One of the big dangers to any small business is the threat of a data breach. Not only is a breach costly in immediate remediation, but those costs can follow a company for years afterwards, and some small businesses never recover from one. According to IBM Security’s Cost of a Data Breach Report, the average cost of a data breach to a company is $3.9 million. Those costs, which include remediation, increased data security, and lost business due to lost customer trust, are spread out over years:
- 67% of data breach costs occur in the first year
- 22% of data breach costs occur in the second year
- 11% of data breach costs occur after the second year
Managed IT security is one way many small businesses avoid a costly data breach, but some companies try to handle their data security on their own, which can leave them vulnerable. The same IBM report puts the average cost of each record compromised in a data breach at $150. Preventing a breach through good IT security practices is what every small business strives for, but what happens if you discover a breach has already happened? What then? The good news is that proper preparation and a fast response can reduce those average costs and limit the overall impact on your business.
What Should I Do If My Company Has Had a Data Breach?
Every minute counts when you’re responding to a breach of your network, so being prepared is key. According to the IBM report, companies that are prepared in advance by forming an incident response team can reduce the cost of a data breach by an average of $360,000. While no one wants to be the company mentioned in the news as the latest data breach victim, how you handle the breach can keep customers from jumping ship and reduce your losses. Here are the key steps to take when you discover a data breach at your business.
Secure Your Technology Infrastructure
Unfortunately, most breaches aren’t discovered until months after they occur, but it is still important to secure your devices, applications, and networks as soon as you learn you’ve had a breach. You need to secure all company information, whether in the cloud or on premises, while preserving the evidence investigators will need. That can include steps such as:
- Resetting all passwords to company applications and revoking active sessions, API keys, and tokens, once the attacker’s way in has been closed (otherwise the new credentials can simply be harvested again)
- Fortifying login security through multi-factor authentication
- Isolating (or relocating) databases that contain sensitive information away from the compromised systems
- Securing your company website and web server
- Scanning all computers, mobile devices, and servers for malware
- Putting tools in place to monitor all entry and exit points to your network
- If malware on a specific computer was responsible, disconnecting that device from the network and keeping it intact for forensic examination rather than wiping it immediately
Identify and Fix the Vulnerability
It may take some IT forensics work to track down the exact vulnerability that allowed the breach. We work with so many interconnected systems these days that it could be anything from a phishing email attachment to an insecure website plugin. Some of the common causes of data breaches are:
- Weak or stolen passwords
- Application vulnerabilities
- Unpatched operating systems and software
- Malware and viruses
- Human error
- Malicious insiders
It’s good to get the help of a trusted IT expert to find the exact cause of the data breach, which is vital for fixing the vulnerability so it can’t happen again. An equally important part of this step is identifying exactly what information was breached (customer addresses, credit card numbers, etc.) and exactly which individuals or companies may have had their information compromised, because that determines who you must notify.
Make Appropriate Data Breach Notifications
Singapore’s Personal Data Protection Act requires businesses to make timely notifications to parties whose personal information has been exposed. In the past this was more of a recommendation, but the Personal Data Protection Commission (PDPC) has proposed making breach notification mandatory. Its guidance is built around what it calls “The 5 points of notification”, which spell out who you need to notify and when:
How long do you have to carry out the data breach assessment?
- Within 30 days of first becoming aware of the breach
When do organisations need to notify the PDPC and the affected individuals?
- If the breach is likely to result in “significant harm or impact” to the affected individuals
- If the breach involves the data of 500 or more individuals
Who do organisations need to notify?
- The PDPC
- Affected individuals, or their parents or guardians
How soon should you notify the PDPC of a data breach?
- As soon as practicable, and no later than 72 hours after you have assessed that the breach is notifiable
How soon should you notify the affected individuals?
- As soon as practicable
Beyond avoiding fines for non-compliance, reporting a data breach promptly, together with the steps your company has taken to reduce the risk and protect personal data going forward, helps preserve customer trust in the wake of the breach.
Update Your Data Breach Response Plan
Going through a data breach will inform your data breach response policies in the future. Was there an area you found wasn’t fully addressed in your policy manual? Were some instructions in the policy outdated? Incorporate any updates into your data breach response plan as soon as possible after the incident, while the details are still fresh in everyone’s mind.
Protect Your Small Business from a Damaging Data Breach
Data breaches can be particularly devastating to small businesses. The best prevention is proactive managed IT security that keeps a watchful eye on your technology infrastructure 24/7. Contact Managed IT Asia today for a security assessment and get help protecting your business data. Call us at +65 6748 8776 or request help online.
At MANAGED IT ASIA, we are an IT Support, IT Solutioning and Managed IT Service Provider specializing in serving Small Businesses across Asia. Call us at +65 6748 8776 and let us manage your Small Business IT today!