Small Business Data Breach in 2018? Here’s What You Should Do

Small business owners who don’t think they’ll likely be victims of cybercrime are in for a rude awakening. In April of 2017, it was revealed that cyberattacks had successfully targeted over 14 million small businesses in the previous 12 months. In fact, USA Today cites the Verizon Data Breach Investigations Report when it states that 61 percent of total breaches last year hit small businesses, up from 53 percent the year before. Furthermore, UPS Capital presents these numbers:

  • Cyberattacks cost small businesses between $84,000 and $148,000.
  • 60 percent of small businesses go out of business within six months of an attack.
  • 90 percent of small businesses don’t use any data protection at all for company and customer information.

To avoid being one of these entities — one that incorrectly assumes it will never get hit and fails to protect itself, ending up paying exorbitant amounts and eventually going out of business — check out these tips for small businesses hit by data breaches in 2018.

Keeping Customer Data Safe By Adhering to Standards

As a small business that utilizes customer data, it’s your responsibility to protect that data to the utmost. As such, global security standards have been established that are designed to minimize risk of a breach. eSignLive cites “adhering to cloud security standards” as one of the top ways to keep customer data safe in today’s digital world.

These security standards include HIPAA, SOC 2, FedRAMP, and PCI-DSS compliance, among others. Both you and your cloud services provider are required to adhere to some of these standards, depending on the industry you’re in, and it’s your own responsibility to get familiar with the stipulations included in your specific industry’s standards. For example, pretty much all of these standards require that you inform customers of the breach via written notice, and that you file a notice of breach with your state attorney general.

If you want to protect your customers’ data, you need to make sure you’re not running afoul of these standards, including whatever post-breach notifications and instructions are required of you.

Identify Source, Protect Yourself Against Your Own Employees

After an attack, you’ll want to identify where the attack came from and how it was executed. Unfortunately, most of today’s attacks occur because of human ignorance. No doubt, there has to be an attacker in the first place — but if all users were educated and followed standard IT security protocol, a large majority of today’s successful attacks would not actually be “successful”.

Phishing emails, for example, are on the rise, both for small businesses and private individuals. Eva Velasquez, writing for Firm of the Future, gives this advice:

“…cybercriminals… will often begin to send out emails en masse, posing as your financial institution and asking for your personally identifying information (PII). Even those who would otherwise be leery of a phishing email may do a quick Google search to see if their bank had suffered from the attack and may find one of the many stories making headlines. The scammers know that these stories will help convince consumers that their financial institution has suffered from a breach, and they will, therefore, be more likely to go ahead with the process. If you get an email that looks like it is from your financial institution, pick up a phone and call them. Be sure that you use the number from the back of one of your cards rather than any number in the email, as that may already have been run by the scammers as well.”

Imagine that your mother or father received one of these emails, and ask yourself: “Would they fall for it?” Would your friends? Other family members? If the answer is yes, cyber criminals are targeting those people directly. They’re employees, they’re users of the internet, they’re holders of personally identifying data, and they’re everywhere.

How to Respond to an Attack

According to the FTC, there are a couple of smart, sound steps you can take to respond to a data breach:

  • Secure your operations: This includes assembling a team of data forensics and legal experts to conduct a comprehensive breach response, as well as securing physical areas potentially related to the breach. Take affected equipment offline immediately, but also make sure not to destroy evidence.
  • Fix your vulnerabilities: The FTC recommends checking network segmentation, working with forensics experts to get the whole story, and making sure you have a communications plan.
  • Notify appropriate parties: As mentioned before, this could be different depending on what type of security compliance you’re bound by, as well as what state and country you’re in. Start by determining your own legal requirements, and then by notifying appropriate law enforcement if necessary. After that, it comes down to notifying affected businesses and individuals, and providing guidance on how they can either recover or further protect their own information.

If small business owners adopt the above prevention and response techniques, successful data breaches will drop dramatically. Unfortunately, attackers are relentless, and too many small business owners are complacent. Don’t be one of these easy marks — and if you’ve already been hit, don’t be one again. It’s on you to protect your business and yourself from attack. Rise to the occasion.