Many small business owners tend to think of cyber attacks as something that happens to big companies. Unfortunately, the many heart-breaking stories of small business attacks receive far less media attention. The reality is that smaller targets can be easy game, due to (typically) lower levels of IT sophistication, funding, and dedicated cyber security staff. Sadly, a cyber attack can be devastating for many small businesses, leading to huge financial costs, significant data loss, operational downtime, and/or reputational damage that may be nearly impossible to recover from.
Watch for signs you may have been hacked
So how do you know your business may have been hacked? Sometimes it’s easy and sometimes it’s not. Signs might include something being “off” with your financials, your hardware or software not working right, your passwords not working, or you get complaints about your emails (e.g., customers or contacts say they’re getting spam emails you didn’t send).
The key is to respond quickly and efficiently once you detect a breach. The first thing to do when (not if) a cyber attack happens to you: don’t panic. Take a breath, take stock and walk through the three key stages of crisis management — readiness, response and recovery. This can help your business come out the other side.
The 3 Stages of Fraud Management
While there are steps you can take to help prevent getting hacked, no business is 100% impenetrable. Preparation is your best bet to effectively manage and survive a cyber incident. That’s why a good cyber crisis plan can help your team respond quickly and effectively, and minimize any damage. While you and your business may be stretched for time and resources now more than ever, it’s never been more important.
“Once you’re prepared, you also need to practice,” advises RBC Chief Information Security Officer Adam Evans. “It’s flexing a muscle — you need to do it regularly to make sure that you understand how to operate everything you’re putting into place.”
Stage 1: Readiness
If you have a plan in place already and you think you’ve been hacked, now is the time to put it into action. If you don’t, you’ll need to think quickly, so use this Cyber Security Crisis Management Template.
At a minimum, your plan should include:
- A list of cyber risks, grouped by impact. Know what types of events might affect your organization. For example, a lost employee laptop or mobile device, a system disruption, or a data breach.
- The potential level of harm for each risk (e.g., critical, high, medium, low). Think about risks from all lenses — including technology, operations, payments, reputation and people. Remember, risks might not always come from an attack on your business; you could be impacted by attacks on a key supplier, employees or even clients.
- Key stakeholders. These are people or companies that could be affected by a cyber event in your business — they may either be impacted by a hack or be in a position to help you through it. It’s a good idea to formally document their names, contact information, and roles.
- How events will be communicated. How will you reach out to those affected? How much will you tell them, and when?
- Communications templates. Time is of the essence in a crisis. It’s wise to prepare communications in advance, taking into consideration various messages, channels, and levels of priority.
Stage 2: Response
Next up, you’ll want to think about how you want to respond and take action — then act. If you prepared sufficiently in the first stage, this is a matter of executing the plan you have already developed and practiced.
In this stage, you will need to assess:
- What happened
- What are the impacts
- What your plan is in the short-term (minutes and hours), the medium-term (days and weeks) and the long-term (months and years).
- How and when you’re communicating with stakeholders
It’s also at this point that you need to “own the breach,” as Evans says. “Owning the breach is very critical, because you control the messaging, and you act in the interests of your customer and your employee in protecting your business. If you do those things well, you maintain a level of integrity and a level of trust with the community that you serve.”
Stage 3: Recovery
In the recovery phase, you’re trying to limit the damage and minimize disruption to your business. Once you’ve addressed the immediate risk, so to speak, you’ll need to assess the damage to your technical systems, your finances, your brand, your operations and your stakeholders. You’ll also need to address any regulatory, compliance and legal issues.
This is also a good time to look closely at how this happened, and take stock of lessons learned. Ask yourself:
- Have the problems been fixed?
- What steps can we take to prevent this from happening again?
- Are my employees and suppliers fully educated on the risks and vulnerabilities that exist? Remember, as much as 95% of incidents are caused by human error, such as employees clicking on links, using weak passwords or being tricked into sharing information.
- Have any opportunities emerged out of the crisis?
“The odds of businesses getting hit with a cyber attack keep rising. And if you’re hit once, chances are that lightning might strike again. With those odds, incidents are a virtual certainty for most businesses. Business owners have a lot on their minds and juggling many mission-critical priorities this year, but cyber security is just too important to let slide,” Evans said.
Get help from experts
Keep in mind that through every stage of crisis management, you’ll be better positioned for success if you secure help from experts. Consider having a legal team on retainer to provide timely advice, IT experts to set up robust security systems and cyber education specialists to educate your employees.
For more ways to effectively protect your business, read Protect Your Business Against Cheque and Over Payment Scams.
This article is intended as general information only and is not to be relied upon as constituting legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. Information presented is believed to be factual and up-to-date but we do not guarantee its accuracy and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or any of its affiliates.