A data breach occurs when confidential information is stolen from an internal system without the authorisation of the system’s owner, i.e. someone hacked into your systems and copied that information.

Many hackers target small and medium-sized businesses rather than large companies because the smaller companies are likely to have less cyber security in place, and hence are easier to hack. This is not always true, of course, as it depends very much on each company.

You can understand why hackers would target financial companies and retailers that are likely to hold their customers’ credit card information, but you might wonder about the value of hacking many small businesses.

Almost all businesses will have customer records – probably name, address, email address, phone number etc. – and these are highly valuable, as hackers can sell them to scammers, identity thieves and others.

If a company is breached and its customers are affected, then the damage to the company’s reputation can be severe. Customers who don’t trust a business aren’t going to stay with it.


Consider These Steps Following a Data Breach

1. Investigate

You need to know:

a. How did the hackers break in?

b. When, and how often, did they have access?

c. What information did they take?

d. What else could they have had access to?

e. Have they left anything in the computer systems that could cause further problems, e.g. a back door created to allow them entry in the future?

And you need to establish all of this thoroughly.

This will usually reveal some changes that are needed urgently and a series of further changes to implement over the following days and weeks.
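Questions b to e above are, in practice, answered by going through whatever logs survived the breach. The script below is an added example (not part of the original post) of a first-pass triage over web-server access logs: for each source address the investigation has already flagged as suspicious, it reports when that address was first and last seen, on how many days it was active, which paths it touched and roughly how much data was served to it, and which successful write requests went to paths where something could have been left behind. The log lines, the suspicious address and the list of persistence-relevant path prefixes are all constructed for this example; a real investigation takes the prefix list from the application actually in use, and corroborates web logs with authentication, database and host logs, since an attacker with admin access may have edited the logs themselves. Question a (how they got in) usually needs more than access logs.

```python
import re
from datetime import datetime

# Constructed sample lines in the Apache/nginx "combined" log format.
# Addresses are from documentation ranges; nothing here is from a real system.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:02:14:05 +0000] "GET /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:15:41 +0000] "GET /admin/export?table=customers HTTP/1.1" 200 5832011 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2024:09:03:12 +0000] "GET /products HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2024:03:02:17 +0000] "POST /admin/plugins/upload HTTP/1.1" 200 77 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2024:03:02:30 +0000] "GET /admin/export?table=payment_cards HTTP/1.1" 200 1204882 "-" "Mozilla/5.0"
198.51.100.22 - - [11/Mar/2024:10:11:02 +0000] "GET /products/42 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed list for this example: paths where a successful write could mean the
# attacker left something behind (question e). A real list comes from the application.
PERSISTENCE_PREFIXES = ("/admin/plugins", "/admin/users", "/wp-content/uploads")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def triage(log_text, suspicious_ips):
    """Summarise what each suspicious source did, keyed by source address."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ip"] not in suspicious_ips:
            continue
        s = summary.setdefault(rec["ip"], {
            "first_seen": rec["ts"],      # question b: when did they have access
            "last_seen": rec["ts"],
            "requests": 0,
            "active_days": set(),         # question b: how often
            "paths": set(),               # questions c and d: what they touched
            "bytes_out": 0,               # rough size of what was served to them
            "writes": [],                 # every state-changing request
            "persistence_flags": [],      # question e: successful writes to sensitive paths
        })
        s["first_seen"] = min(s["first_seen"], rec["ts"])
        s["last_seen"] = max(s["last_seen"], rec["ts"])
        s["requests"] += 1
        s["active_days"].add(rec["ts"].date())
        s["paths"].add(rec["path"])
        ok = 200 <= rec["status"] < 300
        if ok:
            s["bytes_out"] += rec["bytes"]
        if rec["method"] in WRITE_METHODS:
            s["writes"].append((rec["ts"], rec["method"], rec["path"]))
            if ok and rec["path"].startswith(PERSISTENCE_PREFIXES):
                s["persistence_flags"].append(rec["path"])
    return summary


if __name__ == "__main__":
    for ip, s in triage(SAMPLE_LOG, {"203.0.113.7"}).items():
        print(f"{ip}: {s['requests']} requests, {s['first_seen']} to {s['last_seen']}, "
              f"{len(s['active_days'])} active day(s), {s['bytes_out']} bytes served")
        for path in sorted(s["paths"]):
            print("  touched:", path)
        for path in s["persistence_flags"]:
            print("  CHECK FOR PERSISTENCE:", path)
```

The output for the constructed log shows the flagged address active on two separate days, two large customer-data exports, and one successful upload into the plugins directory, which is exactly the kind of finding that belongs on the urgent list rather than the days-and-weeks list.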

The company may have lost some of its own financial or confidential information, but generally the biggest problem is with customers’ data. The most sensitive of this is usually financial – the customers’ credit card details, along with logins and passwords. This information is clearly dangerous, as hackers can use it to put those customers at risk of identity theft, financial theft and other scams.

Hackers can readily sell customers’ names, addresses, dates of birth, email addresses and phone numbers.

Breaches can happen because hackers get in from outside your systems by exploiting system vulnerabilities, but in many cases the hackers got the information they needed from inside: either knowingly, from an accomplice within the organisation, or unwittingly, from a member of staff giving out information without realising the dangers involved. This can be as simple as someone entering a competition that arrived by email or answering an innocent-sounding caller’s questions.

2. Inform Relevant People and Organisations

It is essential to tell everyone concerned about the problem as soon as possible. Delays only cause more problems.

You may need to tell:

a. Staff

b. Customers

c. Suppliers

d. Partners

e. The press

f. The authorities

g. Anyone else who could be affected

You may want to wait until you have full information before telling the outside world, but that can take time, and you don’t want the fact of a data breach becoming public without your instruction. Tell people what you know up to that point and be clear where you don’t yet know the full details.

Do provide as much detail as is available, and admit responsibility where relevant.

There may be a need to set up a helpline for affected customers and suppliers, and there may be a case for compensation.

3. Fix the Problems

The hackers got into your systems and stole information. You need to do whatever it takes to protect that information in the future, or remove it from your systems. If you are not confident you can protect the data, then get rid of it and operate in a different manner, e.g. outsource all customer financial information to a third party with greater security expertise.

You may need to make changes in these areas:

a. Technology infrastructure

b. The types of information that are stored

c. Security procedures and processes

d. Staff education

e. Suppliers, partners and anyone else affected

f. The level of in-house security expertise, or access to external experts

If your business learns from such a data breach, then you may come out of the situation in better shape.
