Experts now say it’s not a question of if a hacker will breach your data, but when. According to a survey by Nationwide Insurance, 63% of small-business owners admit they’ve been attacked. Yet, astonishingly, 79% of them do not have an incident response plan for when it happens again.
Why might that be? After all, most respondents without an incident response plan (73%) said they are concerned that a cyber attack could impact their business. Yet almost half (46%) believe their security software will protect them.
Unfortunately, that belief is misplaced. Best-of-breed firewalls, antivirus and anti-malware products, and other security controls are very good at what they do, but they cannot stop every attacker. Given sufficient time and resources, a determined attacker can get past sophisticated defenses. Just ask Target, Home Depot and other large enterprises that spent millions of dollars trying to keep attackers out and failed anyway.
What you need: an incident response plan that lays out exactly what you will do, and who will do it, in case of a data breach. Deciding these things in advance, rather than in the middle of an incident, is what lets you minimize the damage a breach can do to your business.
What Is an Incident Response Plan?
An incident response plan is a step-by-step set of formal instructions, written down so everyone is on the same page, describing what you will do when your data has been stolen, exposed, or encrypted and held for ransom, an increasingly common tactic.
Those instructions should specify who is in charge of the breach response and assign specific duties to specific people. For example, you will want to name who is responsible for containing and fixing the breach; who will notify the people, employees or customers, whose data has been stolen; who will instruct employees to reset their passwords, and so on. Given that most SMBs do not have security or IT experts on staff to help in a crisis, it is a good idea to have a third-party expert firm on call for such events. Vet and engage such a firm ahead of time, with the engagement terms and contact details written into the plan, rather than scrambling to find one while under attack. This affects your budget, but in the end it is one of the best options an SMB has.
A number of organizations have published guidelines on creating incident response plans that are suitable for SMBs, including the following:
- The National Institute of Standards and Technology (NIST): Computer Security Incident Handling Guide (Special Publication 800-61)
- U.S. Chamber of Commerce: Internet Security Essentials for Small Business
- FDIC Incident Response Program Supervisory Insights
- FCC Small Biz Cyber Planner 2.0
Components of an Incident Response Plan
Following the NIST guide, an incident response plan covers three major steps once an incident is under way (the guide also counts preparation, the work you do before any incident, as a phase of its own):
Detection and analysis – Begin documenting everything as soon as you believe you have been attacked: what was observed, when, by whom, and every action taken in response. That timeline is the basis for the investigation, for any notifications, and for the lessons-learned review afterwards.
- Investigate and gather whatever evidence you have that you have been compromised, such as security alerts, log entries or external reports. For example, multiple customers complain that their bank information has been stolen, or, as often happens, law enforcement or another outside party contacts your firm about a breach of sensitive customer data.
- Report the incident to the appropriate staff whom you have designated as your incident response team so they can assume their designated roles.
- Put a senior, trusted executive in charge of the response. That person does not need in-depth technical expertise; the job is to make decisions and coordinate, while technical staff or your outside firm handle the hands-on work.
Containment, eradication and recovery – Contain the attackers first, by isolating affected systems and disabling compromised accounts, then remove them from your environment and restore normal operation.
- This requires you to identify and fix the weaknesses that were exploited. Perhaps you forgot to patch your Web server with the latest operating system updates? Or an employee was phished and her password stolen, in which case the password must be reset and any sessions the attacker opened with it revoked? You need to address those issues, or the attackers will simply come back the same way.
- Perhaps you have multiple machines or servers contaminated with malware. Before you clean them, preserve the evidence you will need for the investigation and for any notification obligations, for example by taking disk images. Then remove the malware; rebuilding a system from a known-good image or backup is usually more reliable than trying to clean it in place. Return your systems to regular operation as soon as possible, but verify each one is clean before reconnecting it, and keep watching for signs that the attackers are still present.
- If sensitive data has been stolen or exposed, you have to notify the affected parties and the relevant regulatory agencies within the timelines the applicable regulations require. You may also have to deal with the press, if they hear about it, so include a crisis-response team in the plan to answer customer, vendor or press questions. This can be a single person, or it can include people from various departments, from marketing (PR and social media) to finance (billing and invoice questions).
As you can see, there are many steps involved in solving the problem once you have identified it. This is where you may need the help of a third-party expert. Security firms deal with incidents like these on a regular basis, and they are the ones who will be able to get your business back up and running as quickly as possible. At the end of the day, your investment in this area goes towards making your business productive again and making a similar breach less likely in the future.
Post-incident activity – Hold a lessons-learned meeting of all stakeholders and write a follow-up report covering what went wrong, how the incident was detected, how you fixed it, and what you will change in the plan as a result. It can also be helpful for all employees to hear a recap of the incident, especially if they were unwittingly part of the breach.
Give Yourself Peace of Mind
Data breaches at SMBs are becoming more common, and are extraordinarily costly. Not only do you have the actual dollar costs of containing and remediating the breach – usually involving hiring third-party experts – but you can experience damage to your reputation, lose customers and be forced to pay hefty penalties if the breach has broken any industry, state or federal regulations. Being prepared can help you minimize these costs, and give you peace of mind.