With one click on an innocent-looking email link, your entire company could be exposed. Small businesses, which are often unprepared and easier to breach, are increasingly targeted by cyberattacks. If you are a victim of hacking, it’s easy to feel vulnerable and overwhelmed about what to do next. You’ll have to act quickly to clean up the damage, but not all is lost.
When, How, and Who to Notify
You will soon be legally required to inform, as soon as possible, clients or customers whose information could have been breached. If you are unsure of the legal recourse or what legal steps you have to take, call your lawyer and have them advise you. Even if you don’t have all of the answers, you should send out written communication that tells customers when the attack occurred and what type of information could have been involved, such as credit card numbers and other personal information. Be humble and apologetic. Give them contact information so they can ask questions, let them know that their security is your primary concern, and tell them you are working on a quick resolution and will be in touch with next steps. You could even use a prewritten template.
Immediate Security Measures
First, you need to find out how the hackers accessed your information and what information they could have. You can hire a security consultant (which can be a little expensive), but you could first try contacting your internet and website hosting providers to see if they can help. Notify the Canadian credit and identity reporting agencies Equifax (1-866-779-6440) and TransUnion (1-877-525-3823) about the breach. They can tell you what you need to do about the breach for your own accounts and how to help your customers and clients. The agencies provide a compromise number that you can supply to your customers and clients, who should use it when communicating with the agencies. In some situations, your customers and clients should contact the agencies to set up alerts on their own accounts. It might be wise to inform the government and police about the attack in case there are related attacks at other small businesses in your province.
Incident Response Plan
Once you have the initial measures taken care of, you should draft an incident response plan that addresses remaining concerns and sets out how you will protect your customers in the future. This could include a trust and transparency plan for gaining back your customers’ and clients’ trust after the breach, working with a security consulting business to identify and correct weaknesses within your system, getting security insurance for your business, and implementing security training for your staff. Make sure you write a security plan and revisit it yearly. Keep customers updated on the steps you are taking and plan to take in the future. Rebuilding might be a slow process, but being transparent and protecting yourself are the best ways to move toward a secure future.