Recovering from a Security Breach

While the majority of your small business cybersecurity preparations will understandably focus on preventing a breach, it’s also important to spend time planning an effective response if your network or data is compromised.

A hacker can breach your systems despite your best efforts, so it’s important to plan a response before an attack occurs. Much like business continuity planning if you’re hit with a natural disaster, a cybersecurity response plan takes away a lot of the panicked guesswork and scrambling that can hinder your ability to recover your business operations quickly and easily.

If an attack occurs, you have two short-term goals: getting the business operating again and restoring normal functions as smoothly as possible.

Understand the Risk

A good early step in developing a cybersecurity breach response plan is working with your IT team, whether it’s internal or provided as a service, to think about various scenarios and how you’ll react. If, for instance, your data is locked and held for ransom, will you pay the hackers? How much? Can you recover data without paying? These are the types of options that are easier to evaluate ahead of time so you’ll know how to react if you’re compromised.

It’s also critical to plan the first steps you’ll take to help mitigate the damage of any attack. Depending on whether the attack is ongoing, this may mean disconnecting your network from the Internet to stop the bleeding. If data or a laptop is missing, you may be able to use a more cautious step of changing everyone’s passwords rather than shutting down Internet access for everyone.

A Strong Plan

Another critical step in an effective response plan is creating a team that defines roles so everyone knows what should be happening and who should be taking those steps. That will likely include your IT team or provider, your HR team or office manager, whoever handles your public relations and social media outreach, legal counsel, your insurance broker and potentially other team members.

You’ll want to work with the team to develop a checklist spelling out not only the technology-related steps that need to take place, but also how you’ll communicate during or immediately after a breach.

For instance, as you’re bringing in the IT resources to address the attack, you’ll want to notify your other team members so they’ll know what’s going on and how to respond. Similarly, you’ll want to alert suppliers and customers, as well as meet any notification requirements your state may have.

If you have cyber liability insurance, it’s also important to notify your agent, broker or carrier to begin the claims process and to enlist any support that your policy may offer.

The Recovery Phase

Another critical step in your response plan is determining how you’ll recover from an online security breach. If a cloud service account is compromised, for instance, recovery may be as simple as changing passwords.

To reduce the risk of data stored on an internal server being lost, you should be backing that data up to a cloud provider on a consistent basis – preferably daily. But beyond merely running a cloud backup, it’s important to test that backup periodically to make sure it’s running properly, and that you know how to recover data if you need to. If you have a configuration error in your backup, you clearly need to address that before any data is lost.

Once you have a response plan in place, it’s important to review and update it at least annually. Team members and providers can change over time, and you want to make sure your people, providers and contact information are current to reduce scrambling when you need that information the most.