department of Health and Human Services must be notified.
Communicate with affected audiences. A comprehensive communication plan should address all affected audiences, including employees, customers, investors, business partners, and other stakeholders. Anticipate questions that people will ask following the data breach and don’t withhold key information that might help consumers protect themselves and their personal data. Do not publicly share information that might put consumers at further risk.
If account access information such as credit card or bank account numbers has been compromised but your business doesn’t maintain those accounts, notify the institution that does so it can monitor those accounts for fraudulent activity. If your business collects or stores personal information on behalf of other businesses, notify them of the data breach.
The odds of getting hacked are stronger than ever these days, yet too many small companies believe they don’t have enough resources to protect themselves against hackers, much less the resources to mount an investigation and notification plan. Any business that handles consumers’ sensitive personal information is subject to certain legal obligations and therefore can’t afford not to respond adequately to a cyber attack.
This article was written by Samantha Drake from Forbes and was legally licensed through the NewsCred publisher network.
- Chances Are Your Startup Is Going To Get Hacked – Here’s What To Do - February 6, 2017