“I’ve been hacked. Now what do I do?” Unfortunately, this is a question that too many small business owners and executives will be asking in the near future. Breaches aimed at personal data, from addresses and phone numbers to credit card and Social Security numbers, are on the rise. CBS Moneywatch reported that 80 percent of U.S. businesses had been successfully hacked as of June 2015. And it is not only large companies that serve the public that are vulnerable: The New York Times reported that 60 percent of all online attacks in 2014 targeted small and mid-size businesses.
One of the first things you will have to do is communicate with the people whose information has been accessed and let them know you are doing everything you can to help protect them from identity theft. In addition to the steps you will take on their behalf, there are things they can do to help protect themselves. These include:
- Offer credit monitoring services to your customers/clients/employees for free. There are many businesses that can set you up with this service for a year or more.
- Alert the people at risk to monitor their own credit closely as well. A monitoring service will flag new activity, but it cannot tell which accounts and transactions are legitimate the way the affected person can. Everyone is entitled to a free credit report every year, which can be requested through annualcreditreport.com. Other websites and companies offering "free" credit reports may have strings attached, such as charging fees after the first report.
- Advise victims to contact their bank, credit card and investment companies right away. They should ask what those organizations can do to lock down their accounts, and what policies they have for protection from fraudulent transactions. Most banks and some credit card companies offer this as a free service, but not all do; at some institutions the customer has to ask for it to be activated, or even has to pay for it. Most major personal credit cards and debit cards offer zero liability (business cards often do not). The difference is that money spent on a debit card is just like cash, draining from the account immediately, so the victim may go to make a purchase and be declined, and it takes a few days to get the money back into the account. Savings accounts, investment accounts, equity lines and other open credit accounts may not offer zero liability, so victims need to understand each account's agreement. Also let those affected know that they do not need to sign up for a second credit monitoring service through their financial institution; one is enough.
- Provide education on security measures. All customers/clients/employees should review and possibly change the security questions on file at financial institutions, social media sites or other services with secure log-ins, especially any question whose answer the attacker could guess from the stolen information. Also alert people that they should be using two-factor authentication: in addition to a password, the person must enter a one-time code generated by an authenticator app on a smartphone or sent by text message. A code from an app is preferable to one sent by text, since text messages can be intercepted or redirected by SIM-swap fraud. This adds an extra layer of protection to email, social media and financial accounts that is important in preventing future attacks.
- If the attack was on internal information, such as personnel files or other employee-related documents, be sure to give employees time off during business hours to take care of the phone calls and research needed. Realize it might be an hour here or there, rather than something that can be accomplished all in one day. You can also provide access to technical support and a place for other employees to share what they’ve learned that is beneficial to the situation.
- Direct those affected to websites and agencies that provide further information. IdentityTheft.gov has information about the necessary steps to take and what to do in different situations. The Federal Trade Commission also provides a wealth of information, including FAQs on credit freezes.
Coming clean about an attack is something no one really wants to do. It admits vulnerability, and many business owners and executives feel it damages their reputation. But realize that most states require that victims be informed, and failure to do so can lead to legal trouble. The breach notification law that applies is not only your own state's but that of every state where an affected client or employee lives. If the breach affected more than a threshold number of residents (500 in many states), you might also have to file a notice with that state's attorney general. You might have further reporting requirements according to your industry. For example, under the HIPAA Breach Notification Rule, a health care organization whose breach affects more than 500 residents of a state must notify prominent media outlets serving that state, in addition to the affected individuals and the Department of Health and Human Services.
In addition to following the law, there are other benefits to open communication. First, communicating openly with the employees, clients and customers who were affected helps preserve their trust and loyalty in your company and its services. Second, sharing information about the attack helps the cyber security community as a whole stay ahead of attackers. Be sure to report the incident to local and federal authorities so that the information reaches the proper channels.
If you’re one of the lucky ones that hasn’t been hacked yet, consider conducting a cyber security risk assessment. This can help you prioritize spending for security measures, including insurance and contingency plans in case of a breach. To learn more about how to handle a cyber attack and how to prepare your company to be more cyber secure, call the team at Threat Sketch. Our experienced professionals can help you be prepared for whatever might come your way.
About the Author: Karen Alley is a freelance writer and editor and has worked for over 10 years writing web content and blogs for various businesses.