Business Solutions Center
Business Columns


Cyber-Breach Planning for Small Businesses

Small Business Technology Tip - Dave Pelland
Dave Pelland Dave Pelland has extensive experience covering the business use of technology, networking and communications tools by companies of all sizes. Dave's editorial and corporate experience includes more than 10 years editing an electronic technology and communications industry newsletter for a global professional services firm.

Cyber-Breach Planning for Small Businesses

Cyber-Breach Planning for Small Businesses

While most small-business cybersecurity-planning rightfully focuses on preventing breaches, it’s also prudent to create a response plan in the event a cyber incident is discovered.

Given the increased severity of the cyber threat and the fact that small businesses are a consistent target for hackers, taking time to plan an effective response can go a long way in mitigating the unwanted effects of a cyber breach.

According to published statistics, 58 percent of reported data breaches affect small businesses annually. This makes the idea that a company would be too small to be attacked, wishful thinking; and highlights the importance of a small business developing a response plan without the stress and time pressures that will be present during a breach.

Your small-business response plan should have three primary objectives:

  • Recovering any compromised data
  • Restoring business operations
  • Notifying anyone affected by the breach

As you start the process, your plan has to identify what a breach looks like. This may vary according to any industry or compliance requirements your company may fall under, but in general terms, a breach will involve the loss or compromise of personally identifiable information about customers, employees, or suppliers; or the loss or theft of the company’s financial, trade secrets or other confidential information.

A number of sample response plans and planning templates are available, including one from the National Institute of Standards and Technology (NIST). NIST offers a series of guidelines covering preparation, detection, containment and recovery, and post-incident activity.

A key aspect in any plan will be identifying your most important data, and trying to restore that data first. It’s critical to have an online backup plan that is always running, and to periodically make sure that plan is backing up your critical business data as you think it is.

Data recovery is often the most important aspect in getting your business running after a breach, and can make the difference in your company’s ultimate survival after the breach.

Define Your Team

It’s also important to establish a team to help coordinate your response-planning as well as to carry out that plan. You want to identify who’s going to do what, and what they’re going to say, as an incident is uncovered and your recovery begins. For instance, it will be important to inform employees, customers, suppliers, and potentially law enforcement.

You’ll probably also need to identify and alert external resources such as your IT consultant, your attorney, and if you have cyber insurance, your agent or broker. Getting legal advice during a breach can be helpful in informing your company whether the breach has triggered a notification requirement, and can potentially help mitigate other effects of the breach.

It’s also important to understand that your plan needs to be reviewed periodically, such as annually, to make sure the outlined threats and contact information for team members are all current. Ransomware has emerged as a leading threat in the past few years, for example; in your plan you should consider circumstances in which you may choose to pay a ransom (and how much).

Reviewing this data will be a helpful step in making sure your cyber-response plan reflects your company and its needs accurately, and that your company is better positioned to respond to a cyber breach.


Read other business articles by Dave

The information included on this website is designed for informational purposes only. It is not legal, tax, financial, or any other sort of advice; nor is it a substitute for such advice. The information on this site may not apply to your specific situation. We have tried to make sure the information is accurate, but it could be outdated or even inaccurate, in parts. It is the reader's responsibility to comply with any applicable local, state, or federal regulations, and to make their own decisions about how to operate their business. Nationwide Mutual Insurance Company, its affiliates, and their employees make no warranties about the information, no guarantee of results, and assume no liability in connection with the information provided.