How to Respond to Small Business Data Breaches
Big businesses with deep pockets seem to make the news consistently for massive data and security breaches, but it’s safe to assume that no small business is completely impervious to attack. In fact, a recent study suggests that over 40 percent of cyberattacks are targeted at small businesses.
Would you know what to do if your business were hacked? A different study found that 54 percent of small businesses don’t have a response plan in place for a cyberattack.[1] Data breaches can be incredibly costly, time-consuming and damaging for small businesses.
When time is of the essence, it’s smart to be prepared for a potential cyberattack. If your small business suffers a data breach, here are five actions to take immediately.
1. File a Police Report
Notify your local law enforcement office of your business’s data breach immediately. Your data breach may involve sensitive personal details, such as names, phone numbers, account numbers, payment information, Social Security numbers and other identifiable data. The breach can potentially lead to more crimes, such as identity theft and fraud, so it’s important to act with urgency. You should always follow law enforcement’s lead — it’s important not to interfere with any official investigation. If you learn any new information in an internal review, notify your case’s lead contact of your findings.
2. Consult With Data Security Experts
Data breaches vary widely in scale and severity. If you’re not a digital security expert, it’s strongly advisable to assemble a data breach response team to help you determine the extent of the breach, mitigate the damage and put reliable data security measures in place.
Your course of action will depend upon the nature of the security breach. In general, you should work with your data security team to execute the following steps as soon as possible:
- Determine which parties, accounts or businesses the breach affected.
- Determine what information was stolen, altered or improperly posted. Search for any of your business’s exposed data. You may need to work with law enforcement to remove stolen information from any third-party website.
- Secure affected physical areas and hardware.
- Secure account credentials and passwords.
- Remove affected equipment or software from your network.
3. Prepare a Notification Letter
You may need to consult with a legal expert to ensure compliance and reduce further risk. In general, you should notify any potentially affected parties of the data breach. This may include employees, customers, other businesses and/or third parties. Coordinate with your local police contact to determine the appropriate timing of the letter so you don’t impact an official investigation.
Be honest and clear about your findings, including the exact information that was stolen, steps you’re taking to remedy the situation and any further recommendations based on the specific situation.
It’s important not to disclose any sensitive information, such as details of the investigation or specifics that may further identify the data breach victims. You must also comply with state security breach laws and/or industry-specific rules, which may vary across the region(s) in which you operate. You may also want to consult with a legal professional for this matter. The FTC has prepared a sample letter that you can customize for your small business and specific situation.
4. Evaluate and Update Your Security Protocols
While data breaches are never desirable, they can help you eliminate security vulnerabilities and improve data management for the future. If you aren’t sure of the specifics of your data breach, consider consulting with a professional for more advanced data security management tips, strategies or software. While your security measures will depend on your specific type of business, some general data security best practices include:
- Use two-step or multi-factor authentication to prevent unauthorized access.
- Limit staff security permissions to a need-only basis. Consider all of your business’s digital and physical property.
- Learn to recognize and avoid phishing attacks.
- Use data encryption on your devices. Learn more about Windows 10 or Apple devices.
5. Develop or Update Your Data Breach Action Plan
In order to prevent further breaches, you may want to prepare a thorough security breach response plan, identify a response team and research your local laws regarding data breach regulations and best practices. Industry standards and laws may change over time, so aim to review your procedures every year or so. You should also periodically re-train your staff and promptly communicate any updates or important information.[2]
[1] Shepherd, M. (2019). 30 Surprising Small Business Cyber Security Statistics (2020).
[2] Federal Trade Commission. (2019). Data Breach Response: A Guide for Business.