It seems as though every few days we hear about another data breach or cyber-attack. Hackers do not limit their attacks to large enterprises with well-known names. They also take advantage of small companies that often have the most to lose. Since no business is immune from these threats, it is critical that your company has a strategy in place to help prevent these incidents before they happen and a formal plan to help remediate an attack after it has taken place.
How is your company organized to prevent attacks from happening? Is it solely the responsibility of your IT department? To implement a successful prevention and remediation strategy, it is critical that you develop a company-wide plan that involves key stakeholders across many departments.
So, what should your plan look like once a breach has taken place? Here are 5 key components:
1. Control the Attack
As soon as you discover that your network has been breached or your company has been a victim of a cyber-attack, you must dig in and uncover how the attack occurred, if the treat is still active, or if it has ended. Was the attack initiated through the internet? Did someone gain access to a database with an inadequate password or no password at all? Did an employee open an email attachment causing malware to spread across the company?
Taking a calm, methodical approach to uncovering how the threat was implemented will help to reduce fears among employees and insure that business can continue while the threat is being contained and the steps put in place to eliminate it.
2. Evaluate the Danger and Data Affected
As soon as the threat has been identified and controlled, evaluate the amount and scope of the damage. This will help you gage the next steps which should be put in place and the key personnel you will need to assemble to mitigate additional risks to your business. Here is a sampling of some of the answers you should uncover:
- Who or what was behind this breach?
- What types of data have been affected?
- Where was the data stored?
- What groups of people have been affected – employees, customers, others?
- How many people have been affected (what was the scope of the attack)?
- What kind of information was included – health information, financial records, etc.?
- When did the attack occur and for how long did it go on?
- Was the data backed up?
- Was the data encrypted?
3. Assemble Key Personnel
Before any breach takes place, you should have already selected a diverse group of staff members who will be your go-to team in the event of a data breach. They should be able to take control of the incident from every angle and be responsible for all aspects of the remediation plan. When an attack has been discovered, the team should be informed and assembled immediately in a conference room or via a video conferencing tool to learn the details of the threat and execute on their individual components of the plan.
This group might include the CIO, VP of Sales, Director of Customer Care, the CMO and anyone else you feel is appropriate. They will work with each of their teams and across departments to reduce the impact on the company and customers. They will also be responsible for communicating updates internally and externally on how the remediation process is going and providing information on how a similar breach will be prevented in the future.
Your communication plan should include three key components – communication to employees, communication to customers, and communication to the media.
• Communication to Employees:
You will have a number of technical and non-technical personnel working on the aftermath of this attack, assessing the situation and uncovering what has happened. Assumptions, rumors and inaccurate information can spread like wildfire across the company. Your internal employee communications plan may be directed by your company’s CEO or CMO and should strive to put employees at ease by keeping them updated on exactly what has happened, what you are doing to correct the situation, if any of their information has been affected and what policies and procedures are being put in place to prevent the attack from happening again.
It is also important to inform your employees that they may receive calls or emails from customers asking about the situation. Educate your employees on what they can say and what they should not say. You may want to provide your team with a brief statement that they can use but suggest that any additional questions should be forwarded to a more senior member of the staff such as the CEO, CMO, Vice President of Sales, etc.
In addition, reporters, bloggers and journalists often bypass the media wall which companies put up as soon as an attack has taken place and reach out to inexperienced sales people or technical support representatives who unwittingly answer reporters’ questions. They then find their comments spread across the internet. Be sure to inform all employees that if they receive a phone call or email from any member of the media, they should immediately turn that request for information over to the CMO, PR agency or other assigned spokesperson. This key contact will provide a company approved answer which is appropriate for public distribution.
• Communication to Customers:
It is critical to implement an incident response strategy which will address how you will communicate to your customers. You will absolutely need to reach out to them if you discover that their personal information has been compromised. But, what is your responsibility to keep them informed if their data has not been affected? As soon as word gets out that your company has been impacted by an attack, customers will call, asking for the details and wondering if their information is included. Will your company get out ahead of those calls, pro-actively letting them know what has occurred and that no customer data has been threatened? Other questions to consider are:
- How quickly will you send the first communication to customers and how will it be done – via email, an online landing page, a secure customer portal?
- In addition to the standard communication, will you call your largest or most important customers to personally discuss what has happened?
- Will you communicate to all customers or only those you believe to be affected?
- How frequently will additional updates be made available?
- What procedures have you put in place to mitigate any future the risk to your customers?
• Communication to the Media:
As we mentioned above, any hint that your company has suffered an attack will prompt members of the press to inquire about what has happened. You should be prepared for this and be ready with a vetted and approved answer which can be provided to them by your company’s spokesperson. Reporters know that they will most likely receive a “canned” statement so they may attempt to receive additional information by reaching out to other departments who are not experienced at speaking to the media. As previously stated, be sure to inform your employees that they should turn all press questions over to your spokesperson who has been approved to speak on your company’s behalf.
5. Prepare for a Breach Before It Occurs
In the case of a fire or natural disaster, we often wonder how first responders remain so calm and focused and can take control of the situation. Their answer is always, “We prepare for it. We train over and over again so that when an incident does happen, our training takes over and we immediately spring into action.”
Although a data breach does not have the same life or death implications, your company should train regularly to spot a potential threat, react appropriately to it and execute your plan to eliminate it. This could include ensuring that all equipment is secure, regularly implementing software updates and patches, educating employees on new cyber threats, and confirming that key members of your management team understand their roles and can immediately come together to execute on their responsibilities.
All companies, whether small businesses or large enterprises are at risk for a data breach or cyber-attack. In this electronic age, there is no longer a question of if a threat will occur but when it will occur. It is critical to remember that is it not just the responsibility of your IT department to implement preventative measures and remediation procedures. It is a company-wide responsibility with everyone doing their part.