What to Do If Your Business Gets Hacked
Your business has been hacked. It's bad news, but it doesn't have to cripple your operation.
Cyber-crooks increasingly are targeting small businesses to steal information such as passwords that lead to bank account balances and credit lines, customer data and sensitive product details. Hackers also may try to virtually hijack company computers or websites and use them to attack others online. They know most small businesses lack the security expertise, data protections and response tools that large companies have at their disposal.
Falling victim to a hack can be costly. Malicious or criminal data breaches on average cost victim companies $318 per compromised record in 2010, according to Traverse City, Mich.- based research firm Ponemon Institute.
But having a security recovery plan can make the process smoother and less expensive. Here are six critical steps to take if your business has been hacked:
1. Find out what happened.
To respond effectively, get a full picture of what happened, including how the hackers got in, which computers and accounts were compromised, which data was accessed or stolen and whether any other parties -- such as customers or business partners -- were affected.
This can be a difficult process involving costly security consultants, but you may be able to get less expensive help from companies you do business with, including your Internet service provider, security software company or website hosting firm. But the best route may be to contact your local, county or state police computer crimes unit and the FBI, which can do forensic analyses and provide valuable guidance.
Related: How to Protect Your Business's Mobile Devices
2. Seek legal advice.
If you don't have a special cyber-insurance policy that will provide an experienced attorney, you may need to hire one to navigate the legal issues. For instance, when hackers gain access to the personal information of customers or employees, you likely have a legal obligation to notify them, says Todd B. Ruback, a Warren, N.J.-based privacy attorney who specializes in data breach response.
You may also be required to alert state authorities. Because there isn't a federal data-breach notification rule, companies that do business nationally may have to comply with as many as 46 different state laws. You also could face liability lawsuits from affected parties.
3. Communicate early and often.
Quick and honest communication with affected employees, customers and partners -- about what happened, what you're doing about the problem and what they need to do -- is often more than just a legal requirement. It may be necessary to salvage your business.
"A data breach can be fatal for a small business" if monetary losses, the cost of rebuilding or reputation damage is high, says Michael Kaiser, executive director of the National Cyber Security Alliance, a public-private partnership based in Washington, D.C. "Maintaining trust in a crisis is the best way to hold onto your customers."
Related: Free Web Security Tools to Guard Your Business Browser
4. Eliminate the problem.
To limit the damage, you may need to take disruptive and costly steps, such as removing infected computers and shutting down your website while you clean up. Consider reformatting hacked computers and restoring data with clean backups, or simply buy new computers.
If hackers exploited a software flaw, apply a "patch" from the software maker that fixes the problem or implement a recommended workaround. If they stole passwords, secure your accounts and set new, complex passwords that will be hard to crack.
Put in place the technology and policies to help fend off future attacks. Make sure your computer operating system and other software are current and, if possible, receiving automatic updates to fix bugs. Consider designating one computer for online banking only, meaning no Web surfing and no email that might expose you to malware designed for financial fraud.
Related: How to Protect Your Business from Malware in Custom Apps
6. Revisit your security plan.
Make sure your security defenses are running properly and that data is being backed up securely. Your IT manager should consider setting up activity "logging," or tracking, on all devices on your network so any future problems can be investigated more easily, says Brian Honan, principal consultant at Dublin, Ireland-based security firm BH Consulting.
Check with customers, partners and vendors to see what they're doing to protect your data. Consider buying a cyber-insurance policy if you don't already have one. Also, create a disaster recovery plan and train employees so everyone can respond quickly and calmly if faced with a hack or other crisis again.