Has Your Business Data Been Breached? Here's What to Do
A data breach is something every business hopes to avoid. But what happens if one occurs? Small businesses are often less prepared to manage such an incident, or unsure how to deal with it. As a small business owner, it's vital that you have a plan in place. If you don't, and you are facing a cyber security incident right now, read the steps below and contact us if you need immediate advice.
Dealing With Data Breaches & Unauthorised Access - For Australian Small Business Owners
If you have just become aware that data has been leaked or accessed, we've put together some easy-to-follow steps to manage the response. Please note that every situation may have unique factors not addressed in this article, so it's important to seek your own advice to ensure you meet any specific legal requirements.
Here Is What To Do If Your Business Has A Data Breach
Step #1: Contain the Situation
If your IT team, service provider, client or employee brings a data leak or breach to your attention, you first need to work out how the data is being accessed or leaked - and stop it as quickly as possible.
It may be a one-off - for instance, a stolen laptop with an encrypted disk that can be wiped remotely. If a third party has accessed core databases and the access method is still being investigated, it can take substantial time to resolve. Either way, it's vital to act rapidly to stop further data being accessed.
Here are some things you can do if you are faced with a possible data breach:
- Isolate every device that may be affected from the network and the internet (but don't power it off or wipe it yet - it may hold evidence investigators will need)
- Run scans on all devices and hardware
- Perform clean-ups as necessary, once any evidence has been preserved
- Check that your backups have not been affected and that you have a clean copy from before the breach
- Check all user access - remove access from any user who isn't a trusted party, and don't forget service accounts, API keys and SSH keys
- Change the passwords on all existing accounts, starting with administrator accounts, and sign out all active sessions - a password change alone doesn't log out an attacker who is already logged in
- Ensure all security software is working and up to date
- Take any other necessary immediate security measures to protect your business and your data.
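As an added example (not from the original article, and no substitute for advice specific to your own systems), here is how a technician would carry out the "check all user access" step on a Linux server from a POSIX shell. Each function takes a file or directory path, so it can be pointed at the real /etc/passwd, /etc/group and /home, or, as the demo at the bottom does, at constructed sample files. The account names, group membership and keys in the sample are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the article: first-pass access audit of a Linux host
# during containment. Every function takes a file or directory path, so it can
# be run against the live system (/etc/passwd, /etc/group, /home) or against
# the constructed sample files created in the demo below.

# Accounts that can log in interactively, plus any non-root account with UID 0
# (a classic backdoor). Prints "name reason", one line per account to review.
list_login_accounts() {
    awk -F: '
        $3 == 0 && $1 != "root"              { print $1 " uid0"; next }
        $7 != "" && $7 !~ /(nologin|false)$/ { print $1 " shell=" $7 }
    ' "$1"
}

# Members of the usual administrative groups. Prints "group member".
list_admin_members() {
    awk -F: '
        ($1 == "sudo" || $1 == "wheel" || $1 == "adm") && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) print $1 " " m[i]
        }
    ' "$1"
}

# SSH public keys under a home tree. A key keeps working after a password
# reset, so each line must be recognised or deleted. Prints "file type comment"
# ("-" when the key has no comment; option-prefixed lines show the option as type).
list_authorized_keys() {
    find "$1" -path '*/.ssh/authorized_keys' -type f 2>/dev/null | sort |
    while read -r f; do
        grep -Ev '^[[:space:]]*(#|$)' "$f" |
        awk -v f="$f" '{ c = (NF >= 3) ? $NF : "-"; print f " " $1 " " c }'
    done
}

# --- Constructed sample data (made-up names and keys) so this runs offline. ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:1001:1001::/var/backups:/bin/false
helpdesk:x:0:0::/home/helpdesk:/bin/sh
EOF
cat > "$demo_dir/group" <<'EOF'
sudo:x:27:alice,helpdesk
users:x:100:
EOF
mkdir -p "$demo_dir/home/alice/.ssh" "$demo_dir/home/helpdesk/.ssh"
cat > "$demo_dir/home/alice/.ssh/authorized_keys" <<'EOF'
# laptop key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne alice@laptop
EOF
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExampleKeyTwo' \
    > "$demo_dir/home/helpdesk/.ssh/authorized_keys"

echo "== login-capable accounts (review each; lock unknown ones with passwd -l) =="
list_login_accounts "$demo_dir/passwd"
echo "== administrative group members =="
list_admin_members "$demo_dir/group"
echo "== SSH keys (remove any you cannot account for) =="
list_authorized_keys "$demo_dir/home"
```

On the sample data the script flags "helpdesk" twice: it has UID 0 despite not being root, and it is in the sudo group, and its SSH key has no comment saying who added it. Those are exactly the kinds of findings that decide which accounts to lock and which keys to delete. The same three questions apply on any platform: who can log in, who is an administrator, and what besides a password (SSH keys, API tokens, saved sessions) still grants access. On Windows desktops the equivalents are Get-LocalUser and the members of the local Administrators group; for Microsoft 365 or Google Workspace it is the admin console's user list and sign-in logs.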
If you are unsure what needs to be done, it’s best to speak to someone who specialises in this area as soon as possible. Taking the right steps early on can save a lot of time and effort later on, and prevent a situation from escalating.
The Australian Cyber Security Centre has put together a comprehensive guide of what you can do if you have been hacked or affected by a cyber security incident. We also invite you to get in touch if you need immediate advice or assistance in responding to or resolving a data breach or unauthorised attempt to access your system.
Step #2: Collate Information
Put together a list of:
- What happened
- Actions taken, being taken and required
- Who is affected
- Next steps
Step #3: Communicate as per your cyber incident response policy
After you have received the correct legal and technology advice, you may need to start contacting affected individuals, stakeholders, staff members, customers and suppliers. It’s likely that at this stage, you still won’t clearly understand what has transpired.
Early communication can prevent affected individuals from becoming victims of identity theft, fraudulent activity or credit applications made in their name. The sooner they know, the more opportunity they have to report their ID as stolen, monitor their credit reports and make sure their bank accounts and cards are safe.
Notifying individuals can be done by phone or email. It's important to take reasonable steps to inform anyone who may be involved if you are legally obligated to do so.
Step #4: Report
Depending on your industry, you may need to report the incident. If individuals have suffered, or are likely to suffer, serious harm, fraud or identity theft as a result of the breach, report it to the relevant law enforcement agency.
Various legislation covers the handling of personal information in Australia, including the Privacy Act 1988 and specific rules for sectors that routinely handle sensitive information.
You can report a cyber incident to the ACSC (Australian Cyber Security Centre) through its ReportCyber service.
If the breach is an eligible data breach under the OAIC's (Office of the Australian Information Commissioner's) Notifiable Data Breaches scheme, you must notify not only those affected but also the Office of the Australian Information Commissioner.
This reporting is mandatory for any business covered by the Privacy Act 1988, and the scheme has applied since February 2018. The Act generally covers organisations with an annual turnover of more than $3 million, but some smaller businesses are covered as well (for example, private health service providers and businesses that trade in personal information), so please seek advice or further guidance to confirm whether it applies to you.
Act as soon as possible. If you only suspect an eligible data breach, the scheme gives you up to 30 days to assess whether it is one; once you believe it is, notify the OAIC and the affected individuals as soon as practicable.
What Else Do I Need After A Small Business Data Breach Occurs?
Small business owners often feel at a loss about what to do after a data breach. It can leave you with extra work despite an already busy schedule. It may have caused serious harm to your reputation with customers, stakeholders or other affected individuals, which can take a lot of energy to manage.
Here are some extra steps to avoid further issues and mitigate potential harm caused by a data breach.
Step #5: Enlist additional help
By now, you've likely been in touch with your IT team or technology service provider, clients, stakeholders and anyone else you've needed to report to. If you haven't already, it may also be necessary to speak to a lawyer well-versed in cyber incidents affecting small businesses or a PR specialist to help you address any fall-out the data breach has caused.
Step #6: Review
Containing the breach will have given you valuable insights into any gaps in your security software, your cyber plan and the general management of your cyber security procedures. Initial remedial action has taken place, or is underway.
Now is the perfect time to review the situation and make any necessary changes or adjustments to help better prevent future data breaches or cyber attacks and better respond if an incident arises.
Step #7: Reach out to third parties if necessary
When you are aware of how your data breach has affected others, or is affecting others, it may be necessary to get in touch with affected individuals - whether it’s stakeholders, customers, suppliers or others whose information is involved.
How you go about this will be best guided by any legal and technology advice you have received, as well as your organisation’s internal communication policies around cyber security incidents. Developing a communication plan in conjunction with a PR specialist can also be a helpful way to approach the situation.
Customers or other parties who have their personal information involved in a data breach can sometimes feel angry or disappointed by the company they entrusted their information to, even if there wasn’t anything more that could be done to protect it.
A cyber attack is no different from a physical break-in at your premises: it can still happen with even the best security measures in place. Demonstrating that you have taken the necessary precautions can help reassure third parties that your business does take the protection of personal information seriously.
Step #8: Recalibrate
The stress of dealing with a cyber incident can have many ramifications and leave business owners feeling vulnerable, angry or exhausted. Most small businesses don't have the resources or knowledge to handle everything themselves, and significant costs may have been incurred to address the incident.
If company data that could be used by competitors has gone missing, or a staff member has accidentally or maliciously accessed data, knowing how to respond can be even more challenging. If the leak has caused further issues, such as identity theft or financial fraud, many small business owners feel a sense of guilt or distress, even if they have done everything in their power to prevent access to business data.
It's important to ensure that after you have responded, you wholly assess your security plan and response plan. It's also important that, as a business owner, you take some time to recalibrate after a significant incident.
Triple Check Your Data Breach Response Plan
Whenever a business experiences a threat or a risk, information gained can be used to mitigate future risk levels. In this case, it's ensuring you have the proper security measures, excellent IT and cyber security support and a master plan if a cyber attack occurs.
You should already have a data breach response strategy in place, but now is a great time to thoroughly review it and see if you can streamline your system further and make it more efficient. For example, you can check how much data you actually need to have on file. Contact details? Banking details? ID?
One of the simplest methods of preventing access to data is holding less of it. If you must have access to this data, ensure you have done everything in your power to protect your customers and your business.
Review each aspect of your Data Breach Response Plan thoroughly, and determine if there are any further ways you can protect your business from cyber risk. This will give you peace of mind, even if you don't experience further issues.
How To Prevent Future Data Breaches
Hopefully, this is the first and last time you experience a breach. Unfortunately, cyber incidents are increasingly common, and many businesses have experienced multiple access attempts.
Preventing future breaches isn't foolproof - it's about following best practice guidelines and good advice and ensuring you have the right security measures to keep your system as safe as possible.
Continue to address weaknesses and restrict access to any susceptible data. Educate your staff - it's one of the best security controls you can put in place to prevent unauthorised access.
If you have been the target of a cyber incident and need immediate technology or cyber security support, please contact our team here.
We will ensure you have a clear idea of what you need to do if your business has had a data breach or experienced a cyber attack.
You can also download our 'Ultimate Guide to Cyber Security for Small Business Owners'. You'll get a free 10-point actionable checklist to implement to help you start protecting your business today.
Disclaimer: This is general information only. Please contact us for further guidance or seek independent legal advice that considers your unique personal situation before making any decisions based on the information in this communication.