It goes without saying that Number One among a list of data breach recovery tips is… Prevention! Do everything you can to make sure it doesn’t happen! Ever!
It also goes without saying that, when human beings are involved, no prevention plan is foolproof. With this in mind, we would like to refer you to the Data Breach Recovery Guide for Business from the Federal Trade Commission (FTC).
Once you discover there’s been a breach, or may have been, STOP and do the following:
- Prevent additional loss of data – Once you’ve been hacked, the machines in your network become vulnerable to additional attacks. To prevent this from happening, you must immediately “Take all affected equipment offline immediately but do not turn any machines off until the forensic experts arrive … If possible, put clean machines online in place of affected ones. In addition, update credentials and passwords of authorized users. If a hacker stole credentials, your system will remain vulnerable until you change those credentials, even if you’ve removed the hacker’s tools.”
- Talk to anyone who discovered the breach – Gather all the information you can from anyone and everyone who may have realized your business data has been hacked. “Also, talk with anyone else who may know about it. If you have a customer service center, make sure the staff knows where to forward information that may aid your investigation of the breach. Document your investigation [and save it for investigators to review].”
Remove any private information that has been hacked and/or posted to the web.
- “Your website: If the data breach involved personal information improperly posted on your website, immediately remove it. Be aware that internet search engines store, or “cache,” information for a period of time. You can contact the search engines to ensure that they don’t archive personal information posted in error. (They’ll help you clear your cache.)
- Other websites: Search [the internet] for your company’s exposed data to make sure that no other websites have saved a copy. If you find any, contact those sites [to explain what happened] and ask them to remove it.”
If the data was stolen from a brick-and-mortar location, paper files you may have in storage for example, immediately take action to ensure you’re no longer vulnerable:
- Secure physical areas potentially related to the breach. Lock them down and change access codes, if needed. Ask your forensics experts and law enforcement when it is reasonable to resume regular operations.
- Closely monitor all entry and exit points, especially those involved in the breach.
- Save any evidence (or potential evidence). Don’t destroy any forensic evidence in the course of your investigation and remediation.
Readiness is Critical to Recovering from a Data Breach
Few small business owners can afford to invest in a full-time IT department, with experts who can help you recover from a breach, r put systems in place to prevent them. However, being ready to respond if you are hacked will go a long way toward ensuring you can recover.
If your business is not big enough to employ at least one “IT guy” (or gal), you’re going to need to outsource IT support services to a local company. These experts can help you with both prevention and recovery, through remote monitoring and on-site follow-up.
If you want to make sure you do not become one of the six in ten small businesses that go bankrupt after a data breach (see previous post), contracting with a reliable IT support company will be a solid investment.
They can also guide you through the requirements for notification of a data breach, both legal and ethical. Yes, there are a number of legal steps that must be taken, with the Breach Notification Rule, outlined by the FTC
Rules for Data Breach Notification
Protecting your client’s personal information, as well as your own, is your responsibility. With this in mind, and under the FTC’s Rule, companies that have had a security breach must:
- Notify everyone whose information was breached.
- Notify your bank and creditors that your information was stolen.
- Notify the credit bureaus, if necessary.
- In some cases, notify the media.
- Notify the FTC.
Now, having said all of this (and likely giving you a few nightmares), we will ask you to be patient with us because we will be sharing data breach prevent tips in our next post in this series.
In the meantime, the VBP team is here to help you with more data breach recovery tips, and prevention. If you have questions for us about cybersecurity for small businesses and how you can protect yours, get in touch with VBP today.