Don’t think for a minute that the “little guys” are safe. Small and medium-sized businesses are in fact often preyed upon by cybercriminals, who view them as having fewer resources to manage cybersecurity. Making matters worse, attacks against SMBs are increasing, despite the Chip and PIN payment technology, as smaller vendors can be slower to adopt the new system.
With the threats continuing to increase and SMBs being an attractive target for attack, it’s not a matter of if but when a company will experience a security incident. It is critical that small retailers are up to speed on how to best prepare for and mitigate the fallout of a major security incident. The following are key areas of consideration to keep in mind when managing this major risk.
Don’t Wait – Create A Strong Incident Response Plan
First and foremost, it is important to have a well-practiced response plan and team in place before an incident occurs. The plan should outline precise steps to take in the event of a breach, and each team member’s responsibility. It should also include sample communications materials, including media statements, customer Q&A and customer letters that can be customized when a data breach is discovered.
If an organization does not have existing in-house legal counsel, communication experts or security teams, it will be important to identify the external experts needed to help manage a major incident. Be sure to determine specifically who you would like to work with ahead of time, and introduce them to your incident response team. The benefits of this approach are greater alignment and the reduced likelihood that you will have to change providers midstream during a live data breach, which can prove devastating and slow the communication process with customers. Worse, of course, is having to put a plan together after a breach.
Further, a plan is only good if it actually works in practice. Like a fire drill, the plan should be practiced regularly to ensure everyone knows precisely how to respond in the event an incident occurs.
Put Customers First
While all businesses must be prepared to protect customers after a data breach, small retailers in particular need to do a good job of communicating with consumers, as the potential reputational and resulting financial loss can be devastating. According to reports from the House Committee on Small Business, a staggering 60% of SMBs may go out of business within six months of a data breach. A large part of this can be attributed to the financial impact of customer loss.
To combat this loss, take into account that 63% of consumers believe organizations should be obligated to provide identity theft protection in the event of a data breach. State attorneys general agree, with several instituting stricter requirements for notifying and protecting customers. Providing these services after a breach can help protect your reputation and ultimately reduce impact on the business.
Communicate Effectively
Keep in mind that a brief notification letter offering protection services to customers is not always enough. How you word your letters affects how effective they will be in instilling confidence in customers. Show genuine empathy and provide customers practical and easy-to-follow steps to protect themselves from fraud. This includes checking credit reports and monitoring financial or health records to identify any suspicious activity.
Other methods of communication to consider include an FAQ section on your company web site and a call center. Call center providers can help your company to answer more detailed questions and customer concerns about a data breach and how to enroll in protection services. Providing this open line of communication can go a long way in retaining customer trust. Many people still prefer talking to a person versus reading FAQs on a web page.
Research Cyber Insurance
Companies should consider purchasing a cyber insurance policy. A good insurance policy should scale to a small business’ needs, and can help significantly reduce costs in the long run. Insurance policy providers also offer pre-selected expert partners to work with, which can be critical for small businesses that may not have all the data breach resources they need in-house. This often includes negotiated favorable rates as well, helping to further reduce the cost of managing an incident.
Data breaches are going to happen; knowing how to respond in advance can very possibly save a small retailer’s business. There are a lot of resources available, so it’s wise to take advantage of those now — before you’re trying to figure it out after the fact.
More information on data breach preparedness and resources can be found at the Experian Data Breach Resolution web site and the Experian Data Breach Resolution blog.
Michael Bruemmer, CHC, CIPP/US, is Vice President with the Experian® Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space, where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently sits on the Ponemon Responsible Information Management (RIM) Board, the Information Security Media Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board.