
What to Do If Your Business Gets Hacked

Your business has been hacked. It's bad news, but it doesn't have to cripple your operation.

Cyber-crooks increasingly are targeting small businesses to steal information such as passwords that lead to bank account balances and credit lines, customer data and sensitive product details. Hackers also may try to virtually hijack company computers or websites and use them to attack others online. They know most small businesses lack the security expertise, data protections and response tools that large companies have at their disposal.

Falling victim to a hack can be costly. Malicious or criminal data breaches on average cost victim companies $318 per compromised record in 2010, according to Traverse City, Mich.-based research firm Ponemon Institute.

But having a security recovery plan can make the process smoother and less expensive. Here are six critical steps to take if your business has been hacked:

1. Find out what happened.
To respond effectively, get a full picture of what happened, including how the hackers got in, which computers and accounts were compromised, which data was accessed or stolen and whether any other parties -- such as customers or business partners -- were affected.

This can be a difficult process involving costly security consultants, but you may be able to get less expensive help from companies you do business with, including your Internet service provider, security software company or website hosting firm. But the best route may be to contact your local, county or state police computer crimes unit and the FBI, which can do forensic analyses and provide valuable guidance.


2. Seek legal advice.
If you don't have a special cyber-insurance policy that will provide an experienced attorney, you may need to hire one to navigate the legal issues. For instance, when hackers gain access to the personal information of customers or employees, you likely have a legal obligation to notify them, says Todd B. Ruback, a Warren, N.J.-based privacy attorney who specializes in data breach response.

You may also be required to alert state authorities. Because there isn't a federal data-breach notification rule, companies that do business nationally may have to comply with as many as 46 different state laws. You also could face liability lawsuits from affected parties.

3. Communicate early and often.
Quick and honest communication with affected employees, customers and partners -- about what happened, what you're doing about the problem and what they need to do -- is often more than just a legal requirement. It may be necessary to salvage your business.

"A data breach can be fatal for a small business" if monetary losses, the cost of rebuilding or reputation damage is high, says Michael Kaiser, executive director of the National Cyber Security Alliance, a public-private partnership based in Washington, D.C. "Maintaining trust in a crisis is the best way to hold onto your customers."


4. Eliminate the problem.
To limit the damage, you may need to take disruptive and costly steps, such as removing infected computers and shutting down your website while you clean up. Consider reformatting hacked computers and restoring data with clean backups, or simply buy new computers.

If hackers exploited a software flaw, apply a "patch" from the software maker that fixes the problem or implement a recommended workaround. If they stole passwords, secure your accounts and set new, complex passwords that will be hard to crack.

5. Rebuild.
Put in place the technology and policies to help fend off future attacks. Make sure your computer operating system and other software are current and, if possible, receiving automatic updates to fix bugs. Consider designating one computer for online banking only, meaning no Web surfing and no email that might expose you to malware designed for financial fraud.


6. Revisit your security plan.
Make sure your security defenses are running properly and that data is being backed up securely. Your IT manager should consider setting up activity "logging," or tracking, on all devices on your network so any future problems can be investigated more easily, says Brian Honan, principal consultant at Dublin, Ireland-based security firm BH Consulting.

Check with customers, partners and vendors to see what they're doing to protect your data. Consider buying a cyber-insurance policy if you don't already have one. Also, create a disaster recovery plan and train employees so everyone can respond quickly and calmly if faced with a hack or other crisis again.






Riva Richmond is a freelance journalist who has covered technology for more than 10 years. She writes regularly on electronic security and privacy for The New York Times and its Gadgetwise and Bits blogs. She has also written extensively about small business for The Wall Street Journal and was previously a technology reporter at Dow Jones Newswires.


Comments:

Riva, great post and points to include. One more key step -- before anything even happens, run a fire drill. In other words, put a plan in place, and do a "mock" hack to see how the plan plays out in real time. That's a major step in developing effective crisis management plans and will help eliminate any weak spots. Cheers, Team Praecere, @praecere:twitter

This is a great post. Especially for companies that have virtual employees - you must have a security protocol signed by each person. One thing a lot of small business owners forget is that employees and employers have a different mindset. Your employee probably won't take initiative to protect your clients unless you tell them specifically how to do so. For example, most employees have no idea about the credit card guidelines put out by AMEX or Mastercard. If they have access to this info, they need to know how to keep it secure.

Hi Riva, the seventh step would be to consult a network security expert and devise a security plan for your complete network and applications, so that your IT team follows a written, documented policy and prevents hacking attacks on your business in the future. You can get help from a network security company to monitor your network and suggest the necessary cost-effective steps to get your network, step by step, to foolproof security and allow only authorized traffic to come into your network. This can be done through correct use of firewalls, UTM, antivirus, IT audits and responsible IT managers.

Hi Riva! Thank you so much for sharing this information. It is our responsibility to save our business and other information details from hacking. I hope the above-mentioned six steps are very helpful to us once our information has been hacked. Good informative post.

Riva - excellent recommendations. One additional note: if a business has a compromised website, they will need to investigate to figure out where the security vulnerability was, and then roll back their website to an uninfected version. Services like CodeGuard are extremely helpful, because they identify exactly what changed in the code and provide an easy way to quickly remediate.

It seems obvious, but businesses should definitely think about the web browsers they let their employees use and make sure that they're regularly updated. Found this blogpost particularly helpful in explaining why browsers are our biggest problem now: https://blog.whitehatsec.com/web-browser-the-single-most-important-online-security-decision-you-make/

This is a time when social media and smartphones are used more for marketing purposes. There is less privacy or no privacy with these two, so it is common for a business to be hacked. Great points are shared here on how to recover, and on not just being disappointed but moving ahead in the direction of rebuilding the whole business and learning from the mistakes. Thanks for sharing such a great article with us.
