Data breaches are occurring with sickening regularity. The major media covers the largest and most newsworthy of these events, reporting on the numbers of accounts that were hacked, the money lost and the impact on business. You can appreciate the major disruption in business and the overall impact of the breach, but for most small businesses there is also the feeling of “we’re too small, so it probably will never happen to us.”
I wish you were correct, but unfortunately that’s not the situation. Small to mid-sized companies are hacked as well, and although it won’t be reported in the media, be certain that the incidents have caused stress, pain, and suffering.
Here are three things you must do if your business has been hacked:
- Take action and inform your customers
We’ve heard about the good, the bad and the ugly when it comes to letting people know about the incident and it appears that many large companies did not immediately report the situation to the very people whose information was stolen. In some cases, it was months or years later before the news “got out.” You have an obligation to inform your customers as quickly as possible even if you are still in the midst of investigating the situation in its entirety. State laws will vary on the speed with which the information needs to be sent out, whether or not you must provide impacted consumers with credit monitoring for a specific period of time and whether or not you need to file a notice with the state attorney general’s office. Learn about your specific obligations BEFORE an incident occurs so that you will be ready to act should there be a data breach.
- Immediately activate your contingency plan
If you’ve been hacked you will get a very fast education on exactly how dependent you are on your IT infrastructure and how much your business can suffer if you have to shut down for any length of time. I am hoping that well before a data breach occurs you have created a contingency plan that allows you to be operational while your cyber security resources get you back up and running. Clearly, a contingency plan has to be created in ADVANCE of an incident and so if you are reading this and have nothing in place, take heed. Creating the plan once the breach has happened is clearly too late. If you’ve been hacked, move fast so that the negative impact is reduced.
- Contact your cyber insurance provider
This is another example of being prepared. Cyber insurance is a “must have” for businesses that gather and retain critical customer data. Policies can vary depending on the data that you gather; however, the insurance is relatively inexpensive and can save you a significant amount of money in the long run. While having the insurance will not prevent a breach, it can give you the peace of mind that comes from knowing your financial exposure will be limited.
Of course, the very best strategy is to know exactly where you are vulnerable, make any appropriate changes and then put in place cyber security monitoring that can minimize your susceptibility.
For more information and a frank discussion about cyber security, feel free to contact me at firstname.lastname@example.org.