The U.S. National Cyber Security Alliance found that 60% of small businesses closed their doors within six months of an attack. That’s a shocking statistic, but it makes sense. Huge enterprises like Equifax, Capital One, and Yahoo! have the resources to weather the storm. Small and midsize businesses (SMBs) often do not.
The major reason is likely the sheer cost of dealing with the situation: the Ponemon Institute has found that small businesses end up paying an average of $690,000 in the aftermath of a data breach or cyber-attack, and midsize companies end up paying over $1 million. Many SMBs lack the capital to accommodate such an expense, especially if the reputational damage leads to fewer customers. There is also the risk of reduced productivity as employees deal with the crisis rather than their normal work.
And unfortunately, such attacks on businesses are increasing dramatically. CSO Online reports that “cyber incidents targeting businesses nearly doubled” from 2016 to 2017. Worse, according to the Bank of America Spring 2019 Small Business Owner Report, small businesses lag in preparing for cyberattacks: 20% have taken no steps to secure their data, and only a quarter have implemented any kind of third-party security management program. That lack of preparation raises the likelihood of a damaging incident still further.
So, how should small businesses respond to a cyber-attack or data breach in order to maximize their chances of surviving the event?
First, stop the attack and assess damage.
Before anything else, businesses need to confirm that the attacker’s access has actually been cut off and that the attack is over, not merely that the visible symptoms have stopped. The Federal Trade Commission recommends taking all affected equipment off-line immediately so the attacker can no longer reach it, while IT staff fix the vulnerabilities that were exploited. The FTC also cautions against powering those machines off before forensic experts have examined them: disconnecting preserves evidence of what happened, while shutting down destroys it. With the affected systems isolated, work out the scope of the damage: which systems were touched, what data was accessed or taken, and when the intrusion began, since the notification obligations in the third step depend on those answers.
Second, take a deep breath and don’t panic.
“The first thing you should not do after a breach is create your response on the fly,” says Mark Nunnikhoven, Vice President of Cloud Research at cyber security solution provider Trend Micro. He recommends preparing an incident response plan in advance of any problems; such a document can keep everyone focused, effective, and cool-headed in the aftermath.
Third, notify the appropriate parties.
Good communication is a make-or-break issue after a data breach. The law will guide you here; many federal, state, and local laws lay out disclosure requirements, including who must be told (affected individuals, regulators, and in some cases other parties) and how quickly, so keep a record of whom you notified and when. Remember, much of the reputational impact comes from poorly handled communications. If necessary, hire a communications firm that specializes in crisis PR. Additionally: “Don’t ignore your own employees,” adds Heidi Shey, Senior Analyst of Security & Risk at Forrester Research. “You need to communicate with your employees about the event and provide guidance for your employees about what to do or say if they are asked about the breach.”
CoAdvantage, one of the nation’s largest Professional Employer Organizations (PEOs), helps small to mid-sized companies with HR administration, benefits, payroll, and compliance. To learn more about our ability to create a strategic HR function in your business that drives business growth potential, contact us today.