At a time when cyber attacks are happening one after another and cybercriminals are becoming more confident, skilled and aggressive, businesses need a contingency and response plan for when they become the target of a cyber attack.
Studies show that cybercriminals are targeting small businesses more frequently: cyber fraud affects one in eight small businesses each year, a trend that has grown markedly in the past 18 months.
According to the nonprofit Identity Theft Resource Center, there were 662 organizations that publicly disclosed data breaches – a figure that includes real-world theft and accidents as well as cyber intrusions. And the actual number is likely much higher than that, since not all hacking incidents get disclosed.
The Federation of Small Businesses in the UK reported that 41% of small firms were hit by cybercrime in 2013, with one in ten falling victim to online fraud and one in five affected by a computer virus. More alarming still, 82% believe they are not a target for attack because they are too small or do not have anything worth stealing, even though they have embraced technology and use computers to store and process vital business data.
Most firms do not believe they will be hit by a cyber attack, despite 68% having internet-connected computers and half allowing mobile and remote working. “Cyber criminals are increasingly targeting smaller, poorly protected firms as an easy stepping stone to larger firms in the supply chain,” said David Emm, senior security researcher at Kaspersky Lab.
What to do when your data has been breached
So your data has been breached. While it might set your company back financially, remember it doesn’t have to be a crippling experience. Depending on how your company handles it, a security breach need not have a long-lasting impact. Lori Nugent, a lawyer at Wilson Elser Moskowitz Edelman & Dicker LLP who specializes in breach cases, says that the public is forgiving when it’s apparent that the company is doing the right thing. In fact, if a company is on top of the technological problems and communicates well, it can build loyalty among its customers.
The critical steps you take immediately after a breach determine how the public will react to your handling of the situation. Remember, response and timing are everything after a security breach.
1. Keep your machines running.
The instinctive response on finding out you have been hacked is to turn off your computer. According to security experts, while disconnecting from the Internet must be done to prevent malware or a virus from spreading, turning off your computers might erase valuable leads for tracking who carried out the attacks and where they came from. So keep your computers powered up.
2. Ask for professional help.
Now is the time to call in the big guns – get the tech, security and legal experts. Ask IT security professionals for help to mitigate the attack, protect your system and prevent further attacks; notify the police; and call your lawyers.
Filing a police report is necessary to make an insurance claim. Your lawyer would be the best person to handle this.
3. Keep track of the clean-up.
After the attack, be mindful that you are not only trying to control the damage of a security breach, you are also planning for the consequences – financial losses and legal battles (you may get sued). At this stage, your job is mostly to sit back and let the pros do a thorough search of your systems. Basically, IT experts need to determine what information was stolen or lost, where in the system the attackers were able to get in (so they can fortify it) and, if possible, trace the hackers. Make sure that the breach has been wiped clean and your system is secured better this time.
The need to be cyber streetsmart
A study by security firm Kaspersky Lab has revealed that a third of micro businesses in the UK would not know what to do if they suffered a data breach. The survey of 250 micro firms with up to ten employees also revealed that 40% would struggle to recover all data lost and 25% admitted they would not be able to recover any data. Securing business data is essential for small businesses, as they make up a micro system within the larger economy.
Alex Grant, managing director of fraud prevention at Barclays, said that fraud can happen to any type of business in many different ways, impacting its revenue, reputation and long-term health, with no business being too small to be targeted. This is why the most important investment a business can make is to take the time to identify where it may be at risk from fraud and reduce those risks where possible to stay in control.
According to Peter Wenham, director of information assurance consultancy Trusted Management, any company that has no IT security expertise should consider outsourcing IT security management. Specialist firms in this area are able to ensure client companies have appropriate policies, procedures and operational guidance in place. Such firms can also offer overall security management of IT environments, including the undertaking of security reviews and audits and security awareness training for company staff.