It's every modern business's worst nightmare: You discover there's been a security breach, and your sensitive business and customer data has ended up in the hands of hackers.
While business owners may have some safeguards in place, the reality is that a data breach can happen to anyone at any time, especially small businesses. In fact, according to the National Cyber Security Alliance (NCSA), 71 percent of security breaches target small businesses, and nearly half of all small businesses have been victims of cyberattacks. And unlike larger corporations, smaller companies don't always have the resources to recover: Experian reported that 80 percent of small businesses that suffer a breach go out of business after 18 months.
It's likely not possible to regain control of everything the hackers accessed, but you can still take action and salvage your trust and reputation with your customers and clients. Legal and technology experts shared their insights on how to best recover from a small business data breach.
Identifying a data breach
You can't start recovering from a breach unless you know it's occurred. That's why it's critical to learn how to identify when something has gone wrong. The problem, of course, is that in many cases, there aren't any telltale signs you've been hacked.
"Often, businesses discover that they have been breached for the first time months after it happened, when they are informed by law enforcement, business partners, banks or the media — who themselves discover the businesses' data being sold on the black market," said David Zetoony, a partner with the international law firm Bryan Cave LLP. "Other businesses may have been breached months, or even years, ago and still do not know."
There are, however, a few things that may tip you off to a security problem. Francoise Gilbert, founder of IT Law Group, said that slow or lagging computer response time, pop-up windows that you can't close, client reports of spammy emails from your account, or strange programs or websites asking for your credentials could all be signs of a data breach. If malware or a virus is discovered on your system, you'll also want to investigate to see if any data was compromised.
Justin Bingham, chief technology officer for digital business solutions firm Janeiro Digital, warned companies that any noticeable issues are signs of a low-quality breach.
"If you've been compromised by someone that knows what they're doing, those signs are going to be few and far between, unless you have a sophisticated team and tools," Bingham said. "The best way to determine if you've been compromised is not to look for the attack, but what is done after it, when the hacker establishes residency within the network."
What to do when a breach occurs
Recovering compromised information from a hacker is impossible in most cases, Zetoony said. By the time you discover a breach, the hacker has already stolen or misused the information, and has often wiped his or her trail, he said. Therefore, your first priority after discovering a breach should be to piece together what happened, how bad the breach was and which customers might have been impacted, Zetoony said.
"Companies typically call their attorney and have him or her retain [a forensic] investigator who specializes in finding, preserving and analyzing electronic equipment and data," Zetoony told Business News Daily. "Lawyers that specialize in data security breaches typically advise companies concerning any legal obligation that they have to notify consumers, the public, insurance carriers or regulators."
In terms of equipment, Gilbert advised organizations to stop using the server, computer or device where the breach occurred. This will preserve evidence, so the forensic team can look into the cause of the problem.
"If the computer is not performing a vital function, disconnect it physically from its network and the Internet immediately," she said. "Copy and securely store the access and activity logs from the affected machine, [and then] attempt to identify the type, nature and categories of information that has been affected — company trade secrets, customer lists, payment and delivery information, etc."
Informing affected parties
Once you've assessed the initial damage and potential cause, your next order of business is to break the news to your business partners, vendors, customers or any other affected stakeholders. Nicholas Gaffney, a lawyer and founder of legal media relations firm Zumado, said it's important to have a response team in place that will work quickly to preserve and enhance the reputation of your organization after a data breach. This means having a team member assigned as the point person for official responses to inquiries about the breach, and being transparent and consistent in all communications about it.
If possible, your company — rather than an outside party, such as the media — should break the news of the breach. Gaffney said this will demonstrate the organization's concern for the affected parties.
"Create a statement about the breach, and communicate it through the appropriate channels," Gaffney said. "Commit to keeping all affected parties informed of developments related to the breach, following appropriate legal guidelines. Accept responsibility for the inconvenience caused, apologize, and make it clear that you will do all you can to help victims deal with the consequences of the breach."
"Provide information promptly, even if incomplete," Gilbert added. "You want the affected party to learn about the incident from you, and in your own words. Don't be vague, or if you have to be, explain why — because you are still investigating the incident and do not have all the details."
To that end, Zetoony said that any information you provide about the incident must be accurate and verified. As Gilbert noted, this may mean telling stakeholders that you don't have any information for them, and providing updates only when you are sure of the facts yourself.
"Although waiting can be difficult, providing them with speculation, or information that may turn out later to be false, only hurts trust and reputation further," Zetoony said.
Preventing future breaches
It's a long road to recovery after your company has suffered a data breach, but once you've gotten the situation under control, you can learn from it and work to prevent another incident from occurring. Bingham said there's a laundry list of best practices that should be employed, from perimeter network security to secure access mechanisms and route audits, but there is no "silver bullet" solution.
"Establishing security for a given organization requires constant vigilance and attention by trained and dedicated people equipped with the right tools employing industry best practices," he said.
Gilbert agreed that a highly trained and vigilant staff is the key to minimizing the risk and damages of future breaches. Your employees should take extra care when using company equipment and learn to recognize clues that could indicate compromised information. Additionally, she recommended conducting a periodic "sweep" of all personnel's equipment to catch any malware and security holes.
Most importantly, Zetoony reminded businesses that, given enough time, a data security incident is as inevitable as any other type of crime — but learning from it will help you handle it better going forward.
"If you view each breach as a learning exercise, you won't be able to stop them necessarily," Zetoony said. "But you can learn how to respond to them more efficiently, quickly, and with less impact to your business and your customers."