A few years ago, I learned that a former client had vital information stolen from her business. This information included her customers’ data and payment information, as well as some sensitive information about her business finances and even employees. The data was posted to a file sharing site, and it didn’t take long to realize what had happened. As a result, her business’s reputation was on the line, loyal and productive employees left, and her partners questioned her ability to lead the company.
Her reaction? She feared technology. She put off decisions. She didn’t listen to her IT staff, either her internal people or the outside experts. The result? Not only was she still not secure, she wasn’t innovating. Nothing was done to improve the business either security-wise or consumer-wise. She didn’t want to do anything with IT out of fear of being compromised again, but she was actually losing her competitive advantage.
It probably doesn’t surprise anyone that within 3 months, she was removed as managing partner. About 3 months after that – the business closed its doors forever.
Unfortunately, this story is all too common. According to the U.S. Small Business Administration, up to half of businesses that suffer a major disaster, such as a data breach, close within 12 months. Some basic security measures, put in place either before or immediately after the breach, would have greatly reduced the chance of that outcome.
Let’s look at some of the things that could have been done either immediately before or immediately after the compromise.
This business was a retail establishment that relied heavily upon Information Technology (IT). When that’s the case, your information assets are a vital resource. They are what make your business prosper, bring your people together, and hold them accountable to success. That means that you need to protect that information – otherwise you lose control over your business.
A few ways to do this include:
- Determine what your sensitive information assets are – what are the “crown jewels” of your business? Customer and payment data? Proprietary product information? Employee and financial records? Write the list down; you cannot protect what you have not named.
- Limit access to sensitive information – keep it in a controlled location and grant access only to the people whose job actually requires it. Being trusted is not by itself a reason to hold access, and fewer accounts with access means fewer ways in for an attacker.
- Keep a backup – a compromise is only one kind of disaster; hardware failure and accidental deletion are others. Keep at least one copy off-site or offline so that whatever destroys the original cannot destroy the backup too, and test a restore periodically so you know the backup actually works.
- Monitor for odd behavior – watch for indicators that something is about to go wrong or already has: repeated failed logins to an administrative account, access to sensitive data from an unfamiliar location, or far more records being pulled than anyone’s job requires. There’s plenty of software that can raise these alerts, and your organization’s IT experts can help you set it up.
It’s fair to say that for as long as you use technology in your business, there’s a risk of a compromise or a disaster. Maybe it’ll be a random occurrence or maybe you’ll be targeted. The point is that you’re not immune.
In the case of my former customer, there was widespread thought that her business was immune. No thought was given to what the critical information was, what the threats were, or how to protect against them. So, when someone who had come to the website as a shopper was able to crack the administration password, nobody thought it suspicious when the website went down. No software noticed that someone was accessing her sensitive files from a computer far away from her office. And there was no alarm when hundreds of sensitive records were accessed and downloaded.
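The three missed signals in that story (a cracked admin password, sensitive files read from outside the office, hundreds of records downloaded) are each easy to spot once someone is looking. Below is an added example of what "looking" can mean in practice; it is not code from the original post or from 7 River Systems. It runs three simple rules over constructed application log lines. The `timestamp key=value ...` log format, the office network range `192.0.2.0/24`, the `/admin/export/` path prefix and the thresholds are all assumptions chosen for the example.

```python
"""Three basic detections over web-application log lines.

Added example; the log format, office network, sensitive path prefix and
thresholds below are assumptions for illustration, not real data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# --- Assumed environment for this example --------------------------------
OFFICE_NETS = [ipaddress.ip_network("192.0.2.0/24")]      # the shop's own network
SENSITIVE_PREFIXES = ("/admin/export/",)                  # where customer data lives
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)    # brute-force rule
BULK_THRESHOLD, BULK_WINDOW = 100, timedelta(minutes=15)  # bulk-download rule

# Constructed sample log (not a real capture): an outside address guesses the
# admin password, logs in, and exports the customer file; later a bookkeeper
# on the office network does a small, normal export.
SAMPLE_LOG = """\
2019-04-02T02:13:05Z ip=203.0.113.45 user=admin action=login result=fail
2019-04-02T02:13:06Z ip=203.0.113.45 user=admin action=login result=fail
2019-04-02T02:13:07Z ip=203.0.113.45 user=admin action=login result=fail
2019-04-02T02:13:08Z ip=203.0.113.45 user=admin action=login result=fail
2019-04-02T02:13:09Z ip=203.0.113.45 user=admin action=login result=fail
2019-04-02T02:13:11Z ip=203.0.113.45 user=admin action=login result=ok
2019-04-02T02:14:30Z ip=203.0.113.45 user=admin action=download path=/admin/export/customers.csv records=850
2019-04-02T09:01:00Z ip=192.0.2.17 user=bookkeeper action=login result=ok
2019-04-02T09:02:10Z ip=192.0.2.17 user=bookkeeper action=download path=/admin/export/payroll.csv records=12
"""


def parse_line(line):
    """Parse 'TIMESTAMP key=value key=value ...' into a dict."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def is_external(ip):
    """True when the address is not inside any of the office networks."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in OFFICE_NETS)


def _trim(window, now, span):
    """Drop entries older than `span` from a deque of (timestamp, value)."""
    while window and now - window[0][0] > span:
        window.popleft()


def detect(lines):
    """Return a list of (rule, ip, user, detail) alerts in log order."""
    alerts = []
    failures = defaultdict(deque)   # ip   -> deque of (ts, 1) for failed logins
    reads = defaultdict(deque)      # user -> deque of (ts, records) for exports
    seen_external = set()           # (ip, user) pairs already reported
    for line in filter(None, map(str.strip, lines)):
        e = parse_line(line)
        ts, ip, user, action = e["ts"], e["ip"], e.get("user", "-"), e["action"]

        # Rule 1: many failed logins from one address, then a success.
        if action == "login":
            q = failures[ip]
            _trim(q, ts, FAIL_WINDOW)
            if e["result"] == "fail":
                q.append((ts, 1))
                if len(q) == FAIL_THRESHOLD:          # alert once when the bar is hit
                    alerts.append(("brute_force", ip, user, f"{len(q)} failures"))
            elif len(q) >= FAIL_THRESHOLD:            # success right after a burst
                alerts.append(("login_after_failures", ip, user, "password likely guessed"))
            continue

        path = e.get("path", "")
        if not path.startswith(SENSITIVE_PREFIXES):
            continue

        # Rule 2: sensitive data touched from outside the office network.
        if is_external(ip) and (ip, user) not in seen_external:
            seen_external.add((ip, user))
            alerts.append(("sensitive_access_external", ip, user, path))

        # Rule 3: too many records pulled by one user in a short window.
        q = reads[user]
        q.append((ts, int(e.get("records", 1))))
        _trim(q, ts, BULK_WINDOW)
        total = sum(n for _, n in q)
        if total >= BULK_THRESHOLD:
            alerts.append(("bulk_download", ip, user, f"{total} records"))
            q.clear()                                 # report once per burst
    return alerts


def run_sample():
    """Run the three rules over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample log this raises four alerts, all against the outside address: the fifth failed login, the success that follows it, the first touch of a sensitive file from outside the office, and an 850-record export. The bookkeeper's 12-record export from the office network raises nothing. The point is not the rules themselves, which any log-monitoring product can express, but that each of the three events in the story is visible in ordinary logs if anyone, or anything, is reading them.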
Ideally, you’ll be aware of attempts to circumvent security long before anything actually happens. However, data breaches can happen, and the important first step to dealing with them is to take action. Not doing something immediately will result in severe consequences for your organization.
Some basic first steps include:
- Find the hole and plug it – you need to figure out how someone was able to gain access to your data, and immediately take action to make sure that no more data can be stolen. That includes changing any password or account the attacker used (in the story above, the administration password) and keeping a copy of the relevant logs before anything is wiped or rebuilt, so you can still work out what was taken.
- Notify your customers or stakeholders of the compromise – it might be ugly, but you need to tell others if their information was stolen so that they can take the proper action. For example, if credit card information was stolen, your customers need the opportunity to contact their bank and cancel the card. Many jurisdictions also set deadlines for this notification, so find out early what applies to you.
- Rebuild trust – it makes sense that your reputation will probably be damaged after a compromise. You’ll need to think about how to restore the positive reputation you previously had. How exactly you do that depends on your specific business, but it must be done.
- If applicable, involve the authorities – depending on the severity of your compromise, it might make sense to involve the applicable authorities, such as law enforcement, and, where payment card data is involved, the bank or payment processor that handles your cards.
What is the right balance?
Look, we know that investing in security costs money. The key is to determine the right amount of money to spend. Would a bank-grade vault and alarm system protect your home better than a normal home security system? Probably, but it doesn’t make financial sense when the system costs far more than everything a burglar could carry out of the house. The same applies to your business: weigh the cost of a safeguard against how likely the loss is and how much it would cost you, and spend where that comparison says you should. The idea is to strike the right balance.
If you need someone to help you think through the threats, risks and costs, 7 River Systems can help. We’ll work with you to identify your most critical information and help you take the right steps to protect it. We’ll also make sure that the resources you invest in security are appropriate to your business. Visit our Contact page to get in touch with us.