Protecting Your Small Business from a Security Breach, Part 1: Update Policies and Procedures

Written by: USB Security Team

As a small business owner, it is becoming increasingly important to stay up to date on what is happening in the cyber security world. Lately, cyberattacks on businesses have been occurring more and more often and are making the news because of it. Hackers can steal sensitive data from your business and your customers, so small business security means you need to be protected and prepared. Union Savings Bank wants to help.

While any business is susceptible to security breaches, small business cyberattacks can be especially appealing to hackers. At the end of the day, hackers want to get the greatest return on investment possible, so businesses with weaker security that require less time and money to hack into tend to catch their eye. For many small businesses, resources such as on-staff cybersecurity experts and robust security software do not fit into the budget, leaving these establishments more vulnerable to attack.

Protecting your small business from security breaches is an ongoing process, but it doesn’t have to be overwhelming. You can start protecting your small business right now by making adjustments to your everyday habits and training new employees from day one. In the first installment of our three-part blog series, we will discuss how implementing the right policies and procedures can not only help your business recover from a breach, but also prevent attacks in the future.

How Do I Know If My Business Has Been Breached?

Even with the most robust security measures, a security breach or cyberattack can still happen to any business. Unfortunately, most small businesses learn they have been hacked only after their customers start complaining of unauthorized charges on cards they recently used at the breached business. Detecting a breach as early as possible is paramount to protecting both your business and your customers. The three most common entry points through which a hacker can gain access to your business are skimmers, your business's network, and compromised business emails or email addresses.

Skimmers are sophisticated devices that hackers attach to credit card readers, ATMs, gas pumps and similar machines. They mirror the exact layout of the machine so they go unnoticed, and they read and store credit and debit card information as cards are swiped. Some customers have even pulled a skimming device off the front of a machine themselves.

When a network is hacked, the primary point of access tends to be human beings. Hackers use a technique called social engineering. Think of your business like a castle. Instead of banging on the front gates, hackers try to slip in through the side door by setting up a targeted, person-to-person interaction with an employee that is designed to win that employee's trust.

The end goal is to get the employee to divulge sensitive information and compromise business security. To reach that goal, hackers will do things such as study employees’ social media or create email addresses that are very similar to company email addresses to look like they are part of the organization and therefore trustworthy.

The hackers gather knowledge about what is going on within the company and wait to catch an employee off guard so they can use that person to sneak into the system. They may send emails carrying attachments or links to an external site that install malware on the employee's computer, allowing the attacker to run commands on that computer remotely. This is how a large security firm was breached in 2011.

In the case of a network breach, it is not uncommon for the government to notify small businesses of the breach. Sometimes the business’s network has been breached as part of a larger breach or a series of cyberattacks the government is investigating.

This does not mean that business owners are left to passively wait until the government lets them know they have been hacked. As a business owner, there are ways you can spot network and data security breaches yourself. Look for unusual activity on your network, especially during non-business hours. Hackers do their best not to raise red flags, avoiding anything that would look out of place during the working day, which makes after-hours activity a telling signal. You can monitor network activity by regularly checking your firewall logs. Even a simple router's status page will show traffic patterns.
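As an added illustration (not code from the original post), here is a small Python script that applies the off-hours check described above to a few constructed firewall log lines: it records which destinations are normal during the working day, then flags after-hours entries that are unusually large, go somewhere never seen during business hours, or were blocked by the firewall. The log format, the business-hours window and the byte threshold are assumptions, since real firewall log formats vary by vendor.

```python
from datetime import datetime

# Constructed sample firewall log lines in a hypothetical format
# (timestamp, action, source -> destination, bytes); not from any real device.
SAMPLE_LOG = """\
2018-03-05 10:15:02 ALLOW 192.168.1.20 -> 203.0.113.10 bytes=4200
2018-03-05 14:40:11 ALLOW 192.168.1.21 -> 203.0.113.10 bytes=3900
2018-03-05 23:55:40 ALLOW 192.168.1.20 -> 198.51.100.77 bytes=58000000
2018-03-06 02:10:05 ALLOW 192.168.1.20 -> 198.51.100.77 bytes=61000000
2018-03-06 03:05:09 DENY  192.168.1.22 -> 198.51.100.77 bytes=0
2018-03-06 09:30:00 ALLOW 192.168.1.23 -> 203.0.113.10 bytes=5100
"""

BUSINESS_HOURS = range(8, 18)        # assumed working day: 08:00 to 17:59 local time
OFF_HOURS_BYTES_ALERT = 10_000_000   # assumed threshold: 10 MB in one after-hours entry

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match the format."""
    parts = line.split()
    if len(parts) != 7 or parts[4] != "->" or not parts[6].startswith("bytes="):
        return None
    return {
        "ts": datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S"),
        "action": parts[2],
        "src": parts[3],
        "dst": parts[5],
        "bytes": int(parts[6].split("=", 1)[1]),
    }

def find_off_hours_activity(log_text):
    """Return a list of (timestamp, src, dst, reasons) for suspicious after-hours entries."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    # Destinations seen during business hours form the "normal" baseline.
    business_dsts = {e["dst"] for e in entries if e["ts"].hour in BUSINESS_HOURS}
    alerts = []
    for e in entries:
        if e["ts"].hour in BUSINESS_HOURS:
            continue
        reasons = []
        if e["bytes"] >= OFF_HOURS_BYTES_ALERT:
            reasons.append("large off-hours transfer")
        if e["dst"] not in business_dsts:
            reasons.append("destination never seen during business hours")
        if e["action"] == "DENY":
            reasons.append("blocked off-hours attempt")
        if reasons:
            alerts.append((e["ts"].strftime("%Y-%m-%d %H:%M:%S"), e["src"], e["dst"], "; ".join(reasons)))
    return alerts

if __name__ == "__main__":
    for alert in find_off_hours_activity(SAMPLE_LOG):
        print(alert)
```

Anything the script flags is a prompt to look closer, not proof of a breach; a scheduled backup to a new provider would trip the same checks.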

If your system starts behaving strangely – maybe it is suddenly operating slower than normal, the credit card processor slows down, computers start slowing down, programs start to crash – then it is very likely that something has been changed. This does not necessarily mean anything has been breached, but it is worth looking into. Where business security is concerned, it is certainly better to be safe than sorry.

My Business Has Been Breached, What Do I Do?

If you know your business has been breached, the first thing you should do is contact law enforcement and try to contain the breach. You want to get law enforcement involved as soon as possible regarding a recent data breach so that they have fresh information to work with. In some cases, law enforcement may have to let the breach continue to trace it.

If your customers' information was breached, you need to notify them once you have adequate information to explain what happened. There are laws that require businesses to follow certain notification protocols, and they vary by state. In the state of Connecticut, businesses are required to notify customers that their personal information has been breached within 90 days, unless law enforcement requests that the notification be delayed or determines that the cyberattack will not harm the customer.

You may also want to hire a private cyber forensic firm to investigate the breach. They can look at your network and determine what was lost, when it was lost, how the criminals got into the system, how long they were in your system, if they are still in your system and if they can get back into your system.

Policies and Procedures

Make sure you have clear security policies in place and that they have been communicated to all employees. These may include changing passwords, blocking dangerous websites and limiting who has access to sensitive data.

As a small business owner, you should have a plan to follow if your business ever experiences a cyberattack. Even if the plan is as simple as knowing who to notify when it happens, it ensures that you and your employees know exactly what to do in case of a security breach. We will discuss employee training in our next post, but here is a general plan:

1. Notify law enforcement as soon as possible. As soon as you notice a difference in your network (for example, a sudden increase in traffic, especially outside of normal business hours), contact your local police department. You can also contact your local FBI office, or the U.S. Secret Service. The appropriate law enforcement officers will investigate the breach and work with you to contain it.

2. Contain the breach. Once you’ve notified law enforcement you will want to work with them to contain the breach. In some cases, law enforcement may have to allow the breach to continue to determine its origin and the best way to expunge and contain it.

3. Notify customers of stolen information after you know exactly what was stolen. You are legally required to notify customers whose data has been stolen or compromised. The laws regulating the notification process differ by state. In the state of Connecticut, you must notify these customers within 90 days of the breach. Send them a written notice, outlining what happened, how it happened, how their data was affected, how you are preventing future attacks and what action they can take. In addition to these actions being required by law, you want your customers to trust you. You may have to take steps to earn their trust back.

4. Call a private firm to investigate. Consider hiring a forensics firm to investigate the breach. They can determine exactly how the hacker got in, what information he or she stole, how long he or she was there and if he or she is still there. They can also help find potential back doors that hackers can use in the future, and they can close them. These firms specialize in helping business owners protect their networks, so you can work with them to find any additional holes in your network.

5. Take appropriate steps to prevent additional cyberattacks. Use the findings from the law enforcement’s and the private firm’s investigations to properly defend your network from future attacks. Once you know what went wrong and how to prevent anything from going wrong in the future, inform your employees. You need to communicate openly and clearly with your employees to ensure that everyone is doing their part to protect your business’s network. Stay tuned for the second installment of this series to learn more about training employees.

6. Develop a crisis communications plan to ensure clear communication internally and to help manage your business’s reputation after an attack. In the event of cyberattacks, you must have a communication plan ready to go that addresses the attack both internally and externally, including notifying affected customers. We will be discussing this plan in detail in the third installment of this series, so stay tuned!

Your business security plan needs to be updated regularly based on what is happening and changing in the cyber security world. A plan from 2013, for example, may no longer be sufficient to fully address and resolve a breach that occurs in 2018. Hackers are constantly evolving, so your small business cyber security plan needs to evolve with them.

Stay tuned to learn more about security breaches and cyberattacks, including how to train your employees, how often you should change passwords, how to ensure you’re staying up to date on data security best practices and how to manage your business’s reputation after an attack by subscribing to our Business Blog.