How To Protect Your Small Business Against A Data Breach

How much does a data breach cost your business and what can you do about it?

By Sergey Ozhegov

Opinions expressed by Entrepreneur contributors are their own.

You're reading Entrepreneur Middle East, an international franchise of Entrepreneur Media.

Data breaches are a growing threat that matters to companies of all sizes and trades. According to Gemalto, 1,792 incidents were recorded worldwide in 2016, leading to the compromise of 1.4 billion data records, which is 86% higher than in 2015.

A study by IBM and the Ponemon Institute shows that in 2016 the average damage from a data leak incident escalated to a record US$4 million. According to a poll of information security professionals conducted during SearchInform Road Show 2016, companies most often lose customer data (25%), technical information (18%), documents containing commercial and trade secrets (18%), and personal data (15%).

It should be emphasized that the culprit behind a data leak can be either an external attacker or an employee of the company. According to the recent Dell End-User Security Survey, 72% of employees are willing to share confidential information. In the financial sector, this percentage is the highest: 81%. At the same time, 65% of the respondents indicated that, among other duties, they must ensure the protection of confidential data. Causes of data leakage vary, from negligence and inadvertence to mercenary motives and industrial espionage. Nevertheless, the Dell survey shows that most employees violate safety rules in the sincere belief that doing so helps their companies and makes their work more efficient. And this happens even though 63% of the interviewed employees have been trained to improve their knowledge and skills in the field of information security.

Effectively, it is impossible to ensure 100% protection against data leakage. Moreover, it is unwise to rely on the fact that employees understand and correctly evaluate all risks associated with data leakage. Therefore, it is worthwhile to consider in advance what a company should do in the event of a data breach incident. Here is a high-level plan for that:

1. Don't panic
The worst situation is when you learn about a leak by accident, from loyal customers or from the internet, for example. It means that your security system does not work at all or isn't properly configured. If you have the opportunity to investigate the incident while the trail is still hot, for example when the DLP system quickly discovers that outbound traffic contains confidential information, there is still a chance to right the ship. First and foremost, restart, accelerate, change, or even cancel the decisions and business processes associated with the stolen information. These measures would save the company money and allow you to proceed with further actions: investigation and mitigation of consequences.

2. Identify the culprit of the leak
This step is necessary because it will help to prevent similar incidents in the future. In a small company, you can ask IT specialists to check corporate mail, proxy server logs, and other traceable gateways. In medium and large companies, there is no alternative to the powerful search algorithms of DLP systems. A modern company works with overwhelming amounts of information each day, and it is impossible to analyse it manually. In addition to a DLP solution, access control, SIEM and video surveillance systems would help to reconstruct the chain of events and conduct a full-scale investigation.

3. Identify the instigator
Once the insider is identified, the next step is to find out who the end beneficiary is. In the event of a deliberate leak of information, substantial evidence against the insider usually makes it easy to prompt the insider to come clean and reveal the instigator. Once you have the full picture of the incident, you can start mitigating potential consequences.

4. Understand the problem and assess the impact
What kind of information left the perimeter of the company? Commercial offers, a financial plan, the customer base? Or a few documents marked "strictly confidential"? Determining the boundaries and significance of the problem at this stage is very important. This will serve as a starting point for further action. Which is better: solving the problem on your own or engaging law enforcement? If the information is really important, and the only security tools you have are the passwords for the employees' PCs, it is better not to take the risk and to get any help available. If there are experienced professionals working in the information security department of the company, then in most cases it is better to try to calmly sort it out on your own.

5. Mitigate the consequences
There is no magic pill that would solve all the problems associated with data theft and leakage. Such incidents are individual, and so are the consequences and mitigation measures. However, there are some broad guidelines:

  • Understand what other information, besides what was leaked, could be compromised.
  • Report the leak to the impacted party. That is especially important when there is a high probability that people will learn about the leak themselves. Besides, it helps the affected party take some action to protect themselves. So, make sure to inform them.
  • If information about the leak has become public, make sure to launch a PR campaign to defuse the impact of the leak. If you don't have any PR specialists, hire an agency. Be open with the media and tell the audience about the measures that you're taking to prevent such situations in the future. This will show the customers that you care about them.
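
For step 2 in a small company without a DLP system, the proxy log check can start as a simple triage of upload volume per user. The sketch below is an added example, not part of the original article; the log layout, user names, hosts and the internal domain suffix are all constructed assumptions to adapt to your own proxy.

```python
from collections import defaultdict
from statistics import median

# Constructed sample lines in an assumed layout (adapt parse() to your proxy):
# timestamp user method destination-host bytes-sent-by-client
SAMPLE_LOG = """\
2017-03-01T09:12:44 alice POST mail.example.com 18432
2017-03-01T09:15:02 bob POST crm.corp.example 250000000
2017-03-01T22:41:10 carol POST files.example.net 734003200
2017-03-01T22:58:37 carol PUT files.example.net 52428800
2017-03-02T10:03:19 dave POST mail.example.com 20480
2017-03-02T10:05:00 alice GET www.example.org 512
truncated line
"""

INTERNAL_SUFFIXES = (".corp.example",)  # hypothetical internal domain


def parse(line):
    """Return (user, host, bytes_sent) for an upload request, else None."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None  # malformed or truncated entry
    _, user, method, host, sent = parts
    if method not in ("POST", "PUT"):
        return None  # only requests that carry data out
    return user, host.lower(), int(sent)


def outbound_by_user(log_text):
    """Sum bytes uploaded to external hosts, per user and destination."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[1].endswith(INTERNAL_SUFFIXES):
            continue
        user, host, sent = rec
        totals[user][host] += sent
    return totals


def flag_outliers(totals, factor=10):
    """Users whose upload volume exceeds `factor` times the median user."""
    per_user = {u: sum(hosts.values()) for u, hosts in totals.items()}
    baseline = max(median(per_user.values()), 1) if per_user else 1
    return [(u, total, max(totals[u], key=totals[u].get))
            for u, total in sorted(per_user.items(), key=lambda kv: -kv[1])
            if total > factor * baseline]
```

Flagged rows are leads for the investigation rather than proof: a large upload can be a legitimate backup or file transfer, so each one should be checked against mail logs and access records.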

Sergey Ozhegov

Chief Executive Officer of SearchInform

Sergey Ozhegov is a co-owner and the CEO of SearchInform, a technological information security company focusing on protection of business and government institutions against data theft and other harmful activities. He joined SearchInform in 2004, after graduating from the Faculty of Mechanics and Mathematics at Belarus State University, and spent several years working in sales and business development before he was promoted to the position of CCO in 2009, eventually becoming the CEO of the company in 2015. 
