Businesses should plan ahead for cyberattacks

Recent news stories highlight just how much harm a cyberattack can cause to a business. In 2020, MGM Resorts, Zoom and Magellan Health all fell victim to cyberattacks. While these were multi-million dollar incidents, small businesses are also big targets.

A dog rescue group, a small toy company, and a two-location magazine store fell victim to cyberattacks in recent years.

Sometimes a cyber breach occurs because of a hole in network security. A business should regularly check its firewalls and security. Other times, a security breach happens due to a compromised email. The email may appear to come from a legitimate vendor but direct the employee to use a different link. When the employee clicks on the link, malware may be installed on the business’ network. Another way hackers infiltrate a business is through phishing. The criminal tries to get an employee to reveal confidential information, such as a bank account.

Even what might be considered a small breach can place valuable financial data, customer records, employee information and manufacturing facilities at risk. A single breach resulting in the loss of personal consumer information can initiate multimillion-dollar lawsuits or even class-action lawsuits and reputational harm.

In addition, a significant attack or breach may slow a business’ operations or cause it to cease entirely because of a loss of sales, the cost of rebuilding or paying government fines may be too much.

It’s not just monetary; company employees may fall victim to blackmail or extortion as a result of an attack. And there’s the added stress and time, as well as the need for internal and external resources that will be required to investigate and mitigate the breach.

Have an incident response plan ready

So, how can businesses mitigate the fallout related to a cyberattack? By ensuring an incident response plan is in place and that all employees are educated to understand the risks. An incident response plan is a set of instructions developed to assist a business in preparing, detecting, responding and recovering from a cyber incident. Though some businesses may be unaware, standards such as PCI-DSS (Payment Card Industry Data Security Standard) demand that security policies be in place and that a company’s employees be trained to understand their roles in protecting against data breaches and cardholder data theft.

Businesses can be directed to organizations, like the National Institute of Standards and Technology (NIST), that offer guidelines in responding to a cyber breach.

An incident response plan prepares a business for the unfortunate event of a security breach. Having a plan in place will outline who does what during an incident, including the roles of each member of the incident response team. It will also provide steps on how to contain the damage, the breach, and how to restore system integrity. There will also be instructions on how to document the incident and response for later review.

An example of an incident and its handling when cybersecurity insurance is involved follows:

• The breach occurs.
• The breach is discovered.
• If applicable, the area where the breach occurred is secured and physical equipment collected as evidence.
• The incident response team is notified and initiates the incident response plan.
• Senior management is informed of the breach and provided with as much detail surrounding the breach as possible.
• The incident is reported to the business’s cyber insurer. The insurer will connect the business to an incident response broker who will instruct it on the next steps, such as determining if the breach impacts state regulations or requires that law enforcement be involved. This may also include releasing a statement to the public describing the incident, damage and steps to containment.
• The incident is resolved according to direction from the incident response broker and the business’ incident response plan.

It is also beneficial to retain a lawyer as part of the incident response team to ensure that all communications to outside agencies, including the business’ cyber insurer, are protected by attorney-client privilege. This becomes important in the event of a future lawsuit brought against a business as a result of a data breach. The communication between a business’ retained lawyer and others related to the incident will be considered privileged information and usually cannot be used in subsequent court proceedings.

It should be noted that once the cyber insurer is involved, they will control certain aspects related to the incident. Since the insurer will likely cover claims for loss and damage related to a breach, it wants to ensure that the business responds appropriately and quickly to reduce damages. As a result, a business may not have the final say about how a specific cybersecurity incident is handled.

When a cyber incident happens, it’s imperative that a business quickly responds to contain the breach and mitigate any future damage. By educating employees and instituting an incident response plan, small businesses will be better prepared in the event of network security infiltration.

Perry Carpenter is the author of Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors. He is chief evangelist and security officer for KnowBe4, the world’s largest security awareness training and simulated phishing platform.

Related:

• Can a business forgo a cyber insurance policy?
• 3 steps for driving a strong cybersecurity culture
• Phishing: Watch out for these 6 tell-tale signs
• 5 steps to recovering from a ransomware attack