Gregory S. Nelson, a volunteer SCORE counselor in Naples, Fla. who advises small businesses on technology issues, had his own technology issue in recent months with an online purchase after buying some additional memory for his computer.
After making the purchase, he was notified by the online retailer that it had been hacked, exposing his purchasing information.
'They did all the right things. They sent me a letter telling me when it had occurred. They hired a credit watch company to watch over my account for a year and even sent me monthly updates to let me know if there had been any suspicious activity,' Nelson says. 'You know, you get annoyed when something like this happens. But at the end of the day, they did everything possible to correct it. Would I buy from them again? Yes, I would.'
What's the moral to the story? Experiencing a data breach isn't the kiss of death for a business. It's the immediate response in the aftermath that will make or break the company.
Develop an incident response plan
'Stop it, contain it, and control it,' says Ben Rothke, a senior security consultant from the security firm BT INS, outlining the first critical steps.
Rothke offers the following advice for plugging the leak and repairing any problems it may cause with customers or employees.
Data leaks happen to all types of organizations. No business, large or small, is immune. A business owner can't assume it'll never happen to his or her company. Think 'when,' not 'if,' and draw up an incident response plan before your business suffers a leak. If it's already too late, here are some steps to follow in the event of a data breach:
A data breach is more than an IT problem. It's a company-wide crisis and needs to be handled that way. Whether in-house or outsourced, the IT professionals need to be supported in what they do and directed that fixing it is the top priority. Since it is also a communications crisis, it needs to be handled like any other crisis management issue, involving public relations specialists and possibly media spokespeople. Finance and accounting need to assess the monetary damage as well. Most importantly, those affected need to see leadership at the top step up and offer honest, public transparency about what's being done.
SIDEBAR: Other tips to get any business through a data leak
Call the cops! 'Get the ball rolling and file a police report, maybe even contact the FBI,' says Nelson. Nelson contends that's the first important step in establishing that the company is taking full responsibility for the problem with immediate action.
Lock down data where possible. Rothke recommends archiving data that is rarely accessed into a safer place. 'Data is increasingly portable. Establish some security controls to make it more difficult to move it around. Not every employee needs to have their USB ports enabled. Have them sign non-disclosure agreements and get trained in what kinds of data are especially sensitive,' says Rothke. An IT department can do a lot to secure data, but it won't help if an employee reveals too much by phone or email.
Limit access to the system. For some employees, it's best to limit the size of their e-mails. A 20-megabyte e-mail is quite large, and one filled with proprietary information can do a lot of damage if it gets out to the wrong person. Shut down the system at odd hours, such as the middle of the night or on weekends, for non-essential employees. Limit the size of outgoing e-mails according to the user's needs: while a graphics designer may need 20 megabytes for a single e-mail, chances are most employees who just shuffle text documents around all day don't need more than five megabytes.
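As an added example (not from the article or from Rothke or Nelson), here is a small Python audit that applies the guidance in this paragraph to outbound-mail log lines: a per-role size cap (the article's 20 MB for graphics staff and 5 MB for everyone else) and an off-hours check that flags non-essential staff sending mail at night or on weekends. The log format, the user directory, the role names, the business-hours window and the sample log lines are all constructed for the example and are assumptions, not anything the article specifies.

```python
"""Outbound e-mail policy audit: added example, not code from the article.

Applies two controls the article recommends, a per-role size limit on outgoing
mail and an off-hours lockout for non-essential staff, to constructed log lines.
"""
import re
from datetime import datetime, time
from typing import Dict, List

MB = 1024 * 1024

# Constructed directory mapping each sender to a role (assumption).
USER_ROLES: Dict[str, str] = {
    "alice@example.com": "graphics",
    "bob@example.com": "clerk",
    "carol@example.com": "ops",
}

# Size caps in MB. 20 MB for graphics staff and 5 MB for everyone else are the
# figures the article uses; applying them per role is this example's choice.
SIZE_LIMIT_MB: Dict[str, int] = {"graphics": 20}
DEFAULT_LIMIT_MB = 5

# Roles allowed on the system outside business hours, and the hours themselves
# (both assumptions for the example).
ESSENTIAL_ROLES = {"ops"}
WORK_START, WORK_END = time(7, 0), time(19, 0)

# Constructed log format: ISO timestamp, sender, size in bytes, recipient.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sender=(?P<sender>\S+) size=(?P<size>\d+) recipient=(?P<rcpt>\S+)$"
)


def size_limit_bytes(role: str) -> int:
    """Outbound size cap for a role, falling back to the default cap."""
    return SIZE_LIMIT_MB.get(role, DEFAULT_LIMIT_MB) * MB


def is_off_hours(ts: datetime) -> bool:
    """True on weekends or outside business hours."""
    weekend = ts.weekday() >= 5
    night = not (WORK_START <= ts.time() < WORK_END)
    return weekend or night


def check_line(line: str) -> List[str]:
    """Return the policy violations for one log line (empty list if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparsable"]
    ts = datetime.fromisoformat(m["ts"])
    role = USER_ROLES.get(m["sender"], "unknown")
    size = int(m["size"])
    violations: List[str] = []
    if size > size_limit_bytes(role):
        violations.append("size_limit")
    if is_off_hours(ts) and role not in ESSENTIAL_ROLES:
        violations.append("off_hours")
    return violations


def audit(lines: List[str]) -> Dict[str, List[str]]:
    """Map each violating line to its violations; clean lines are omitted."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        v = check_line(line)
        if v:
            findings[line] = v
    return findings


# Constructed sample log; 2009-03-13 is a Friday, 2009-03-14 a Saturday.
SAMPLE_LOG = [
    "2009-03-13T10:05:00 sender=alice@example.com size=18874368 recipient=printer@vendor.example",
    "2009-03-13T10:06:00 sender=bob@example.com size=18874368 recipient=anon@webmail.example",
    "2009-03-14T02:15:00 sender=bob@example.com size=1048576 recipient=anon@webmail.example",
    "2009-03-14T02:20:00 sender=carol@example.com size=1048576 recipient=oncall@example.com",
    "2009-03-14T02:25:00 sender=bob@example.com size=18874368 recipient=anon@webmail.example",
]

if __name__ == "__main__":
    for line, violations in audit(SAMPLE_LOG).items():
        print(", ".join(violations), "<-", line)
```

The first sample line is an 18 MB message from a graphics user during working hours and passes; the same size from a clerk trips the 5 MB cap, a 1 MB message from the clerk at 2 a.m. on a Saturday trips the off-hours rule, the on-call ops user is exempt from it, and the last line trips both rules. In production the thresholds would come from the mail gateway's own configuration rather than a dictionary, but the decision logic is the same.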