Too many businesses are unprepared to deal with a security breach. You are the steward of the information that your site collects, including all of the user information entrusted to you by people who visit and use your site (your customers). And if you don’t take steps to protect that information, or at least deal with the aftermath of a security crisis, your company might not survive. The financial costs of a hack can be enormous, even if you aren’t an Internet retailer.
Regular Security Audits Can Update Your Readiness
Don’t wait until your website is brought to its knees to identify its vulnerabilities. Too many companies are woefully unprepared for a cyber attack simply because they haven’t bothered to do a comprehensive security assessment. Even small businesses should think about hiring a security consultant to identify security problems and recommend fail-safes and backups.
Think about it. The cost of prepping your business to prevent or deal with a security breach is much smaller than the liability you’ll face from extended network or website downtime, not to mention the costs of fines or legal action you could face if you’re found to not be in compliance with basic laws.
Be Transparent with Users about the Breach
If you don’t control the narrative, somebody else will. Transparency doesn’t equal a free-for-all of information, though. You need to have comprehensive, company-wide guidelines in place for who is allowed to communicate with the press and the public. You want to have a carefully crafted, unified message for the public, government agencies and the press in place as soon as possible. Without a plan in place, you may wind up releasing incomplete, inaccurate or damaging information.
Providing the appropriate information to users and the media is essential, and both groups typically want to know two things: what information was compromised and who did it. Responding quickly with updates on the situation via your blog and other outlets prevents a vacuum of silence that would otherwise be filled by speculation, confusion and uncertainty, which critics will be more than glad to exploit.
Focus on Compliance with Local and Federal Law
In the US at least, there are separate laws at the state and federal level that govern the security of information. What constitutes personal data, and when you’re required to notify the public should that data be compromised, differs from state to state. As we’ve already talked about, having clear policies regarding communication is essential for dealing with the aftermath of a cyber attack, and most of the groundwork for such an event should happen beforehand, probably as part of your disaster preparedness strategy.
Not knowing laws regarding disclosure of a breach, and who needs to be notified, could do serious damage to your company reputation, making you look incompetent at best and deceptive at worst.
Preparation Is Key in Any Case
Whether or not you actually get hacked may depend on your preparation. Unless you’re singled out as a high-value target or for the ever more popular forms of hacktivist protest, you’ll likely be passed over in favor of lower-hanging fruit if you shore up obvious security vulnerabilities. In the event that your site is hacked, having an emergency response plan in place could mean the difference between an embarrassing PR crisis and a business-ending catastrophe.