Dealing with data breaches is becoming a part of running a small business in Australia. It occurs whenever an unauthorised person accesses private information and makes it public. This is usually done by a cybercriminal with malicious intentions and can result in ransom payments being demanded or information sold online.
The consequences of a data breach can be devastating to small businesses, both financially and reputationally. While there are many cybersecurity practices Australian small businesses can adopt to avoid data breaches, knowing what to do after a data breach is equally important.
There are many different ways cybercriminals can cause a data breach. The threat is constantly changing, and businesses will need to handle each situation individually to shut it down and avoid damage.
The nature of the breach may be extremely technical, and may require the expertise of cybersecurity, IT, or data forensics staff to mitigate the risk.
However, there are things that can be done that fall on the shoulders of small business owners. This blog explores some of those methods and looks at some cybersecurity tips that can lessen the damage to your small business so you can go on trading for another day.
1. Contain the data breach
More often than not, a data breach will be discovered by the affected third party and not by the business or its employees. Therefore, the following three steps will all need to be taken swiftly to get ahead of the attack.
If someone discovers that there has been a data breach, small business owners should immediately take steps to stop the breach, according to the Australian Government.
The first course of action would be to stop the unauthorised activity, recover any lost data and shut down the breached system.
The following questions can help you to identify strategies to stop data breaches:
- What caused the data breach?
- Is personal data still being shared or lost?
- Who has access to your data and network?
- What can you do to protect the information from any further unauthorised access?
Take care not to destroy any evidence during this initial stage that could help identify the source of the breach or allow the risks to be mitigated.
2. Assess the damage
Once you have contained the data breach from wreaking any more havoc, the next step is to assess the damage. It’s essential to do this as fast and efficiently as possible.
As much information as possible about the data breach should be gathered and evaluated. Try to create a full picture of the data breach to ensure that you or an expert understands the risks to the affected people and to identify and take the appropriate steps to minimise the damage.
This assessment will also help you decide who must be notified and to what extent.
Consider the following when assessing a data breach:
- The type of personal data involved in the data breach
- The circumstances surrounding the data breach, including its causes and consequences
- The nature and extent of the harm done to the affected persons, and the possibility of remedial action
Try to write down any relevant information about the cyber attack that could be useful when reviewing the breach.
Information could include:
- The date, time, duration, and exact location of the breach
- The type of personal data involved in the breach
- How the breach was discovered, and by whom
- The cause and extent of the breach
- A list of affected persons or potentially affected individuals
- The risk of serious harm to those affected
- Any other harms that may occur
3. Inform your customers, staff, and anyone else related to your business of the data breach
If a data breach occurs, inform anyone involved in your business as soon as possible. Keeping a data breach a secret can only lead to bigger problems down the track.
Your small business is about providing a product or service to your customers and clients. It’s about giving your employees a job so they can earn money and build their careers and skills. It’s about transacting with suppliers and wholesalers to ensure your business is stocked and ready for trade.
These people are involved in your business and may trust you to hold their personal and sensitive information.
If their information is compromised because of your business, they deserve to know.
It’s important that you inform them, from an ethical, business, and legal perspective.
Ethical
Firstly, put yourself in the shoes of your stakeholders and look at the situation ethically.
Your data could be used to illegally apply for credit cards, which could impact your credit score.
Your sensitive medical or criminal information could be leaked for the world to see.
Anyone on the Internet could know your passwords, passport number, and other identification that could be used for any malicious purpose from fraud to identity theft.
If that happened to you because someone you trusted with your information had been hacked, wouldn’t you want to know?
Business
Secondly, even if you don’t care about the great debate of what is the right thing to do, hiding a data breach simply doesn’t make much business sense.
The cornerstone of business relationships is trust, and if you erode these relationships by hiding critical information, it is likely that your business circle will become significantly smaller.
A data breach is likely going to damage your reputation anyway. One study by PricewaterhouseCoopers (PwC) found that 85% of consumers would be willing to walk away and take their business elsewhere if a data breach occurs.
Imagine how much worse it will be if you keep it from them.
Legal
You may also have to legally report your data breach, depending on what industry you are in.
The Security of Critical Infrastructure Act 2018 makes it mandatory for businesses to report a cyber security incident if they are responsible for a critical infrastructure asset.
Businesses within these critical infrastructure sectors – which include critical data storage, food and grocery, education, and freight businesses among many others – are required to report data breaches to the Australian Cyber Security Centre.
Even if businesses don’t fall under these critical sectors, many will still need to adhere to the Privacy Act 1988 – legislation that is designed to protect the handling of information about individuals.
And while class actions about data breaches are rare in Australia compared to other countries like the US or the UK, the landscape is changing in the wake of recent high-profile cyber attacks.
4. Review the data breach
After steps one through three are completed, small business owners should review the incident and make improvements to their personal information handling.
This could include:
- A security review that includes a root cause analysis of the data breach
- A prevention plan to stop similar incidents from happening again
- Audits to verify that the prevention plan has been implemented
- A review of policies and procedures, with modifications to reflect the lessons learnt
- More in-depth and rigorous staff training
- A review of the stakeholders involved in the breach
It is important to learn from data breaches and improve the security and handling of personal information, as this will help to prevent future incidents. Consider each data breach in conjunction with similar incidents that may have occurred in the past, since a pattern could indicate a problem with policies and procedures.
An excellent resource for small business owners developing a review of a cyber incident is the Guide to Securing Personal Information by the Australian Government’s Office of the Australian Information Commissioner (OAIC).
From ensuring your devices and network are secure to using strong password practices, there are many things you can do to avoid an attack. Find out ten ways to avoid threats to your small business here.
5. Consider Cyber Liability insurance
The final step small business owners may want to consider is getting cyber insurance. While it is not designed to protect your business from hackers, a Cyber Liability policy can help reduce the severity of the financial and reputational damage of a cyber attack.
Cyber liability insurance is a type of business insurance which protects your business against both the legal costs and expenses related to cybercrime incidents. Your coverage may generally include cover for expenses and restoration costs relating to the following:
- Data breaches including theft or loss of client information
- Network security breaches
- Business interruption costs
- Forensic investigation into the cause or scope of a breach
- Data recovery costs
- Cyber extortion
- Crisis management costs (to protect or mitigate damage to your business’s reputation resulting from a cyber event)
- Loss and legal costs, including fines and penalties resulting from a third-party claim against your company for a data or network security breach
The bottom line
Dealing with a data breach is never going to be an easy situation to handle. An attack has the potential to cost you thousands and destroy the reputation of your small business.
Knowing what to do when a data breach occurs could save you from a lot of pain in the future. Hopefully these five steps will put you on the right track to getting back up and running after a cyber attack.
This information is general only and does not take into account your objectives, financial situation or needs. It should not be relied upon as advice. As with any insurance, cover will be subject to the terms, conditions and exclusions contained in the policy wording.
© 2022 BizCover Pty Limited, all rights reserved. ABN 68 127 707 975; AFSL 501769