Hacked! What to do Next…

Posted by Jim Van on December 3, 2011 under business continuity, data security, disaster recovery, security


It happens. Despite all the due diligence, a solid security policy, regular updates to your security software, your business gets hacked. Congratulations! You’re now part of an estimated 62,000 strong group of businesses worldwide that have been hacked in 2011 alone, according to the Computer Security Institute, a non-profit industry watchdog group that follows such things.

So, now that we’ve established that, what are the next steps you should take? The first few minutes can make all the difference….

Let’s cover the response step-by-step:

  1. Breathe. If you put aside your panic and follow these steps, you and your business will survive. Read the first paragraph above. You’re far from being alone. And, given the number and volume of data breaches these days, the public has become far more understanding when it’s obvious that the company isn’t at fault and is communicating the steps it is taking to remedy the breach.
  2. Understand what happened and how. Is the data still compromised? What data was compromised? By whom? How? It’s important to understand what happened, and how it will impact customers, vendors, employees and your business.
  3. Call in the security pros. It’s the single most important step you can take to assist with item 1 above, and to ensure that the breach has indeed been plugged. Face it, unless you ARE a security company, you’re most likely in over your head. If you don’t have one on speed-dial, add one now. There are many of us out there…
  4. Call the cops. They won’t have the resources necessary to really investigate a breach, but get it on the record. A crime’s been committed. If you’re going to involve insurance, defend liability claims (heaven forbid!) and the like, you need to make this incident official. If you really do need to bring in law enforcement, the Secret Service (believe it or not) is the federal agency that is charged with investigating data breaches. Oh…and make sure the breach isn’t still open. It never ceases to amaze me the number of times we respond to a data breach, find the company humming along in its response to the breach, but the breach is still open.
  5. Chain of Custody: there are probably going to be legal ramifications resulting from this breach. Sorry…but this is America, and everybody sues everybody over everything. Why would this be different? You probably won’t get sued, but you do need to be dressed up and ready to go, and establishing a chain of custody, even after the data’s been breached, shows an appropriate response (ok, it’s like shutting the barn door after the cow’s escaped, but it’s appropriate).
  6. Contact Counsel: Did we mention lawyers yet? Contact your company lawyer. Don’t have one? Get a recommendation, and do it now. You need to develop a strategy, including communications. Do so WITH a lawyer’s guidance.
  7. Communicate: Again, do this AFTER you’ve consulted your attorney. Communication is perhaps the most critical element in your company’s response. It can significantly decrease the damage from the data breach, and the ensuing legal action that might be taken by those affected. And most important: it’s the morally right thing to do. Communicate often. Let people know what steps your company is taking to minimize the impact to them. By the way, almost every state has laws specifying when your company needs to notify victims of a data breach. And, of course, each state has different rules. Your lawyer will know how to handle this.
  8. See above. Those affected are probably going to expect the worst. They’re going to have to contact credit card companies, credit bureaus, and other appropriate agencies to protect themselves against loss, and are going to feel very victimized. Most will realize that it’s probably not your company’s fault, but they are going to look very closely at how you respond to the breach, and how you respond to them. Counsel will probably tell you not to apologize, and that advice is sound. But being apologetic and actually apologizing are two separate things. Do the former. And keep the communications open. An offer to allow those affected to check their credit records at no cost is very appropriate, and is taken up by only a small percentage of those affected. Offer similar assistance. It goes a long way.

Even though it may not feel like it at the time, being hacked is not the death knell for your company, nor is it likely that you’ll be sued into the ground, if you respond properly. While it’s unfortunate that intrusions occur more frequently than ever, that is largely because more small businesses than ever have an online presence, giving cyber-criminals more opportunities. Establishing a strong company security policy, and enforcing it, will go a long way toward preventing such attacks, and the ensuing anxiety and expense, from occurring.

  • Will said,

    Right on. So many people clam up when hacked, or try to cover up the damage that might have occurred to those whose records might be compromised, which only makes it worse for all involved in the end. Communicate, communicate, communicate…that’s the key.
