A cyberattack can instantly cause significant harm to a business. But the chance of a startup being hit is slim, so why bother with robust precautionary measures, right?
Wrong.
Cybercriminals aren’t picky about who they target and, with fewer resources to protect themselves, smaller businesses are actually more likely to be a victim.
You might think your startup doesn’t hold data that’s of any interest to a hacker, but unfortunately, that’s not the case. Payment details, personal information, company financials and passwords are all valuable digital assets to a cybercriminal. So, if you store any data digitally, your business is at risk.
Taking an “it’ll never happen to me” approach to cyber risk results in many startups and small businesses being unable to recover from an attack, simply because they’re completely unprepared to deal with the fallout.
Cost is another major factor preventing startups from getting the cyber protection they need. When your business is just starting out, every cent counts. It can be difficult to justify the cost of investing in the means to keep your data secure, but the cost of not doing so can be far higher, and can put the future of your startup in jeopardy before it’s even had the chance to get off the ground.
How can startups protect themselves from a cyberattack?
All startups should:
- Use anti-virus software and install firewalls
- Back up their systems and data on a regular basis
- Get an IT security expert to check for vulnerabilities
- Purchase a cyber liability insurance policy
- Perform stress tests on IT infrastructure
- Use hard-to-guess passwords, encryption or other authentication methods
- Keep track of what software and apps are being used
- Establish a data security policy
- Train employees on cyber threats
- Be vigilant when using public Wi-Fi, clicking links or visiting websites
- Create a backup so systems and data can be restored
Prevention is better than cure, but sadly, even startups that do take cybersecurity seriously will never be able to prepare for every risk. This doesn’t mean that planning for a cyber incident should be ignored. In fact, small businesses that are unprepared are far more likely to have to shut down for good.
What action should a startup take if it is hacked?
It’s not so much a case of “if” your organization will suffer a cyberattack but “when.” With the odds stacked against you, it’s important to know what to do if data is compromised.
Follow these 10 steps to make sure your startup survives a cyberattack.
1. Make cyber part of your risk planning
With more and more data being created and stored digitally, developing a risk recovery and business continuity plan that includes a detailed step-by-step plan of what action needs to be taken following an incident is crucial.
Many startups are completely reliant on technology to run their business. Think of the impact of not being able to access files, get online, or take payments through your website and use this as a starting point to plan for every scenario involving digitized data.
Being able to refer to this document when you need it will ensure processes are followed in the correct order and that nothing important is overlooked.
2. Tell your insurer
With cybercrime on the rise, many insurers have started offering cyber policies to small businesses.
However, 91 percent of small business owners don’t have cyber liability insurance, perhaps because of a lack of awareness about what the coverage offers.
A cyber liability policy can take care of most, if not all, of the expense that comes with managing the aftermath of a breach, including:
- Investigating the breach
- Restoring data, systems and your website
- Informing customers
- Legal fees and compensation payouts if you’re sued for someone’s data being compromised
- Legal defense if you face legal action by local or federal authorities
- Regulatory penalties or fines
- Income lost and extra expenses if a cyberattack stops you doing business
- Credit monitoring for victims of identity theft
- Reputation management
- Resources to provide support for customers
Not only are costs covered, but some insurers will also source the experts your business needs to get back on track, leaving you with more time to focus on running your startup.
3. Find out what happened as soon as possible
When it comes to investigating how a breach occurred, time is of the essence.
A few common reasons a breach may have occurred are:
- A device was lost or stolen
- Weak passwords were used
- Human error (clicking suspicious links in emails or being tricked into giving out security details, for example)
- Not keeping IT systems and software up-to-date
- Malicious software/viruses
- Using an unsecured network to access the internet (such as public Wi-Fi)
Startups are far less likely to have an in-house IT security expert who can investigate what went wrong. If that’s the case, it’s time to bring someone in to help as soon as possible.
4. Bring in an IT expert
It can be difficult to pinpoint the exact reason a breach occurred, and vulnerabilities could be overlooked even after the incident. An IT expert can assess the situation, provide guidance on how to remedy the issue, and offer support to get systems back up and running.
5. Get back online
After an attack, it might be necessary to wipe data from the network or devices, or revert to a previous version, which is why it is so important to always keep a backup in order to limit the impact of data loss. Bear in mind that even once data and systems have been restored, there may be delays caused by reconfiguration of key settings, including resetting passwords and updating user access levels.
6. Determine whether it’s possible to do business
If you haven’t been able to get systems back online or retrieve data, you may not be able to get back to business as usual straight away. Even if the recovery process went smoothly, if the breach is severe, it may be a while before systems, websites, or software are fully operational.
7. Contact local law enforcement
Like any other crime against your business, cyberattacks need to be reported to local law enforcement. Yet many small businesses are unaware they should contact the police, with the majority leaving out this important step in the recovery process.
After data has been compromised, your customers will want to know you are taking the breach seriously. Although opening an investigation may slow down recovery efforts in the long term, demonstrating your startup is dedicated to taking action against the perpetrators can prevent the headaches a PR crisis can cause further down the line.
8. Hire a PR firm specializing in crisis management communication
How you handle announcing a cyber incident can make or break your startup’s reputation. While a big brand may have the client base to take a knock to their customer perception, startups don’t. This is why getting the messaging right following a crisis is so crucial.
Working with a PR agency that can distribute a response helps open up lines of communication by letting customers know your business is taking the breach seriously, and is taking the necessary steps to resolve the issue.
9. Make sure customers and regulators are updated
Once the word is out, your business will need to outline exactly what’s being done to put customers’ minds at ease. This may include things like hiring additional staff to offer support and advice to concerned customers, or offering credit monitoring for free to those affected.
If your startup has to adhere to regulations, it’s likely you’ll need to inform relevant bodies about the breach. There may be fines to pay, especially if the incident occurred due to non-compliance.
10. Review and update recovery plans
Once you’ve successfully deployed all steps in the recovery plan and things are getting back on track, it’s important to review how effectively the incident was managed, what could have gone better, and what needs to be done to prevent future occurrences.
Reviewing the plan can present an opportunity to update policies around data security, provide staff training on cybersecurity, audit systems and software to make sure they are up to date, and schedule time to perform stress tests to spot any vulnerabilities in IT security.
Startups are at high risk of being involved in a data breach. Even a single cyber incident can push an organization to breaking point, which is why IT security needs to be made a priority no matter how big (or small) a business is.