3 Crucial Steps to Take After a Data Breach

If the worst-case scenario happens and your business suffers a data breach, here are the three key steps you need to take right away.

In our last two articles, we discussed how to protect your business against a phishing attack and five ways to avoid a data breach. But what do you do if you unfortunately experience this type of crisis? The following guidance from the Federal Trade Commission’s East Central Region (FTC) can help you make smart, sound decisions.


    Here are three important steps to take following a data breach at your company:

    Post-Data Breach Step No. 1: Secure Your Operations

    Once you are the victim of a data breach, you want to work quickly to prevent any further compromise of your company’s information. In order to do so, we recommend taking the following actions to secure your operations.

    Assemble a team of experts. This could include independent forensic investigators to determine the source and scope of the breach and legal counsel with expertise in privacy and data security. 

    Secure physical areas. Take steps like locking compromised areas and changing access codes. 

    Stop additional data loss. Take affected equipment offline immediately, but don’t turn the machines off until the forensic experts arrive. If possible, put clean machines online in place of affected ones. Also, update credentials and passwords of authorized users. 

    Remove improperly posted information. If the breach involved anything improper posted on your website, remove it. Contact search engines to ensure that they do not archive personal information posted in error. Also, search for your company’s exposed data and contact any websites that have saved a copy of it and request its removal. 

    Interview people who discovered the breach. Talk to anyone else who may know about it. 

    Do not destroy any forensic evidence. Keep all evidence from your investigation or remediation.    

    Post-Data Breach Step No. 2: Fix Vulnerabilities

    It’s necessary to have a long-term plan when it comes to preventing another data crisis. Take a look at all areas of your business and determine where there are vulnerabilities that could lead to further breaches.

    Think about service providers. If service providers were involved, examine whether they need the access that they currently have. Also, make sure they are taking the steps they need to prevent another breach.

    Check your network segmentation. Analyze how effective your segmentation plan was and whether you need to make any changes. 

    Work with your forensic experts. Your forensic experts will help you review and analyze data and determine issues such as whether encryption was enabled, who had access to certain data, what types of information were compromised and the number of people affected. Use the forensic reports and take the recommended remedial measures as soon as possible.

    Have a communications plan. Create a comprehensive plan that reaches all affected audiences — employees, customers, investors, business partners and other stakeholders. Don’t make misleading statements about the breach, withhold key details that might help people protect themselves and their information or publicly share information that might put them at further risk. Be sure to put clear answers to the most important questions in an easy-to-find spot on your website. 

    Post-Data Breach Step No. 3: Notify Appropriate Parties

    Following a data breach, it’s imperative that your company maintains good communication with the constituents whose information may have been compromised, as well as appropriate outside groups and law enforcement. Know which parties you are responsible for communicating with and the laws surrounding these notifications.

    Determine your legal requirements. Ohio Revised Code Section 1349.19 requires expeditious notification of security breaches involving computerized personal information data that could reasonably put a person at risk of identity theft or fraud. Check other state and federal laws or regulations for any requirements that are specific to your business or the types of information compromised. 

    Notify law enforcement. Call your local police department immediately to report the situation and the potential risk for identity theft, and you can also contact your local FBI or U.S. Secret Service office for more assistance. For incidents involving mail theft, contact the U.S. Postal Inspection Service.

    Determine if the breach involved electronic health information. If so, check if you’re covered by the Health Breach Notification Rule. If you are, you must notify the FTC and in some cases, the media. Also, check if you’re covered by the HIPAA Breach Notification Rule. If so, you must notify the Secretary of the U.S. Department of Health and Human Services (HHS) and in some cases, the media. HHS’s Breach Notification Rule explains who you must notify, and when. 

    Notify affected businesses. If account access information, like credit card or bank account numbers, has been stolen, but you don’t maintain the accounts, notify the institution that does. If you collect or store personal information on behalf of other businesses, notify them of the data breach. If names and Social Security numbers have been stolen, contact the major credit bureaus for additional information or advice. If the compromise may involve a large group of people, advise the credit bureaus if you are recommending that people request fraud alerts and credit freezes for their files.

    Notify individuals. Quickly notify individuals that their personal information has been compromised so they can take steps to reduce the chance that their information will be misused. In deciding who to notify, and how, consider state laws, the nature of the compromise, the type of information taken, the likelihood of misuse and the potential damage if the information is misused. For example, Ohio law specifies that if disclosure is required, written and telephonic notice are always permitted, but other methods of communication may also be permitted under certain circumstances. When notifying individuals, the FTC recommends you:

    • Consult with your law enforcement contact about the timing of the notification so it doesn’t impede the investigation;

    • Designate a point person within your organization for releasing information. Consider using letters, websites, and toll-free numbers to communicate with potentially affected persons. If you don’t have contact information for all of the affected individuals, you can use press releases or other news media notification; and

    • Consider offering at least one year of free credit monitoring or other support, like identity theft protection or identity restoration services, particularly if financial information or Social Security numbers were exposed.

    Ohio law does not prescribe what information must, or must not, be provided in your breach notice, but other state laws may. In general, unless your state law says otherwise, you’ll want to do the following things.

    • Clearly describe what you know about the compromise, including: how it happened; what information was taken; how the information has been used (if you know); what actions you have taken to remedy the situation; what actions you are taking to protect individuals, such as offering free credit monitoring services; and how to reach the relevant contacts in your organization.

