Even when we take all the precautions we can, incidents can still happen. Being prepared to respond in a thoughtful and comprehensive manner will reduce risks to your business and send a positive signal to your customers and employees. Therefore, planning for a response is critical.
A data breach in which information is lost can also carry legal obligations, depending on the state(s) in which you operate and the size of the loss. In some industries, such as healthcare, you may be subject to additional laws and regulations governing data loss.
It is likely that any data breach or cyber incident will require participation from a number of your key employees, consultants or vendors including legal, public relations/communications and IT.
The good news is that preparing to respond to a cyber incident is not unlike preparing for other events that could impact your business, such as natural or man-made disasters. Building your cyber incident response can draw on that operational knowledge and experience.
You will need to be ready to:
- Resolve the problem (e.g., fix your network, restore data)
- Identify what’s been lost and who has been impacted
- Continue operations while problems are fixed
- Communicate with stakeholders (e.g., customers, employees and perhaps the general public)
- Comply with applicable laws and reporting
- Report to appropriate agencies
Resolve the Problem
In many cases, you will know that an incident has taken place before you know how it happened. You may find out that records have been lost or that your systems are no longer working. One of your first efforts will be to contain and fix the initial problem so the attack cannot continue. Where you can, preserve logs and copies of the affected systems before you rebuild them: you will need that evidence to work out what actually happened and, if you report the incident, to support an investigation.
Identify What Has Been Lost
You can’t fully evaluate what to do until you know what’s been lost and the impact of that loss. You will have broader concerns about the impact over time, but addressing immediate needs should be the first priority. For example, if cybercriminals have stolen money from a company bank account, notifying the bank, changing credentials (e.g., passwords) and reviewing the accounts for other losses may be the first order of business. Being thorough is important. It is not uncommon to think you know what’s been lost only to find later that more information has been lost and the number of people impacted is greater than first estimated.
Continue Operations
Ideally, you want to respond to a cyber incident in a way that limits the impact on your ability to keep the business up and running. That’s why planning is so important. You need to understand how you would access key information if your systems were down. Based on your business type, some of these could apply:
- Order taking
- Customer and employee communication
- Electronic or other payments
- Inventory tracking
- Dispatching employees to jobs and tracking progress
- Customer data allowing you to service their needs
- Appointment calendars
Communicate with Stakeholders
How you communicate after a cyber incident will leave a lasting impression. Do a good job, and people will remember. Do a bad job, and people will REALLY remember. How, when and what to communicate is decided on a case-by-case basis. Some companies have waited until they know everything they can, and others have chosen to begin notifying people immediately. A lot will depend on who is impacted and how it might change their interaction with your business. For example, if your online ordering is down and you need to switch to taking orders by phone, that needs to be communicated as soon as possible. Alternatively, if you want to reach current and former customers who may be impacted and give them as much information as possible about what happened and how you will be helping them, you might need a bit of time.
Decisions about communications should be made with PR/communications and legal expertise to ensure your messaging is appropriate and what you say complies with any legal requirements.
Report to Appropriate Agencies
In consultation with your legal advisors, IT and communications teams, you will want to decide whether, and to whom, you will report a cyber incident. Many businesses routinely report incidents to law enforcement for two reasons: if you were attacked, others are likely to be targeted by the same attack, and information from your incident may help protect them; and evidence from your incident could support the investigation and prosecution of the cybercriminals. Federal law enforcement, including the FBI and the Secret Service (financial crimes), along with other agencies, gathers incident reports. Use the guide below to find agency contacts and ensure you report to the appropriate agency.
- Guide to Cyber Incident Reporting: A Unified Message for Reporting to the Federal Government
- File a Complaint with Internet Crime Complaint Center (IC3)
Comply with Applicable Laws
Every state has a data breach notification law, and the details vary. Note that the law that applies is generally that of the state where the affected customer resides, not the state where your business is based, so a single breach may trigger notification obligations in several states at once.
You should discuss the requirements of the state(s) you operate in with legal counsel before a breach or incident occurs. Know your responsibilities, the time frames within which you must act, and what you may need to have in place, such as mailed notifications or credit monitoring services for customers.