65,000 is a key number to SMEs. Not only does it represent the amount of UK small businesses which face cyber attacks every year, but data suggests £65,000 is also the average cost of each cyber attack to them.
The likes of Marriott, Facebook and Norsk Hydro have dominated the headlines after suffering attacks this year, but regular breaches on small businesses barely get reported. Yet recent research found that small businesses in the UK suffer an average of five cyber attacks a year, and their livelihoods, profits, reputation and employee wages rely on keeping their data secure and out of the wrong hands.
SMEs make up 99.9% of the private sector in the UK. With the larger companies in the spotlight and lack of awareness, it can be easy for SMEs to think that they aren’t big enough to be targeted, as hackers often go to where the big money is. This mindset is incredibly dangerous and naive. Hackers are using more and more sophisticated techniques to take advantage of smaller company vulnerabilities, as they are less likely to have stringent measures in place and just essential basic protection.
- Cyberattacks costing businesses millions each year
- Only half of businesses think they can defend themselves against cyberattacks
- Ransomware is the most significant cyber threat to SMBs
What steps do you need to take if you fall victim to one in the worst case scenario?
Before damage control happens, make sure that the hack does not cause more harm. Whether it is a data breach of sensitive information, a ransomware or a phishing attack, immediately lock down all accounts and issue a company-wide notice to change passwords on both personal and business accounts. If possible, consider deactivating your social media accounts, and hold back from updating your password manager until you have found out more - if the hacker is internal and has access you could be undoing all of your previous work.
Update the incident response team and bring them into the conversation on what to do next. Hire a specialist data protection professional to establish what has been taken if it’s not immediately clear. Include your legal officer, the directors of the company, and the press team, who will need to coordinate a strong message to those affected in accordance with laws and regulations.
Don’t make any further decisions until you have told the police. If you delay responding and acting on it for too long, you can easily make the incident and data loss worse, but if you make hasty decisions without thinking you can also cause further damage to the business.
It’s a serious offence to steal data, arguably the equivalent to robbing a bank. You’re damaging the crime scene if you start paying ransoms and trying to communicate with the hacker before telling the police and waiting for advice. Don’t delay doing this, and make sure all data is available to them.
The incident must be investigated and analysed by professionals before you take matters into your own hands. You should also make sure that you keep regular logs of CCTV footage in case the security breach started internally.
Inform your customers
This part is vital, because they are the bread and butter of your business and need to be kept fully in the loop. Breaches of customer data can cause alarm and trigger a chain reaction of crisis communications for days to come, but if you keep it secret, as Google did when Google+ exposed users personal details, it can cause huge repercussions and loss of trust when found out.
Prepare a statement that outlines what you know. If you do not know the current amount of data that has been lost, make sure that your customers know of as many details as possible, so that they can inform their banks and monitor unusual activity.
Damage control support
Investigating all of the facts surrounding the breach and the damage the digital infraction may have cost your business is difficult and time consuming, especially when you couple this with finding out exactly what data was lost and how to recuperate it. Hackers can do a brilliant job at covering their tracks so your reaction is delayed, strengthening their chances of long-term gain.
Organisations will often need to decide who will take the lead on the investigation, and make sure that any legal documents be submitted for further lines of enquiry. For smaller businesses, carrying out all of the above while trying to continue with business, as usual, is a challenging task, especially while maintaining communications with customers and employees.
Loss assessors can be a real boon to businesses when they are in this situation. If necessary, they can bring in specialist consultants such as forensic IT investigators, to fully ensure that they know the status of the data lost, how the breach has affected your business and the long-term ramifications such as company reputation management and how to recuperate the data. Often, the cost of the specialist consultant is also covered under the terms of the cyber policy too, which means they get the benefit of added expertise with no further cost.
When claiming through your insurers, it can be difficult to prove that the breach happened, as some of them leave very few traces. From hacking, viruses, malware and ‘denial of service’ issues, loss assessors can help to make sure that your claim is as strong as possible. Some companies also offer computer evidence recovery services which can help you with the complicated issue of evidence and help the authorities.
Review your cyber policy
Cyber losses are complex. Insurers are experts on property theft, but there is still a cloud of uncertainty over non-physical threats, which are the top threat to businesses. Business continuity is crucial to businesses, and if you lose money, you need to be able to claim that back, but there are still grey areas in the policies and waiting times for compensation can vary.
Almost every policy from different insurers to various business sectors is different, because there are so many different types of cyber loss. If you work in California you can insure yourself against the risk of wildfires, but cyber risks are not physical and can impact the global impact of the organisation, and also the companies reputation, especially if it handles sensitive data, which many do.
Unfortunately, many businesses are not fully covered. You need to use a fine tooth comb to go through your insurance and ensure that you pay very close attention to the wording of your policy, in case your claim could be invalidated by something that can be easily overlooked or scanned through.
Strengthen your defences
Once you have got through the attack and recuperated data and any losses, take stock of what you have learnt. While you are going through the process, log actions, which can later be implemented into an incident response plan.
Prevention is better than a cure, and you can acknowledge your company weaknesses which this has shown in your current processes and amend them appropriately. Perhaps you need to improve employee awareness, or install better security software. Use it as a learning curve, and follow these steps to minimise any further disruption, and ultimately lower than 65,000 number for good.
Alex Balcombe, Partner at Harris Balcombe
- Keep your systems protected with the best antivirus