A data breach is every business owner’s nightmare. Should hackers gain access to your customers’ or employees’ sensitive data, the very reputation of your company could be compromised. And lawsuits might soon follow.
No business owner wants to think about such a crisis, yet it’s imperative that you do. Suffering a data breach without an emergency disaster recovery plan leaves you vulnerable. The vulnerability is not only to the damage of the attack itself, but also the potential fallout from your own panicked decisions.
A comprehensive plan generally follows five steps once a data breach occurs:
He or she should be able to advise you on the potential legal ramifications of the incident. Your attorney should also advise on what to do or not do (or say) in response. Involve your attorney in the creation of your response plan, so all this won’t come out of the blue.
Contact us for help identifying a forensic investigator that you can turn to in the event of a data breach. The preliminary goal will be to answer two fundamental questions: How were the systems breached? What data did the hackers access? Once these questions have been answered, experts can evaluate the extent of the damage.
While investigative and response procedures are underway, you need to proactively launch an IT project to prevent another breach and strengthen controls. Doing so will obviously involve changing passwords, but you may also need to add firewalls, create deeper layers of user authentication or restrict some employees from certain systems.
No matter the size of the company, the communications goal following a data breach is essentially the same: Provide accurate information about the incident in a reasonably timely manner that preserves the trust of customers, employees, investors, creditors and other stakeholders.
Note that “in a reasonably timely manner” doesn’t mean “immediately.” Often, it’s best to acknowledge an incident occurred but hold off on a detailed statement until you know precisely what happened and can reassure those affected that you’re taking specific measures to control the damage.
You may want to initiate an early warning system against future breaches by setting up a credit monitoring service and engaging an IT consultant to periodically check your systems for unauthorized or suspicious activity. Of course, you don’t have to wait for a breach to do these things, but you could increase their intensity or frequency following an incident.
Data breaches are an inevitable risk of running a business in today’s networked, technology-driven world. Should this nightmare become a reality, a well-conceived emergency response plan can preserve your company’s goodwill and minimize the negative impact on profitability. Our Milwaukee bookkeeping firm can help you budget for such a plan and establish internal controls to prevent and detect fraud related to (and not related to) data breaches.