Is Your Business Prepared for a Data Breach?
A data breach can put your company in legal jeopardy and damage your reputation. Learn the steps you can take today to ensure your business is prepared for an unavoidable data breach.
Cyber threats to small businesses are on the rise. In 2021, 45% of small businesses suffered from a data breach. To make matters worse, 23% of breaches are due to human error. In other words, hackers often get a hold of sensitive information due to an accident on the part of an individual. For example, in 2010, a software engineer at Apple left a prototype iPhone at a bar. Within a few hours, the specs were all over the web.
But most threats are going for something far more valuable than a phone prototype — customer and employee personal data. Credit card numbers, social security numbers, names, addresses, and trade secrets are all up for grabs.
While technology has made dramatic advances, so has cybercrime. Having a strong password that helps protect data is no longer enough. Successful data security strategies require a more proactive approach.
To really understand how small businesses can better protect themselves from a breach, we have to begin by looking at what a data breach really is.
What exactly is a data breach?
To put it simply, a data breach is an event in which sensitive, identifiable information is viewed or shared without permission. These breaches normally occur because of a weakness in an organization’s current technology or through human error.
Some common causes of data breaches are:
- Unintentional insider: In this case, an individual accidentally leaks protected information to the public. This may be due to insufficient security policies or technology, as well as just human error.
- Lost or stolen items: In this case, devices such as unencrypted smartphones and laptops, or files with personal information, go missing.
- Malicious hacking: A malicious actor might seek to obtain information either as an insider or as an outsider. As an insider, they may have the proper authorization for the files but plan to use or share them inappropriately. An outsider, meanwhile, will need to find a way to access private information and share it.
When it comes to the first two causes, it’s possible to plan policy around human error and theft. Security cameras, rules about device usage at the office, and mandatory encryption for all devices are some steps that can prevent lost items and leaks.
However, when it comes to outside threats, things can get tricky. This is because many hackers choose to target individuals rather than the company itself. As a result, organizations need to ensure that their employees understand social engineering attacks, which rely on psychology rather than brute force.
5 types of intentional data breaches
Hackers are more creative than ever. It can be helpful to educate employees on common outside threats. In particular, you will want to cover:
1. Ransomware
When an employee receives a message that their computer has been hacked and that they will need to pay a fee to fix it, they are the victim of a ransomware attack. In some cases, the perpetrator really does have access to important data and will threaten to delete it. Victims usually give the hacker access by accident, by clicking on a compromised email attachment or link, which then downloads and installs the program.
2. Malware
A type of virus that wipes data from your devices, malware is particularly harmful to companies. Not only can it remove client lists and personal data, but it can cause life-threatening damage if introduced into a hospital or government system.
3. Keylogging
Some hackers use a type of malware that records your keystrokes. Basically, anything you type will be transmitted back to the hackers. In a keylogging attack, all types of sensitive data are vulnerable. This includes passwords, credit card numbers, social security numbers, customer information, and trade secrets.
4. Phishing
Put simply, phishing is when a hacker creates a copy of a website or app that looks genuine. For example, someone might send you an email claiming to be from Yahoo and telling you that your account has been compromised. To fix the problem, the email prompts you to log in through a link or button. When you click the link and sign into what you think is your account, you are actually handing the criminals your login credentials.
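The lure described above usually depends on a link whose visible text looks like the real site while its actual destination is somewhere else. The following is an added example, not code from the original article: a small Python check that a mail filter or security-awareness tool could run over an HTML email body to flag links whose displayed address does not match the host they really point to. The sample email and the hostnames in it are constructed placeholders.

```python
"""Flag links in an HTML email whose visible text points somewhere other
than the real destination. Added example; the sample email is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a lure that claims to be from Yahoo (as in the article)
# but whose login link goes to a hypothetical attacker-controlled host.
SAMPLE_EMAIL = """
<p>Your Yahoo account has been compromised.</p>
<p><a href="https://login.yahoo.com.example-attacker.test/verify">https://login.yahoo.com</a></p>
<p><a href="https://help.yahoo.com/kb">Help Center</a></p>
<p><a href="https://login.yahoo.com/">https://login.yahoo.com/</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the lowercase hostname of a URL or bare domain, or None."""
    if "://" not in value:
        value = "https://" + value  # treat bare domains as URLs
    host = urlparse(value).hostname
    return host.lower() if host else None


def looks_like_url(text):
    """Heuristic: the visible text is itself a URL or a domain name."""
    return "://" in text or ("." in text and " " not in text)


def find_deceptive_links(html):
    """Return (href, text, reason) for every link whose visible text is a
    URL or domain that does not match the host the link actually targets.
    Links with plain-language text (e.g. "Help Center") are not judged here."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not href or not looks_like_url(text):
            continue
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            findings.append((href, text, f"text shows {shown} but link goes to {real}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in find_deceptive_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {text!r} -> {href} ({reason})")
```

The check deliberately compares whole hostnames rather than only the registered domain, so a subdomain trick like the one in the sample is caught. It does not judge links whose text is plain language, which is where user training (hover before you click, go to the provider's site directly) still matters.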
5. Distributed Denial-of-Service (DDoS)
This type of attack makes it impossible for workers to sign into their company systems. It effectively forces the company to shut down until the problem is fixed.
When explaining these concepts, it’s important to stress that being aware of suspicious activity will not only protect the company but also the employees themselves. Fraud and identity theft are two of the main reasons criminals steal data. Personal information, including personal health information, sells well on the dark web, and misuse can be difficult to trace.
The risk of identity theft is a particular stressor for employees and clients alike. The out-of-pocket cost for rectifying identity theft is $1.7 billion worldwide. And since the pandemic started, the threat has only increased. Cybercrime is reportedly up by 600% since 2020.
How to prevent data breaches
There are many steps companies can take to prevent data breaches, from choosing secure payment partners to ensuring their network is completely private.
However, the biggest factor is employee training.
Employees need to know how to handle sensitive data within the workspace. Clear guidelines will not only help prevent unintentional data leaks but also lessen the risk from outside actors.
Most types of malware and ransomware are installed by clicking a link or email attachment. For remote workplaces, this can be a hazard, since coworkers regularly share information, interesting articles, and other links or attachments on company channels.
In this kind of environment, you can deploy remote security policies in addition to warning employees not to click on unknown links. Some ideas include:
- Having a work-only computer or device
- Asking employees to submit documents via a trusted file-sharing system, such as Dropbox or Google Drive
- Enforcing two-factor authentication on all devices
- Ensuring each employee has a company-based email address with additional security features
- Keeping antivirus software installed on all company devices
- Using high-grade encryption for personal information and other sensitive data
- Informing employees to limit sensitive information they send to third-party vendors, especially over email
Tools and resources for a secure work environment
Creating a secure workplace requires more than updated policies and antivirus software, and each business has its own requirements. For example, if you directly handle payments, you will need to comply with the Payment Card Industry Data Security Standard (PCI DSS). Healthcare providers, meanwhile, should ensure that their policies and technology follow HIPAA guidelines.
But most businesses will require the same basic protection tools:
- Firewall: This core service monitors all traffic in your organization’s network and prevents intrusions from potentially dangerous hackers. While firewalls aren’t perfect and can be tricked, they essentially remove lower-level threats.
- Antivirus Software: An up-to-date antivirus software will scan links and attachments for potential malware and viruses.
- Public key infrastructure (PKI) services: A higher-grade security offering, PKI services ensure that you are using secure versions of public sites and strengthen your internal security measures. For example, PKI services can help you enable multi-factor authentication on company devices, submit compliant digital signatures, encrypt emails, and protect code.
- Detection and penetration testing: Additional services will regularly scan your networks for potential threats or test your systems to confirm that your security measures are working correctly.
Keep in mind that every touchpoint in your system could become a vulnerability. This includes third-party vendors. If you are working with contractors, consider adding them to your network through company emails and other protected software. For other providers that you may outsource to, such as payment processors, ask how they protect client and consumer data.
What to do if you’re compromised
So what happens if you discover a data breach?
First, it’s important to note that most data breaches aren’t immediately detected. On average, it takes about 228 days for businesses to realize they have a problem. This matters because the first thing you’ll need to do is find out what information has been compromised and for how long. If you invested in detection services, your provider should have logs that reveal the extent of the breach.
Once you have confirmed the breach, have your IT team jump into action. Ideally, preserve copies of the affected systems for legal documentation first, and then get to work fixing the issue.
You’ll want to ask all employees to change their passwords. If a specific employee account was used for the attack, you’ll want to lock that account.
Once your IT team has fixed the issue, test the new system to ensure that the affected area is truly safe.
Finally, you’ll want to inform the authorities and affected customers. You will want to be as specific as possible. Tell your customers:
- What information was compromised
- How long it was compromised for
- What caused the issue
- How you fixed it
- More steps users can take to ensure their data is secure
Be transparent
While recovering from a data breach will cause a drop in consumer confidence, not being transparent is even worse. If possible, consider setting up a helpline to support customers who may be affected. Depending on the information that was deleted or stolen, customers or employees may need to notify their bank or credit card issuer or their insurance company, or review their personal transactions for signs of identity theft.
When you announce a data breach, you’ll want to send out a press release. But when it comes to informing employees and customers, you can be more flexible. We’ve drafted 2 templates to get you started.
Data breach notification template for employees
Hi [Name],
Unfortunately, we have some critical information to announce about a recent data breach and our data security measures moving forward.
From [Date] to [Date], our system suffered a data breach caused by a piece of malware. This malware has been traced back to a link shared in an email. As a result, customer passwords and login information were leaked.
We have taken steps to remove the malware and notify customers. Please be aware that the malware originated from an email about [X]; such emails should not be opened in the future.
Email phishing is a common way to steal information. If any provider emails you and demands that you log in to their portal, go directly to the provider’s website as listed in our handbook. Do not click on the link.
We will be having additional security training on [Date] to inform everyone of our security policies.
Please let us know if you have any questions.
Best,
[Manager]
Data breach notification template for customers
Hi [Name],
Unfortunately, we at [Company Name] have recently suffered a data breach and your information may have been affected.
From [Date] to [Date], our system suffered a data breach caused by a piece of malware. This malware has been traced back to a link shared in an email. As a result, customer passwords and login information were leaked.
We have taken steps to remove the malware and update our security standards.
We highly recommend that you change your password for your account, and for any account that uses the same password. You can learn more about our security practices and protecting your account in our guide here: [link]
Please let us know if you have any questions.
Best,
[Company Name/CEO]