The sad truth is that most folks wouldn’t know what to do after a data breach. But the good news is that you could do something to minimize its impact on your business.
Data breaches are more common than you think. Adobe once had a data breach that compromised 38 million user accounts. More recently, software company SolarWinds found itself in hot water after cybercriminals exploited their products which could affect the operations of U.S. departments and offices, including the White House.
If you find yourself in a similar situation, these are the steps you should take to control the situation.
Launch an Investigation
First, you need to determine if there is indeed a data breach. And if it is the case, find out the extent of the damage.
1. Confirm the Data Breach
A data breach happens when a cybercriminal infiltrates your system in person or remotely by hacking your system online.
When you’re alerted to a data breach, the first thing to do is verify if there’s been an attack.
You’ll need the help of your information technology (IT) department for this. If an employee caused the breach, you should cut off their access to the system immediately. If it was done online, ask your IT department to find the hacker’s entry point and shut it down.
There are situations when the hacker will email you or someone from your team after the attack. You mustn’t click any of the links in the email as this could worsen the situation.
2. See What Was Stolen
If there is a breach, ask your IT guys to investigate what data was stolen from you.
A cybercriminal can extract all sorts of data from you. It’ll depend on what industry you’re in. A cloud storage provider, for example, can hold media content that puts your customers in a compromised position.
You can imagine what kind of data they can gather from a banking institution.
But the most sensitive type of data they can get is what’s usually referred to as personally identifiable information, or PII. These refer to data that can identify a person. These can include social security numbers, login identification, social media accounts, geolocation data and user images.
In the wrong hands, this information could be sold online or used to create fake identities. That’s why they’re so valuable.
If the stolen data includes health information, see if you’re covered by the Federal Trade Commission’s (FTC) Health Breach Notification Rule. It explains who you should notify and when it should be done.
List down every type of data stolen. You’ll need it when you report the breach to your customers and the authority.
3. Find the Source of the Breach
Qualified IT professionals will know how to identify the source of the breach. If the team keeps track of your server activity, some signs will help you identify where and when the attack happened.
For example, if there’s an IP address you don’t recognize that’s showing in your network. That could be a source. Or if you see applications that run automatically when your computers boot up, that could also be the root of the problem.
It can even boil down to human error.
Whatever the case, find the cause of the breach and shut it down as soon as you can.
Secure Your System
After confirming the breach, take these steps to secure your resources.
4. Back Up the Breached Server
Companies should habitually back up their data. But it’s even more important when responding to a data breach.
Before applying patches, make sure that you save a copy of the affected server. This will come in handy for future investigations done by you or by law enforcement agencies.
5. Form a Security Team
To be clear, you should have a security team even before you get attacked. And there should be a protocol in place for such an occasion.
But if you don’t, now would be the time to form a team.
Their primary role should be fixing the data breach and testing the security fix to make sure that it’s stable and running. You could later expand this team to include individuals who could explain to your marketing and customer service teams what happened and how to explain it to your customers.
This is crucial as these teams will be responsible for easing the minds of the affected users. They also will face the brunt of the consumers so it’s only fair that they have all the information available to them.
Microsoft has suggestions on how you might want to structure your security team.
Contact the Affected Users
When you’re ready, start the process of informing the affected users about the data breach. Do note that this should happen as soon as possible.
It’s worth mentioning that there are laws that dictate who you should notify in the event of a data breach. You should look into your state laws and see what the parameters are.
Also, it’s wise if you designate someone in your company to handle all communications. Or if you’re going to use a public relations (PR) company, have your designated employee work with them closely. Everyone needs to be on the same page at all times.
6. Reach Out to Concerned Parties
Explain to your customers what happened, what data was stolen, and what you’ve done to address the problem.
Transparency is the key.
Don’t downplay the incident. Instead, reassure your customers that everything’s been done to prevent similar incidents from happening in the future.
Of course, don’t forget to apologize for the data breach.
If your company doesn’t have the experience of handling scenarios like data breaches, it isn’t a bad idea to hire a PR firm to handle both the announcement and the fallout.
When your customers’ reactions get out of control, it’s best to let the PR agency handle the response. Don’t respond while you’re emotional as it could lead to saying something that you’ll regret later on.
7. Tell Customers What They Need to Do
When customers first hear of the data breach, they’ll want to know if there’s anything they need to do to keep their information safe.
Explain to them in simple terms what they need to do.
When data breaches happen, the first step is often changing passwords. But depending on how bad the attack was, you might want to recommend that they keep an eye out for suspicious credit or debit card activities.
8. Provide Contact Information
Give your customers all the contact information they’ll need if they want to learn more about the data breach.
You can designate a hotline for anyone who’d like to call you with security concerns. Setting up a designated email also helps.
You can consolidate all of this information by setting up a webpage that summarizes the data breach and lets people know how they can get in touch with you.
Perform Clean-Up Operations
Just because you’ve patched the data breach and all customers are informed doesn’t mean the job is done. There’s more to do.
9. Report the Breach to Authorities
You want to report the incident to authorities. They can help catch whoever hacked your company and give you recommendations on how to update your security.
The FTC suggests that you report the data breach to local law enforcement. And if law enforcement can’t handle investigating information compromises, that’s when you should contact the local office of the Federal Bureau of Investigation or the U.S. Secret Service.
If the breach involves mail theft, you should get in touch with the U.S. Postal Inspection Service.
10. Consult With Legal Counsel
Your legal counsel can explain what steps you could take next. Laws concerning data breaches differ from state to federal levels. Having a team of experts by your side can help you with any question you might have about how you can protect your company further.
11. Seek Help From Concerned Businesses
It’s possible to leak data that you have no control over. An example would be information from credit-rating firms such as Equifax, Experian and Transunion. You should contact these companies if the cybercriminals took Social Security numbers with them. These bureaus can tell you how you should proceed.
You also should also notify the credit-rating firms if you’re recommending your customers to request fraud alerts and credit freezes.
12. Perform Penetration Testing
You can hire companies to conduct penetration testing for your company. Penetration testing is having a team play the role of hackers to find vulnerabilities that cybercriminals could exploit.
By simulating a data breach, you’ll learn what steps you could take to prevent attacks and ease the mind of your clients, partners, and customers.
You also can perform penetration testing on mobile apps.
13. Conduct Employee Training
It’s a good idea to train your employees on how to avoid hacks even when there’s no data breach. The good news is that even those with basic computer knowledge can help prevent data theft.
You can start by telling employees to always lock their desktop and laptop units. They should also stop leaving sensitive work materials unattended. If they’re throwing away paperwork, they must shred them before disposal.
Before leaving work, secure all laptops in locked desks. It isn’t enough that the computer is off before going home.
They can also get into the habit of encrypting data, especially on portable storage.
If the company can afford 2-factor authentication services, it should do so. This adds a layer of protection when a user logs into an account. For example, you might receive a security code on your phone when logging into your email account.
That means even if a hacker knows your login information, they can’t get in without knowing the code on your phone.
As a bonus, if you receive a code on your phone and you’re not trying to log into your account, you know someone is trying to force their way in and you can alert your IT department.