Plan Ahead: How to Handle a Website Security Data Breach
The Sony Hack. The breach of the Democratic National Committee’s databases and servers. When we hear about data breaches on the news, they’re typically massive operations affecting major companies. But while it might be tempting to assume that, as a small business owner, you’re too small a fish to be worth frying, you shouldn’t be so certain.
The Identity Theft Resource Center (ITRC) reports that “U.S. companies and government agencies suffered a record 1,093 data breaches last year, a 40 percent increase from 2015.” This doesn’t just involve multinationals. Small businesses like yours are also vulnerable – especially when you consider that experts like the ITRC’s CEO Eva Casey Velasquez believe that breaches often go undiscovered and unreported.
IBM/Ponemon’s 2016 Cost of Data Breach Study suggests that the average cost of a data breach is $7.1 million for a U.S. company and $4 million on average worldwide, with the bulk of this impact coming in the form of lost business. Yet, despite the fact that data breaches are growing in number and scale – and although the costs of these incidents can be substantial – few companies are planning ahead to combat them proactively.
Why You Need a Data Breach Response Plan
Imagine two scenarios…
Customers find out before you do.
In this first scenario, you become aware of a data breach because a customer reports something fishy to you. Being a business owner – not an IT specialist – you aren’t sure where to begin. You reach out to your payment processor, your merchant account, and even your second cousin who does something vaguely computer-related for work – basically, anyone you think might be able to help you understand what’s happening.
While you’re scrambling to put together a response plan, the damage has either already been done or is continuing to be done if you aren’t able to identify the mechanism of the breach. Customer trust is being lost. If word gets out that your client data has been made vulnerable, you’re at risk of the kind of bad press that leads to lost business – if your company is even able to stay afloat.
Admittedly, that’s a bit of a doomsday scenario. But contrast the difference between the situation described above and this one…
You are alerted before customers are impacted.
Knowing how common data breaches are becoming, you’ve taken steps ahead of time to install third-party monitoring tools, connect with forensic IT specialists and develop a proactive communications plan. If a breach does occur, you’re alerted right away, and the contacts you’ve made mean you know who to turn to for help resolving the issue and understanding its full impact.
Now, when you go to your customers with the messages you’ve crafted ahead of time, you’re able to share with them exactly what’s happened, what steps you’ve taken to protect their data and what they need to do on their end to stay safe. Yes, you may still lose some business, but you’ll gain the respect of others for your prepared, proactive approach.
How to Build a Data Breach Response Plan
Clearly, of the two scenarios described above, the latter is the better option for your company. Yet, despite these obvious benefits, Ernst & Young’s 2015 Global Information Security Survey reports that “only 43% of respondents said they had a formal incident response program, while only 7% stated that they had a comprehensive plan that included third-party vendors, law enforcement and tabletop exercises.”
Your plan may not need to be as sophisticated as this, but you should make sure all of the following elements are covered:
- Data breach awareness – How will you know if a breach has occurred?
- Data breach forensics – How will you determine what the breach has affected and how to fix it?
- Data breach communications – How will you communicate what has happened and what needs to be done? Which stakeholders need to be notified?
Data Breach Awareness
You can’t respond to a breach until you’ve determined that one took place. Remaining aware of potential and existing threats requires two things: implementing proper monitoring tools and regularly checking the status of your systems, installations and tools. It also helps to keep the logs those tools produce somewhere an intruder on the web server cannot quietly edit or erase them, since those logs are what you will rely on to work out what happened.
Depending on the scale and scope of your organization and its IT needs, threat monitoring may involve:
- Using a firewall, with rules that allow only the ports and services your site actually needs
- Enforcing access controls on your router(s)
- Running host-based or network intrusion detection systems (IDSs) to look for malicious traffic
- Running the Microsoft Baseline Security Analyzer (MBSA) on Windows hosts to find missing patches and weak settings (a hardening check rather than a tool that detects an active compromise)
- Using chkrootkit on Linux/Unix hosts to check for local signs of compromise (it is signature-based, so a clean result is not proof that a host is clean)
- Installing a third-party threat detection tool
The type of tools and processes that are appropriate for your company may depend on the type of data you store. As a best practice, you shouldn’t be storing any personal information you don’t absolutely need; the less you hold, the less a breach can expose.
An IT security consultant or firm can help you determine both the monitoring tools that are best suited to your needs, as well as any ongoing monitoring and security practices that will minimize potential risks. Be sure your consultant helps you understand the warning signs that a data breach has occurred so that you know when to respond.
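One concrete way to answer "how will you know if a breach has occurred?" on a small website is a baseline-and-compare integrity check: hash every file under the web root, store that baseline somewhere the web server cannot write, and re-check on a schedule. The example below is added here to illustrate that technique; it is not code from the original article or from any of the tools listed above. The site layout, file names and the "suspicious" patterns (scripts appearing in an upload directory, changes to core or config files) are illustrative assumptions for a typical PHP site, and the compromise it reports is simulated inside a temporary directory.

```python
"""Baseline-and-compare integrity check for a web root.

Added example (not code from the original article). It builds a baseline of
file hashes, permission bits and sizes under a directory, compares a later
snapshot against it, and flags changes that commonly indicate a compromised
site. The directory layout, file names and the "suspicious" patterns below
are illustrative assumptions, not taken from the article.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed conventions for a typical PHP site; adjust to your own layout.
SCRIPT_SUFFIXES = (".php", ".phtml", ".php5", ".cgi", ".pl", ".sh")
UPLOAD_DIRS = ("uploads/", "tmp/", "cache/")
SENSITIVE_FILES = {"index.php", ".htaccess", "config.php"}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large uploads are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_snapshot(root: Path) -> dict:
    """Map each regular file (relative POSIX path) to its hash, mode bits and size."""
    snapshot = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snapshot[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "mode": st.st_mode & 0o7777,
                "size": st.st_size,
            }
    return snapshot


def save_baseline(snapshot: dict, dest: Path) -> None:
    """Persist the baseline; keep this copy somewhere the web server cannot write."""
    dest.write_text(json.dumps(snapshot, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Return the added, removed and modified paths between two snapshots."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def flag_findings(findings: dict) -> list:
    """Turn raw diffs into prioritised alerts a site owner can act on."""
    alerts = []
    for path in findings["added"] + findings["modified"]:
        if path.endswith(SCRIPT_SUFFIXES) and path.startswith(UPLOAD_DIRS):
            alerts.append(f"HIGH: script in upload directory: {path}")
        elif path in SENSITIVE_FILES:
            alerts.append(f"HIGH: core or config file changed: {path}")
    for path in findings["removed"]:
        alerts.append(f"MEDIUM: file removed: {path}")
    return alerts


def demo() -> dict:
    """Constructed scenario: baseline a tiny site, then simulate a web-shell drop."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        root = work / "www"                      # simulated web root
        (root / "uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "config.php").write_text("<?php $db_pass = 'secret'; ?>")
        (root / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
        baseline_path = work / "site-baseline.json"  # outside the web root
        save_baseline(build_snapshot(root), baseline_path)
        # Simulated compromise: a web shell is dropped and config.php is backdoored.
        (root / "uploads" / "cmd.php").write_text("<?php system($_GET['c']); ?>")
        (root / "config.php").write_text("<?php $db_pass = 'secret'; include '/tmp/x'; ?>")
        findings = compare(load_baseline(baseline_path), build_snapshot(root))
        return {"findings": findings, "alerts": flag_findings(findings)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice you would run the snapshot from cron against the live web root and compare it with a baseline stored off the server (or at least outside any directory the web application can write to), re-baselining only after a deliberate deployment. The check catches dropped web shells and tampered configuration files, which is the point; it does not catch a leak through a stolen database password, so it complements rather than replaces the network and host monitoring in the list above.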
Data Breach Forensics
If a breach has occurred, your top priority should be ensuring your systems are out of danger. Michael Fimin, CEO and Co-Founder of Netwrix, shares that:
“It is vital to identify the compromised system in the shortest possible time and fix the data leak to prevent future attacks. For instant troubleshooting, you might need to enable an auditing solution that will provide before and after values on who changed what, when and where across the entire IT infrastructure, thus simplifying root-cause analysis.”
Again, you may need the help of a third-party IT provider to make these judgements. Contain the problem first, but do not destroy the evidence while doing so: copy and hash the relevant logs and take a disk image before you wipe or rebuild a machine, because those records are what let you work out how far the breach reached. Once assessed, you’ll use the results of your analysis to determine who needs to be notified, what corrective actions must be taken and what vulnerabilities need to be responded to in the future.
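The "who changed what, when and where" question usually starts from one indicator, such as a web shell found on disk, and works outward through the web server's access logs to establish which addresses used it, when they first touched the site, and what they did. The example below is added here to show that pivot on constructed log lines; it is not code from the original article and not a feature of any product mentioned on this page. It assumes the default combined log format written by Apache and nginx, and the sample lines use the documentation-reserved address ranges 203.0.113.0/24 and 198.51.100.0/24.

```python
"""Scoping a web compromise from access logs.

Added example (not the article's code). Given a known indicator (the path of
a web shell found during an integrity check), it finds the source addresses
that used it, their earliest contact with the site, the commands they sent,
and every path they requested. The log lines are constructed for this
example and use documentation-reserved IP ranges.
"""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Combined/common log format as written by Apache and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: a normal visitor (198.51.100.23) and an attacker (203.0.113.7)
# who uploads a shell, runs commands through it, and dumps a database.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2017:02:14:01 +0000] "GET /index.php HTTP/1.1" 200 5123
198.51.100.23 - - [12/Jan/2017:02:15:10 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 8441
203.0.113.7 - - [12/Jan/2017:02:16:44 +0000] "POST /upload.php HTTP/1.1" 302 0
203.0.113.7 - - [12/Jan/2017:02:17:02 +0000] "GET /uploads/cmd.php?c=id HTTP/1.1" 200 88
203.0.113.7 - - [12/Jan/2017:02:17:30 +0000] "GET /uploads/cmd.php?c=cat+config.php HTTP/1.1" 200 612
203.0.113.7 - - [12/Jan/2017:02:18:05 +0000] "GET /uploads/cmd.php?c=mysqldump+shop HTTP/1.1" 200 1048576
198.51.100.23 - - [12/Jan/2017:02:20:00 +0000] "GET /index.php HTTP/1.1" 200 5123
"""


def parse_log(text: str) -> tuple:
    """Parse lines into dicts; lines that do not match are returned, not dropped silently."""
    events, unparsed = [], []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        parts = urlsplit(e["target"])
        e["path"], e["query"] = parts.path, parts.query
        events.append(e)
    return events, unparsed


def scope_incident(events: list, indicator_path: str, cmd_param: str = "c") -> dict:
    """Pivot from one indicator to every request made by the addresses that used it."""
    shell_hits = [e for e in events if e["path"] == indicator_path]
    if not shell_hits:
        return {"attacker_ips": [], "first_contact": None, "first_shell_use": None,
                "commands": [], "paths_touched": []}
    attacker_ips = sorted({e["ip"] for e in shell_hits})
    related = sorted((e for e in events if e["ip"] in attacker_ips), key=lambda e: e["ts"])
    # parse_qs already decodes '+' and %xx, so the commands come back readable.
    commands = [parse_qs(e["query"]).get(cmd_param, [""])[0] for e in shell_hits if e["query"]]
    return {
        "attacker_ips": attacker_ips,
        "first_contact": related[0]["ts"].isoformat(),
        "first_shell_use": min(e["ts"] for e in shell_hits).isoformat(),
        "commands": commands,
        "paths_touched": sorted({e["path"] for e in related}),
    }


def demo() -> dict:
    events, unparsed = parse_log(SAMPLE_LOG)
    assert not unparsed, unparsed
    return scope_incident(events, "/uploads/cmd.php")


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=1))
```

Two caveats a practitioner would attach. First, work on a copy of the logs whose hash you have recorded, never on the only copy. Second, pivoting on source address is a starting point, not a boundary: attackers rotate addresses and route through proxies, so widen the search to the same user agent, the same session, or the same time window once the first set of requests is understood. Even on this small sample, the `mysqldump shop` command with a one-megabyte response is what turns "a file was modified" into "customer records probably left the server", and that distinction is what drives the notification decisions in the next section.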
Data Breach Communications
The final aspect of your data breach incident response plan involves communication, specifically:
- Notifying any necessary authorities of your incident
- Informing internal stakeholders about the issue
- Sharing details of the breach with the public
Any IT security consultant you work with should be able to help you determine what your communication obligations are, as well as suggest recommended steps that should be shared with the public following a breach. Developing template communications ahead of time that can be deployed in the event of an incident can save time and prevent the mistakes that occur due to rushing.
You may also find that it’s appropriate to bring on legal assistance at this stage. Johnny Lee, Managing Director, Forensic, Investigative & Dispute Services of Grant Thornton LLP, suggests:
“For me, the most important first step would be to engage qualified outside counsel to guide the response efforts. The reason for this is that, at least in most cases within the United States, it is possible to protect the actions and communications of a breach response with the attorney-client privilege (and its related work product doctrine).”
Depending on your state, industry, company organization and data breach impact, you may be required to report the breach to local, state or federal authorities. Legal counsel can help you understand any specific obligations you’ll face.
Ultimately, one of the most important things you can include in your external communications is a sincere apology. Admitting that you’ve made a mistake is never fun, but until you acknowledge that you’ve put your customers’ identities at risk and demonstrate that you’ve taken the steps to make it right, you’ll never be able to rebuild trust with your clients or with the public at large.
Think Safety from the Start
Certainly, no discussion of planning for future data breaches would be complete without also mentioning the importance of protecting your website and data from the start. Preventing data breaches from happening in the first place lowers the risk that you’ll ever have to deploy the response plan you’ve so carefully crafted.
Make it a point to collect only the sensitive data that you need. Keep your systems patched and up to date, and make sure that any web host or SaaS provider you use takes the proper steps to protect your information. You may not be able to prevent a data breach with 100% certainty, but you can make yourself less of a target for those who go after the security world’s low-hanging fruit.
Do you have a data breach incident response plan in place? If so, share any other suggestions you have on what should be included by leaving us a comment below: