Many small business owners tend to think of cyber attacks as something that happens mostly to big companies. That’s because reports of multi-national enterprises being hit by hackers dominate the headlines. Unfortunately, the many heart-breaking stories of small business incidents receive far less attention. The reality is that smaller targets can be easy game, due to (typically) lower levels of IT sophistication, funding and dedicated cyber security staff. Sadly, a cyber attack can be devastating for many small businesses, leading to huge financial costs, significant data loss, operational downtime and/or reputational damage that can be almost impossible to recover from.
Watch for the signs
So how do you know your business might have been hacked? Sometimes it’s easy and sometimes it’s not. Signs might include something being “off” with your financials, your hardware or software not working right, your passwords not working, or complaints about your emails (e.g. contacts say they’re getting spam emails you didn’t send). Cyber criminals are, on average, in business environments for 200 days before owners realize they have been attacked. However, some incidents are more obvious.
The key is to respond quickly and efficiently once you detect a breach. The first thing to do when (not if) a cyber attack happens to you: don’t panic. Take a breath, take stock and walk through the three key stages of crisis management – readiness, response and recovery. This can help your business come out the other side.
Readiness, Response and Recovery: Three Stages of Crisis Management
While there are many steps you can take to prevent getting hacked, no business is impenetrable. Preparation is actually your best bet to effectively manage and survive a cyber incident. That’s why a good cyber crisis plan can help your team respond quickly and effectively, and minimize harm. While you and your business may be stretched for time and resources now more than ever this year, it’s never been more important.
“Once you’re prepared, you also need to practice,” advises RBC Chief Information Security Officer Adam Evans. “It’s flexing a muscle – you need to do it regularly to make sure that you understand how to operate everything you’re putting into place.”
Stage 1: Readiness
So, if you have a plan in place already – and you think you’ve been hacked – now is the time to put it into action. If you don’t, you’ll need to think quickly, so borrow this Cyber Security Crisis Management Template.
At a minimum, your plan should cover these elements:
A list of cyber risks, grouped by impact. Know what types of events might affect your organization. For example: a lost employee laptop or mobile device, system disruption or data breach. Phishing, ransomware and business e-mail compromise (using a company’s own e-mail accounts to defraud clients or employees) continue to be the biggest threats. Next, categorize their potential level of harm (e.g. critical, high, medium, low). Think about risks from all lenses – including technology, operations, payments, reputation and people. Remember, risks might not always come from an attack on your business; you could be impacted by attacks on a key supplier, employees or even clients.
Key stakeholders. These are people or companies that could be affected by a cyber event in your business – they may either be impacted by a hack or be in a position to help you through it. It’s a good idea to formally document their names, contact information and role.
How events will be communicated. How will you reach out to those affected? How much will you tell them, and when?
Communications templates. Time is of the essence in a crisis. It’s wise to prepare communications in advance, taking into consideration various messages, channels and levels of priority.
Stage 2: Response
Next up, you’ll want to think about how you want to respond and take action – then act.
In this stage, you will need to assess:
- What happened
- What the impact(s) are
- What your plan is in the short-term (minutes and hours), the medium-term (days and weeks) and the long-term (months and years). If you sufficiently prepared in the first stage, this is a matter of executing the plan you have already developed and practiced.
- How and when you’re communicating
It’s also at this point that you need to “own the breach,” as Evans says. “Owning the breach is very critical, because you control the messaging, and you act in the interests of your customer and your employee in protecting your business. If you do those things well, you maintain a level of integrity and a level of trust with the community that you service.”
Stage 3: Recovery
In the recovery phase, speed is essential to limit damage and minimize disruption. Once you’ve “secured the scene,” so to speak, you’ll need to assess damage to your technical systems, your finances, your brand, your operations and your stakeholders. You’ll also need to address any regulatory, compliance and legal fallout.
This is also a good time to look closely at how this happened, and take stock of lessons learned. Ask yourself:
- Have the problem(s) been fixed?
- What steps can we take to prevent this from happening again?
- Are my employees and suppliers fully educated on the risks and vulnerabilities that exist? Remember, as much as 95% of incidents are caused by human error, such as employees clicking on links, using weak passwords or being tricked into sharing information.
- Have any opportunities emerged out of the crisis?
“The odds of businesses getting hit with a cyber attack keep rising. And if you’re hit once, chances are that lightning might strike again. With those odds, incidents are a virtual certainty for most businesses. Business owners have a lot on their minds and are juggling many mission-critical priorities this year, but cyber security is just too important to let slide,” Evans added.
Don’t Go It Alone
Keep in mind that through every stage of crisis management, you’ll be better positioned for success if you secure help from experts. Consider having a legal team on retainer to provide timely advice, IT experts to set up robust security systems and cyber education specialists to educate your employees.
For a more in-depth take on ways to effectively protect your business, listen to Evans in our podcast Three Ways to Protect Your Business from Cyber Fraud, or read Five Cyber Fraud Survival Tips to Protect Your Business in a Digital Workplace or Five Things to Do Right Now to Ensure Your Business is Cyber Secure.
This article is intended as general information only and is not to be relied upon as constituting legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. Information presented is believed to be factual and up-to-date but we do not guarantee its accuracy and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or any of its affiliates.