You see it all the time—news stories about huge brands that are targeted in a data breach. As a consumer, you likely feel anger or at least annoyance each time a big business admits that a hacker has accessed your account. But as a small business owner, maybe you felt something else, that nagging fear in the back of your mind that it could be you next.
Small businesses are the victims of around 43% of data breaches. Yikes!
When it happens to you, it can feel like an insurmountable challenge. Getting hacked is bad, yes. But it’s manageable—as long as you know how to respond.
If you need to freak out, set a timer and give yourself a few minutes to scream and wail and punch a pillow. Get it all out. Then take a deep breath and get down to business.
The first thing you need to do is figure out exactly what’s going on. Before getting outside help, make sure you have the following information at hand:
- What kind of attack was it? Did an employee click the link in a phishing email and inadvertently load a virus to their device (and potentially others connected to it)? Or did a hacker find a vulnerability in your CMS or SaaS product that allowed them to slip in and access your data? Where the hack originated and whether it primarily affects a particular device or tech product will play a key role in determining the best way to handle it.
- How many customer accounts were affected?
- Can you identify the vulnerability that allowed the hack to happen and which devices are infected?
If you’re like most small business owners, you’ll be out of your depth figuring this out on your own. Research cybersecurity experts in your area who help small businesses and make some calls to find someone with the expertise to help you get answers. Before making a hire, ask them about specific times they’ve handled something similar for a client and what the results were. Hands-on experience is more important than flashy certifications.
Also check if they’re willing to help both with solving your current problem, and with setting you up with a stronger security foundation moving forward. Even better, will they train you and your team in the main cyber security skills you need?
Now it’s time to treat the problem and minimize damage as much as possible.
If the hack started with a virus loaded to a particular computer or device, figure out which machines are affected and take them offline to stop the risk of it spreading. If an employee’s account was used to infiltrate the system, revoke their access to the rest of the system while you work on the fix.
If the issue is tied to a compromised cloud product you use, work with the vendor to learn the extent of the issue and the best next steps to take. At the very least, you’ll want to change your passwords with them, but you may also want to consider an alternative product with better security.
Avoid taking your full network down if possible while you work on fixing the problem, as that would cause more disruption for your business. Disconnecting the main applications at fault and taking infected computers offline will help keep the rest of your system safe.
You may be a victim here, but that doesn’t mean you don’t have specific legal responsibilities. Set up a meeting with a lawyer who can keep you informed of any state laws that govern how you should handle a hack.
They’ll talk you through the steps to take to stay on the right side of the law as you manage the breach. For example, in Connecticut, a business is required to offer a free year of credit monitoring after a hack, a step it would be easy to overlook without a lawyer’s help.
This part’s hard, but necessary. Admitting what happened will lead to angry customers and may lose you the loyalty and trust of some. But sitting on the information when your customers could be taking steps to protect themselves is much, much worse. If it comes out later that you knew and said nothing, you’ll face far bigger consequences than being upfront to begin with. And in many cases, this step is a legal requirement.
In your notice to your customers, include:
- A report of what happened, including the type of attack it was and when it occurred.
- Details on any personal information that may have been compromised, such as email, password, address, credit card number, driver’s license number, or social security number.
- Information on what your company is doing to fix the problem and minimize risk to them.
- Suggestions for what they can do next to further protect themselves, such as setting up credit monitoring or freezing their credit accounts. Consider offering free credit monitoring to concerned customers as a courtesy.
Before you draft the notice, check with your lawyer to see if it meets the legal requirements for your state.
In some states, you’ll need to file a notice of breach with the state’s attorney general. Certain industries, such as health care and finance, have additional reporting requirements. The FTC also recommends calling your local police department (PD) to report the breach, or the local office of the FBI or Secret Service if your local PD is unfamiliar with how to handle a data breach.
If scrambling to get a data breach under control teaches you anything, it’s how much you never want to do it again. Use this as an opportunity to tighten your company’s security moving forward.
If you hired a cyber security expert to help you manage your data breach, they can be useful at this stage too. Create a plan that encompasses:
- Steps you can take now to improve your company’s cyber security
- Actions you and your team should take on a regular basis moving forward
- A strategy for handling a future hack
Everything’s easier to handle when you have a plan. Attach specific steps to clear deadlines so they actually get done.
Allowing multiple people backend access to your website and business applications is unavoidable in most businesses. But to reduce risk, you can place limits on the level of access each person has based on their role.
Website hosting companies generally allow you to control user permissions, as do many content management systems and applications. Wherever possible, limit access to just those people who need it to do their jobs.
Set up two-factor authentication.
Most people use the same password for multiple accounts; it’s human nature. But it means that if an employee’s password is revealed in another company’s data breach, a hacker could try to use it to access your internal systems.
Two-factor authentication provides an extra level of security by requiring a second proof of identity beyond the password, so that anyone who accesses an account is who they say they are. You can set it up for all internal employees (as well as customers), making it that much harder for outsiders to access any sensitive internal data.
Everything you do to protect your business can be negated in a moment by an employee error made out of ignorance. To avoid future data breaches and credit card fraud, your team needs some cyber security 101 training.
Some good lessons to include are:
- **Software and system update requirements:** These updates routinely provide security patches to vulnerabilities the vendor discovered. Train your employees to always update their OS, CMS, applications, plugins, and software as soon as a new version becomes available.
- **Strong password guidelines:** Common password options like “123456” and “password” won’t cut it. Set requirements to ensure they pick strong passwords that are long and include a mix of character types.
- **Fraud red flags to watch out for:** Ecommerce employees must be on the lookout for fraudulent purchases. Train them in how to recognize them and respond when they occur.
- **How to recognize phishing:** If one person clicks on the link in a phishing email, it puts the whole business at risk. Teach employees how to spot phishing emails so they go in the spam folder where they belong.
Consider cyber insurance.
Hopefully, taking these steps will save you from ever having to deal with this nightmare again. But hackers are smart and good at finding ways around the protections we put into place. Cyber insurance won’t save you from the trouble of another hack, but it will ensure your business has the financial cushion you need to weather it.
Nothing you do to protect yourself from cyber attacks is permanent. The techniques fraudsters use evolve, and you need to as well. At least once a year, set up security audits. This includes hiring cyber security experts to test your networks to find potential vulnerabilities hackers can exploit.
It could also involve examining the tech you use now to make sure it provides the best protection options for your business. Consider your CMS, plugins, web hosting platform, payment platform, and other business applications. Do they provide the top-of-the-line security your business needs?
And it should include revisiting the cyber security plan you created to see if it still holds up.
Regular security audits keep you from getting complacent and help you stay on top of changing risks.
Running a business is exhausting and, understandably, cyber security isn’t top of mind most days when you have a thousand other things on your to-do list. But when a hack happens, everything else on that list goes out the window until you get it fixed.
Instead of panicking, use this list to help you create a plan for moving forward. Call in experts for guidance. Bite the bullet and show transparency to your customers. And get to work making sure it doesn’t happen again.
Among other potentially expensive mistakes to make as a business owner? Letting chargebacks run rampant. Chargebacks — often caused by friendly fraud — can add up, but if you download our Reducing Chargebacks Guide, you’ll get our favorite actionable tips on how to minimize your losses (and prevent them in the future). Download it below: