While most small businesses won't have to deal with a data breach, it's critical to be prepared in case your company's digital data is stolen or compromised by hackers. While larger companies tend to be the focus of media coverage, the reality is that small businesses are also victims of data breaches. According to the Verizon 2021 Data Breach Investigations Report,1 small businesses (with fewer than 1,000 employees) were victims in 1,037 incidents, and in 263 of those cases, data was confirmed stolen.

“Small businesses understand the importance of cybersecurity and the need to protect their networks and data, but many feel overwhelmed about how to address the myriad of cyber threats they face,” said Tom Pahl, Acting Director of the Federal Trade Commission’s Bureau of Consumer Protection. The FTC initiated a campaign in 2018 to help educate small businesses on how to help strengthen their cyber defenses and safeguard the sensitive data they store.2

A data breach can compromise information about your customers, or even your suppliers or partners. It can harm your reputation, as well as your bank account, while also leaving you with a feeling of vulnerability. It's critical that you take the proper measures to prepare for and help prevent breaches.

Have an incident response plan

For starters, you need to have an incident response plan: "a systematic and documented method of approaching and managing situations resulting from IT security incidents or breaches."3

While this is a term generally used at the enterprise level, small and medium-sized businesses (SMBs) can utilize a similar strategy at their own scale. According to Techopedia, the plan should consist of these six components:

  1. Prepare your staff and organization beforehand
  2. Identify the incident
  3. Contain the breach
  4. Fix the problem that caused the breach
  5. Recover the data
  6. Identify lessons learned

Your plan should include details of what should be done, as well as which staff members would be in charge of which aspect of the plan. Who would interface with the IT team and pass their messages on to the rest of the company? Who would craft and send out a communication to those affected? Templates and examples of incident response plans can be found online to help you put your own version together.

Have a business continuity plan

In addition to an incident response plan, you also need a business continuity plan that can go into effect if a breach occurs and upsets your operations. A business continuity plan generally focuses on how to continue operations in the event of a natural disaster like a flood or earthquake, but in this digital age, a major hacking incident that interrupts computer operations can have results that are just as disastrous.

Try to imagine how your operations would be affected in a data breach, and what procedures you’d have to implement to get up and running again. The Department of Homeland Security details how you can set up a business impact analysis.4 Could you operate without computers for a short period of time? If not, how would you communicate with customers and vendors to let them know you’re temporarily closed? Could your team do some work offline or on their own computers, and then upload it once the system is up and running again? Your plan should involve regular testing to make sure people are prepared in advance. TechTarget has a good template for a digital disaster recovery plan.5

Make sure everyone is on the same page

Your incident response and business continuity plans should be easily accessible and made clear to everyone. Employees should know and understand all policies related to use of the IT infrastructure and how it pertains to their jobs. Make sure that information about cybersecurity and your planned response to a data breach is included in new employee orientation and reviewed periodically by all employees.

Respond to breaches quickly

Finally, in the event a breach does occur, it's important to respond as quickly as possible. If you have your plans in place and are able to follow through on them, that will make this step easier. Assess the breach and determine its scope so you know what you're dealing with. Note when and how the breach occurred if possible, as well as when and how it was discovered. Be sure to document who discovered and reported the breach and when. Notify the police as soon as possible and provide them with as much detailed information as you can.

Most business owners don't expect to be the target of a data breach, and probably won't be, but you can't be too careful. Plan ahead and respond accordingly if a breach occurs.

  1. https://www.verizon.com/business/resources/reports/dbir/
  2. https://www.ftc.gov/news-events/press-releases/2018/04/ftc-launch-campaign-help-small-businesses-strengthen-their-cyber
  3. https://www.techopedia.com/definition/16513/incident-response-plan
  4. https://www.ready.gov/business-impact-analysis
  5. http://searchdisasterrecovery.techtarget.com/feature/IT-disaster-recovery-DR-plan-template-A-free-download-and-guide


The information provided is presented for general informational purposes only and does not constitute tax, legal or business advice. Any views expressed in this article may not necessarily be those of Nevada State Bank, a division of Zions Bancorporation, N.A. Member FDIC