Responding to a Data Breach Nightmare
It’s every business owner’s nightmare. Hackers gain access to your customers’ or employees’ personal information, putting your hard-earned good reputation at risk and raising the specter of a possible lawsuit. To make matters worse, many cyber criminals demand hefty ransoms before you can get your information back. Once the ransom is paid, there is no telling who still has access to your private information, or whether another cyber attack will follow.
No business owner wants to think about such a crisis, yet it’s imperative you do. Suffering a data breach without an emergency incident response plan (IR plan) leaves you vulnerable to the damage of the attack itself plus the potential fallout from your own panicked decisions.
While the below can be used as a roadmap to address a suspected cyber security breach, it is wise (and in some states, required) to have a more detailed “Incident Response Plan” as part of a Written Information Security Program (WISP).
7 steps to take if you fall victim
1. Call your IT Support company
Let them know it is an emergency. Tell them what you observed and what you have already done, and that you need them to secure your system immediately. This includes locking out the hacker, terminating his or her session, and changing passwords on the accessed system and on any other systems where the same password is used.
Care should be taken to preserve log files at this point, since they are the primary evidence of what happened. Ask them to determine what has changed since you first noticed the attack. Write down the dates and times of the events you noticed.
2. Engage a Cyber Forensics Investigator
Contact Whittlesey Technology for help identifying a cyber forensic investigator that you can turn to in the event of a data breach. Most IT support companies will not have this ability in house.
The preliminary goal will be to answer three fundamental questions: How were the systems breached? What data did the hackers access? Was any personal information accessed, which would trigger a reporting requirement? Once these questions have been answered, experts can evaluate the extent of the damage.
3. Call your insurance company
If the investigator determines the incident to be a breach or a probable breach, you need to call your insurance company. Inform them of the facts and ask them if you can use your own local privacy attorney and cyber forensic investigator or if you must use theirs to determine the extent of the breach.
Finding out whether your insurance allows you to choose your own lawyer and investigator is another step you can take ahead of an incident. If they require you to use a lawyer and investigator of their choosing, forming relationships before an incident can make things easier after an incident is detected.
4. Schedule a conference call
You will need to speak with your privacy attorney, the cyber investigator, and the IT support person who helped with the incident initially. The attorney will guide you through the next steps, including advising you on your legal responsibilities and what you should or should not do (or say) in response to the incident.
5. Fortify your IT systems
While investigative and response procedures are underway, you need to work proactively to prevent another breach and strengthen controls. Doing so can involve training staff on recognizing cyber threats and phishing emails, strengthening passwords, and having your network and security program examined by a professional.
6. Communicate strategically
No matter the size of the company, the communications goal following a data breach is essentially the same. The goal is to provide accurate information about the incident in a reasonably timely manner that preserves the trust of customers, employees, investors, creditors, and other stakeholders. Note that “in a reasonably timely manner” doesn’t mean “immediately.”
Often, it’s best to hold off on a detailed statement until you know precisely what happened. It’s good to acknowledge that an incident occurred, and reassure those affected that you’re taking specific measures to control the damage. Most importantly, you want to prevent it from ever happening again.
7. Activate or adjust credit and IT monitoring services
You may want to initiate an early warning system against future breaches by engaging an IT Security consultant to check your systems periodically for unauthorized or suspicious activity. Of course, you don’t have to wait for a breach to do these things (it’s better if you take these steps before an incident can occur).
Data breaches are an inevitable risk of running a business in today’s networked, technology-driven world. Should this nightmare become a reality, a well-conceived incident response plan can preserve your company’s goodwill and minimize any impact on profitability. Following such a plan can even prevent an incident from becoming a “legal breach.” Whittlesey Technology can help you design a simple and effective plan as well as be at the ready when you need us the most.
Are You Protected?
One wrong click can cause a security incident or data breach and the impact could be devastating. Whittlesey’s Cybersecurity Assessment (CSA) is a comprehensive audit that will identify your level of cyber risk and provide a roadmap to improve it.