SME survival guide: How to deal with a data breach
The Government says that almost half of all businesses reported a data breach or cyber-attack in the past year – a sobering statistic for any SME.
And what makes this even more worrying is the impact such an incident can have. If you suffer a breach, that means a hacker has access to your business data, which is a huge problem in itself. But the time spent fixing your systems, the damage to your reputation and potential loss of customers, will all create further issues.
So, if you suspect a breach has occurred, what should you do?
What has been affected?
Cyber-attacks come in many different forms, but the common theme is that they target vulnerabilities in your defences. Ransomware delivered by phishing, for instance, depends largely on human error: it relies on an unwitting email recipient or webpage visitor clicking a link or opening an infected file. Once downloaded, the malicious software lurking within enables the hacker to gain control of the device and lock its files, folders and applications until a set price has been paid.
This can take place within a matter of minutes, which is why it’s so important to recognise the different signs of a breach quickly and ensure appropriate processes are put into place.
The first thing is to find out what has been compromised. Is it sensitive or regulated information, such as intellectual property, personal data or bank details? Whose details are these? Staff, customers? This determines who should be notified.
Details of the actions to take should be set out in any company’s cyber-security plan. This should set out key recovery objectives – how long the business can be shut down while waiting for the restore to take place, and how many hours of business-critical data the company can afford to lose.
What should happen next?
Owners and managers of the business – and their lawyers – should be informed straight away. Depending on what has happened, another important action could be to report it to the police via the Action Fraud website.
If you think it’s a public cloud that has been hacked, you need to inform the cloud provider, and under the General Data Protection Regulation (GDPR) data controllers will additionally be required to contact the ICO within 72 hours. You will need to notify anyone whose data has potentially been affected – with advice on any actions they must take – and consider other stakeholders who need to be informed too.
If a cloud is the problem, much of the infrastructure and evidence are in the hands of the provider rather than your business, so your strategy for dealing with the breach must reflect this. However, differing responsibilities can cause confusion. Usually providers manage the security of the cloud itself, but it is generally up to you to ensure that the applications and data you put there remain protected and secure.
When the dust has settled
So after the initial clean-up, what should happen next? A complete analysis of the breach is a good idea, so that you can learn from any mistakes made and implement measures that minimise or eliminate the risk of it happening again.
In addition, working out what you can do to improve security across the board is essential. Now is the time to introduce tools to identify vulnerabilities throughout your infrastructure and take steps to remove those weak spots. Whilst a company might survive one breach, a repeat could spell the end of your business.
The good news is that there are simple steps you can take to minimise this risk – and all businesses should assume they could fall victim to an attack at any time. Two things to do right now – as recommended by the Government’s Cyber Aware initiative – are to install the latest software and app updates and to use strong, separate passwords for your email.
The National Cyber Security Centre (NCSC) also publishes a complete guide for small businesses, with advice on improving security. Advice on how to train staff members is also available.
According to the NCSC, here are five key ways to protect your SME from a cyber-attack:
- Use a firewall to secure your internet connection
This acts as a buffer between your IT network and other external ones, allowing incoming traffic to be analysed before it is allowed onto your network.
- Pick the most secure settings for software and devices
Default configurations are often open, so check them and change them accordingly to make your software and devices more secure. One way to do this is to disable or remove any functions, accounts or services that you don’t need and add strong passwords. For accounts like banking and IT administration, two-factor authentication (2FA) – often involving a code sent to your phone to enter in conjunction with your password – is more secure than password-only.
- Limit who accesses your data and services
Employees should have access to the software, settings, online services and device connectivity functions that enable them to do their job, but no more. Extra permissions can be added when required and accounts with administrative privileges should only be used for the relevant tasks. For general work, use standard accounts.
- Protect your business from malware
Viruses are the most well-known form of malware, which is software or web content that has been designed to cause harm by infecting legitimate programmes. Opening a suspicious email, browsing a compromised website or opening an unknown file from removable storage media – such as a USB memory stick – can all allow malware into your systems. Use anti-virus software and only download apps from reputable sources, such as Google Play or the Apple App Store.
- Keep your devices and software up-to-date
Apply updates to your computer and devices when prompted – or even better, change settings to automatically update. As well as adding new features, these also fix any newly-discovered security vulnerabilities. When new updates cease to appear for your hardware or software, you should consider a modern replacement.
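The second and third points above (remove accounts you don’t need, keep administrative privileges to a minimum, set passwords on every account) are easy to state and easy to let slip. The script below is an added example, not part of the article or the NCSC guidance, showing how a small business can check a Linux server against those points. It parses `/etc/passwd`- and `/etc/group`-style text and flags extra UID 0 accounts, members of administrative groups who are not on an approved list, accounts with an interactive shell that nobody needs, and accounts with an empty password field. The sample data and the two allow-lists (`NEEDED_ACCOUNTS`, `APPROVED_ADMINS`) are constructed for the example; on a real host you would read the files and supply your own lists.

```python
"""Least-privilege account audit over /etc/passwd- and /etc/group-style data.

Added example (not from the article). The sample file contents and the
allow-lists below are constructed for illustration.
"""
from dataclasses import dataclass

# Groups that grant administrative rights on typical Linux distributions.
ADMIN_GROUPS = {"root", "sudo", "wheel", "adm"}
# Shells that allow an interactive login; anything else is treated as a
# service account that cannot be used to log in.
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash", "/usr/bin/zsh"}

# Constructed sample data (NOT from a real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
temp:x:1002:1002:Contractor:/home/temp:/bin/zsh
kiosk::1003:1003:Kiosk:/home/kiosk:/usr/sbin/nologin
admin2:x:0:0:Second admin:/root:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:alice
sudo:x:27:alice,bob
users:x:100:
"""
# Assumed allow-lists: who actually needs to log in, and who may be an admin.
NEEDED_ACCOUNTS = {"alice", "bob"}
APPROVED_ADMINS = {"alice"}


@dataclass
class Account:
    name: str
    password: str  # "x" means the hash lives in /etc/shadow; "" means no password
    uid: int
    gid: int
    shell: str


def parse_passwd(text):
    """Return {name: Account} from passwd-format text, skipping malformed lines."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue
        name, password, uid, gid, _gecos, _home, shell = fields
        accounts[name] = Account(name, password, int(uid), int(gid), shell)
    return accounts


def parse_group(text):
    """Return {group name: set of supplementary members} from group-format text."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or line.startswith("#"):
            continue
        name, _password, _gid, members = fields
        groups[name] = {m for m in members.split(",") if m}
    return groups


def audit(passwd_text, group_text, needed_accounts, approved_admins):
    """Return a list of (finding, account) tuples for least-privilege violations."""
    accounts = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings = []

    # 1. Only 'root' should have UID 0; a second UID 0 account is a full admin in disguise.
    findings += [("uid0", a.name) for a in accounts.values() if a.uid == 0 and a.name != "root"]

    # 2. Anyone in an administrative group who is not on the approved list.
    admins = set().union(*(groups.get(g, set()) for g in ADMIN_GROUPS))
    findings += [("unapproved_admin", n) for n in sorted(admins - approved_admins)]

    # 3. Interactive shell on an account nobody has said they need (service accounts included).
    findings += [("unneeded_login", a.name) for a in accounts.values()
                 if a.shell in INTERACTIVE_SHELLS and a.name not in needed_accounts and a.name != "root"]

    # 4. An empty password field means the account has no password at all.
    findings += [("empty_password", a.name) for a in accounts.values() if a.password == ""]
    return findings


def run_sample_audit():
    """Run the audit over the constructed sample data."""
    return audit(SAMPLE_PASSWD, SAMPLE_GROUP, NEEDED_ACCOUNTS, APPROVED_ADMINS)


if __name__ == "__main__":
    for finding, account in run_sample_audit():
        print(f"{finding:17} {account}")
```

Against the sample data the script reports `admin2` as a second UID 0 account, `bob` as an administrator who was never approved, `backup`, `temp` and `admin2` as accounts with a login shell nobody needs, and `kiosk` as having no password. Each of those is a candidate for removal, for a move to a standard account, or for a password and two-factor authentication, exactly the housekeeping the list above calls for.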
If you want to find out more about protecting your business against other potential cyber threats, contact us!