While most small businesses won’t have to deal with a data breach, it's critical to be prepared in case your company’s digital data is stolen or compromised by hackers. While larger companies tend to be the focus of media coverage, the reality is that small businesses are the most common victims of data breaches. According to the Verizon 2018 Data Breach Investigations Report [1], small businesses represented 58 percent of data breach victims.
“Small businesses understand the importance of cybersecurity and the need to protect their networks and data, but many feel overwhelmed about how to address the myriad of cyber threats they face,” said Tom Pahl, Acting Director of the Federal Trade Commission’s Bureau of Consumer Protection. The FTC recently announced a campaign to help educate small businesses on how to strengthen their cyber defenses and protect the sensitive data they store. [2]
A data breach can compromise information about your customers, or even your suppliers or partners. It can harm your reputation, as well as your bank account, while also leaving you with a feeling of vulnerability. It's critical that you take the proper measures to prepare for and help prevent breaches.
Have an incident response plan
For starters, you need to have an incident response plan: "a systematic and documented method of approaching and managing situations resulting from IT security incidents or breaches." [3]
While this is a term generally used at the enterprise level, small and medium-sized businesses (SMBs) can use a similar strategy at their own scale. According to Techopedia, the plan should consist of these six components:
- Prepare your staff and organization beforehand
- Identify the incident
- Contain the breach
- Fix the problem that caused the breach
- Recover the data
- Identify lessons learned
Templates and examples of incident response plans can be found online to help you put your own version together.
Have a business continuity plan
In addition to an incident response plan, you also need a business continuity plan that can go into effect if a breach occurs and upsets your operations. A business continuity plan generally focuses on how to continue operations in the event of a disaster, but in this digital age, a major hacking incident that interrupts computer operations can have results that are just as disastrous. Try to imagine how your operations would be affected in a data breach, and what procedures you’d have to implement to get up and running again. The Department of Homeland Security details how you can set up a business impact analysis. [4] Your plan should involve regular testing to make sure people are prepared in advance. TechTarget has a good template for a digital disaster recovery plan. [5]
Make sure everyone is on the same page
Your incident response and business continuity plans should be easily accessible and made clear to everyone. Employees should know and understand all policies related to use of the IT infrastructure and how it pertains to their jobs. Make sure that information about cybersecurity and your planned response to a data breach is included in new employee orientation and reviewed periodically by all employees.
Respond to breaches quickly
Finally, in the event a breach does occur, it's important to respond as quickly as possible. If you have your plans in place and are able to follow through on them, that will make this step easier. Assess the breach and determine its scope so you know what you're dealing with. Note when and how the breach occurred if possible, as well as when and how it was discovered. Be sure to document who discovered and reported the breach and when. Notify the police as soon as possible and provide them with as much detailed information as you can.
Most business owners don't expect to be the target of a data breach, and probably won't be, but you can't be too careful. Plan ahead and respond accordingly if a breach occurs.
The information provided is presented for general informational purposes only and does not constitute tax, legal or business advice. Any views expressed in this article may not necessarily be those of Nevada State Bank, a division of ZB, N.A. Member FDIC