“What do we do next?”

Picture this: Your small business has been hacked and you are now asking yourself, your business partners or your management team that question.

If the question characterizes the state of your ID-theft preparedness, the painful answer I have is: It’s already too late.

You need to be ready before your data is hit and immediately launch your data-breach incident response plan. In case you’re not ready, let me give you the essentials I provide to my business and civic audiences so you can be prepared.

The first priority for your business is to understand the three primary data-breach risk factors: people, processes and technology. The people factor includes current and former employees, customers, associates, vendors and independent contractors.

Processes include information technology, enterprise risk management, marketing, sales and human resources.

The technology that you rely on to conduct and grow your business also is being used by cybercriminals to identify vulnerabilities of your business.

Your second priority is to complete a data assessment of all types of information that your business collects, uses, stores and transmits.

• What type of data (on employees, customers or patients) is in your files?

• What type of personally identifiable information is in your business data (for example, name, address, Social Security number, driver’s license, bank account, credit/debit card, medical plan information)?

• What aspects of your business are performed within and outside your business?

• What would be the value of your data assets if they were stolen and made public?

• What would be your overall financial risk if your data was breached?

• In which states does your business conduct business and in which what states are your customers/employees/patients living?

• Does your business insurance include cyber/network liability?

Your third priority is to include the following five components in your small-business data-breach incident-response plan:

• Determine breach source. Make sure the data compromise is isolated and access is closed. You may need a forensic investigation company.

• Breach assessment. Determine the scope of the data breach and privacy and data-security regulatory requirements.

• Response plan. Include internal employee education and talking points; public relations, customer education and resources; business or consumer solutions to be considered; and the content and timely release of notification letters.

• Protection plan. Determine what protection services will be offered to the compromised record group and confirm professional call-center and recovery advocate-support services.

• Breach-victim resolution plan. Provide access to professionally trained and certified identity-fraud recovery advocates who will work on behalf of the victims to mitigate and resolve the issues caused by breach.

Templates are freely available online to assist with the creation of your data-breach incident response. Also, consider contacting your insurance broker and professional trade associations to which your business belongs. They often have good resources.

Mark’s most important: Promise yourself today that you will have a data-breach response plan in place by the end of the month.

 

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., a national ID-theft and background-screening provider based in Phoenix. Reach him at markpribish@merchantsinfo.com.

This article was originally published on AZcentral.com and republished with the author’s permission.