You’ve just got word that your website host has become the victim of a data breach.
And although the full extent is still unknown, it’s entirely possible your business has lost control of sensitive client information or other important data.
How you respond from here is of utmost importance.
After all, the cost of a data breach will frequently run into the millions.
This article explains what to do should you find yourself in this terrifying and increasingly common situation.
Prepare Ahead of Time
Granted, it’s a little late now to write an in-depth incident response plan. However, proper preparation is so important that we’ll cover it all the same.
After all, “prevention is better than cure,” as the old saying goes.
Work closely with your web host to ensure your software is up to date and the latest security protocols are in place.
If you’re running a business that deals with highly sensitive data, it’s best to invest in a system capable of providing a high level of security such as a dedicated server.
Aside from tightening up these areas, you’ll also want to draw up a data breach response plan ahead of time which includes the contact details of relevant third parties.
On a related note, you may also want to check out this article on ten things to learn from web host data breaches.
Review Your Obligations
Depending on where you’re based and the specifics of the breach, you may be obliged to report the situation to customers and the authorities within a set timeframe. Failing to comply with such legal obligations will add significantly to the magnitude of the breach.
Ask your web host if they can provide advice on who must be informed and when. If they’re unable to help, consider consulting an attorney.
Be careful not to forget your ethical obligations either. Oftentimes, it’s better to provide more information than what is legally required in order to keep customers informed and prepared.
Keep Calm and Follow Protocol
Take a deep breath and try not to panic.
The last thing you want is to formulate a haphazard response. In fact, studies show businesses that rush their responses lose more money in the long run. Follow your incident response plan methodically while ensuring you comply with all regulatory requirements.
A reputable web host will be able to help with a response plan, which typically follows these steps:
1. Identify the Breach
Work out how the breach occurred. Was it the result of ransomware, malware, an open firewall port, outdated software, or perhaps just a lost laptop?
2. Isolate the End Points
Once you’ve figured out how the bad guys got in, it’s time to find a way to keep them out. Isolate the vulnerable system and take the affected endpoints off the network to prevent further intrusion.
3. Let the World Know
Communication is a key component of an effective data breach response plan. More often than not, it’s a legal requirement as well.
Immediately let your staff, vendors, and third-party suppliers know about the data breach and how it affects them. Train in-house staff on how to respond to outside inquiries, which usually entails referring the matter to your public relations team.
Promptly inform customers of what’s happened, what data is at risk, and what you are doing to rectify the situation.
4. Investigate, Document, and Improve
Treat your data breach as a learning experience by investigating and documenting the relevant details.
Throughout the process, capture and log every finding and action taken so you can perform an in-depth analysis afterwards.
Among other things, you’ll need to validate the breach, identify vulnerabilities, and formulate a mitigation and remediation plan.
Could you improve your network endpoint security, update your antimalware tools, or improve your antiphishing policies? Now is the time to earmark potential security improvements to safeguard your business from future data breaches.
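A small incident log like the one the four steps above call for, as an added example (not from the original article or any particular product): each dated entry records a phase of the response, and the summary reports time to containment, time to customer notification, and whether notification met a deadline. The 72-hour deadline and the log lines are assumptions constructed for illustration; the real timeframe depends on your jurisdiction.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed notification deadline; the real figure depends on where you are based
# and on what data was exposed, so treat this as a placeholder.
NOTIFY_WITHIN = timedelta(hours=72)


@dataclass
class Event:
    when: datetime
    phase: str   # detected | identified | contained | notified | lesson
    note: str


def parse_log(lines: List[str]) -> List[Event]:
    """Parse 'ISO-timestamp|phase|note' lines into time-ordered Event records."""
    events = []
    for line in lines:
        when, phase, note = line.split("|", 2)
        events.append(Event(datetime.fromisoformat(when), phase.strip(), note.strip()))
    return sorted(events, key=lambda e: e.when)


def first(events: List[Event], phase: str) -> Optional[datetime]:
    """Timestamp of the first event in the given phase, or None if it never happened."""
    return next((e.when for e in events if e.phase == phase), None)


def hours_between(start: Optional[datetime], end: Optional[datetime]) -> Optional[float]:
    return None if start is None or end is None else (end - start) / timedelta(hours=1)


def summarize(events: List[Event]) -> dict:
    """Metrics a post-breach review needs: containment time, notification time, lessons."""
    detected, contained, notified = (first(events, p) for p in ("detected", "contained", "notified"))
    to_notify = hours_between(detected, notified)
    return {
        "hours_to_contain": hours_between(detected, contained),
        "hours_to_notify": to_notify,
        "notified_in_time": None if to_notify is None else to_notify <= NOTIFY_WITHIN / timedelta(hours=1),
        "lessons": [e.note for e in events if e.phase == "lesson"],
    }


SAMPLE_LOG = [  # constructed sample entries, not a real incident
    "2024-03-01T09:00:00|detected|Host support reports suspicious logins on the shared server",
    "2024-03-01T11:30:00|identified|Outdated CMS plugin allowed unauthenticated file upload",
    "2024-03-01T13:00:00|contained|Site taken offline, credentials rotated, plugin removed",
    "2024-03-03T15:00:00|notified|Customers and regulator emailed with facts and remediation steps",
    "2024-03-05T10:00:00|lesson|Add automated plugin update checks to the hosting SLA",
]

if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```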
Get Professional Help
Of course, following the above data breach response plan is easier said than done. After all, many small to medium-sized businesses just don’t have the in-house expertise. In these situations, it’s wise to seek outside help.
Depending on the specifics, your web host may be able to offer some assistance. However, it might be necessary to contract third-party specialists as well. Website security platforms such as Sucuri can be perfect for this purpose.
Legal firms can advise on reporting obligations, cyber-security specialists can provide technical assistance including a post-breach security analysis, and public relations firms can help formulate an effective communication plan.
Obviously, all this outside help is going to be expensive. However, depending on the nature of the breach, it could well prove to be a wise investment. A proper and professional response will reduce consumer fallout, rebuild trust in your brand, and ensure your business doesn’t make the same mistake again.
Tell the Truth, the Whole Truth, and Nothing but the Truth
Transparency is another crucial factor in responding to a data breach. Businesses must not only inform their customers of the occurrence, but also endeavor to be as honest and accurate as possible.
Use a variety of channels including social media and email to achieve the greatest communication reach. Clearly outline the facts as well as the steps your business has taken to mitigate the issue.
Not only will this approach help keep customers onside, but it may also be a necessary part of complying with your cybersecurity insurance policy if you have one.
Online payday loan company Wonga provides a great example of what not to do. Rather than promptly and directly informing affected customers, they uploaded a small notice in a difficult-to-see section of their website. Understandably, consumers weren’t impressed.
Don’t Forget Your Customer Service
Your resources will be stretched in the event of a data breach. Nevertheless, it’s paramount to keep customer service at the forefront during the entire ordeal.
Focus on customer service as a separate issue, especially if the breach has directly affected the customer experience. It may be necessary to train staff on how to deal with anxious customers or even contract additional help.
If possible, look for cost-effective ways to compensate affected customers.
Under no circumstances should you attempt to profit off the situation. Remember the Equifax data breach? The company later tried to charge anxious customers for freezing their credit reports, which further tarnished their already-battered reputation.
Responding to a Data Breach
Data breaches are a sad reality of the modern world, and small to medium-sized businesses are no less at risk.
By following an incident response plan with a methodical approach, you can reduce the impact of the breach and minimize the likelihood of it happening again.
The Average Cost Of A Data Breach Is Highest In The U.S. [Infographic]: https://www.forbes.com/sites/niallmccarthy/2018/07/13/the-average-cost-of-a-data-breach-is-highest-in-the-u-s-infographic/#5af5b8f32f37
Data Breach: Why Small to Mid-Sized Businesses Are More Vulnerable Than You Think: https://www.ssnesbitt.com/small-mid-data-breach-vulnerability/