    • Tell people what steps they can take, given the type of information exposed, and provide relevant contact information. For example, people whose Social Security numbers have been stolen should contact the credit bureaus and the IRS Identity Protection Specialized Unit at 1-800-908-4490. See IdentityTheft.gov/databreach for information on appropriate follow-up steps after a compromise, depending on the type of information that was exposed. Consider adding this information as an attachment to your breach notification letter.

    • Include current information about how to recover from identity theft. Refer people to IdentityTheft.gov for a list of steps.

    • Consider providing information about the law enforcement agency working on the case, if the agency thinks it would be helpful.

    • Encourage people who discover that their information has been misused to file a complaint with the FTC, using IdentityTheft.gov. This information is entered into the Consumer Sentinel Network, a secure, online database.

    • Describe how you’ll contact people affected by the breach in the future. For example, if they know that you will only contact them by mail and won’t ever call them, this information may help victims avoid phishing scams tied to the breach. Consider telling them that you will post the latest information on your website.

    Consult with your law enforcement contact about what information to include so your notice doesn’t hamper the investigation. 

    The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. You can file a complaint online at www.ftc.gov/complaint or by telephone at 1-877-FTC-HELP (1-877-382-4357).  



    3 reasons to make energy efficiency a priority in your 2016 budget

    Energy prices are as low as we’ve seen since 2012–but we anticipate increases might be heading our way. The balance between record-setting natural gas production and soaring gas-fired electric generation could be the key determinant in price direction. As you begin working on your 2016 energy budget you could have some questions about how to plan.


    Conducting an energy assessment now will give you time to explore multiple energy-saving opportunities, where to prioritize your time and resources, and investigate available rebates, incentives, and financing options.  If you want to cut operating costs and boost profit margins in 2016, starting now will allow you to consider the options before you’ve tapped out next year’s budget. You can use the savings on the low utility bills to pay for those projects to reduce energy usage.

    Here are three ways to incorporate energy efficiency into your 2016 budget plans.

    1.  Reach deep

    Take a look at next year’s budget. How much are you planning to spend on energy bills and building maintenance?  If you could permanently reduce those costs, what would you do with the savings?

    An efficiency upgrade can reduce energy bills by 25% to 40%, which can significantly cut overhead spending.  Minimizing overhead is one of the fastest ways to improve your bottom line without making compromises within your business, such as raising prices or reducing employee incentives.  You will also benefit from increased comfort, productivity, and safety. This in turn will reduce non-energy related expenses such as sick leave and health care costs.

    2.  Don’t let your size deter you

    Small commercial buildings have tremendous energy saving potential. Implementing efficiency measures is a safe investment because you can easily determine savings through an energy audit. Although one energy conservation project drives energy savings and cost reduction, multiple projects that benefit the whole building provide better payback and return on investment, which makes your cash flow that much more attractive.

    3.  Tune up and unplug

    An energy efficiency upgrade doesn’t necessarily mean replacing old equipment. Retrofitting, right-sizing, commissioning, and tuning existing technology is often a better solution as it can yield similar energy savings and extend the life of older equipment.

    According to the U.S. Energy Information Agency’s Annual Energy Outlook 2013, miscellaneous end uses (which include various plug loads) are the fastest growing end-use area in commercial buildings. Plug loads now account for nearly 30% of electricity consumption in a typical office—double the increase from 2003 when plug loads accounted for less than 15% of consumption.  Conduct a walkthrough of your space to find what’s plugged into the wall that doesn’t need to be. If it has an indicator light and it doesn’t need to be on, unplug it to eliminate vampire load waste.

    Example energy savings

    • Adding controls to HVAC and lighting can reduce energy use by 40% and improve the longevity of the equipment, while providing greater comfort and boosting employee productivity. Switching to LED bulbs can significantly reduce light-generated heat gain by 50%, so the HVAC system will work less to cool the same amount of space.
    • Installing a cool or white roof coating can save up to 15% of annual air conditioning energy use, significantly reducing wear and tear on the HVAC system.
    • Energy efficient solar window film can also reduce cooling costs by up to 30%.

    It’s important to stay ahead of the curve and not let rising energy prices impact your budget and ability to remain competitive. We know you want more control over your energy costs and are increasingly embracing energy management as a key strategic business driver. It just makes business sense. COSE is here to help you realize those objectives and make your energy work for you. 

    3 Steps to Budgeting Long Term for Your Electricity Spend

    Budgeting for a small business can be a major undertaking. The energy that powers your business is a large expense that factors into your long-term budget. But determining your budget doesn’t have to be a major task. Follow these three steps to help you establish your energy budget.


    1. Talk to an Energy Consultant. As your energy ally, they can help you decipher the differences between all of your options and assist you with choosing the best energy product for your budget. It’s their job to make sure you fully understand what you’re buying.

    2. Choose a term that meets your long-term budget requirements. For some businesses, the duration of the term is as important as the price per kWh or the price of gas. Use a consultant that understands your needs. All customers have different energy needs, so look for an offer with a variety of contract term lengths, including 1, 2, 3 and even 4 year terms or sweet spot pricing. Locking in for an extended term will allow you to create a long-term budget for your small business’s energy.

    3. Understand your energy consumption. Create your monthly budget based on your historical usage and energy spend. Remember: Although a fixed rate locks in your price per unit of energy, the cost on your monthly bill depends on your energy usage. The less energy you use, the less you will pay.

    Establishing a long‐term energy budget is relatively simple. Once you know what you’re comfortable with, all you have to do is choose your product, lock in your term, and create a budget based on your past energy usage.  And remember, whenever you have questions, we’re always here to help.

    3 (More) Tech Solutions to Consider

    In this month’s Resource Guide, we laid out five cool tech solutions your small business desperately needs. But, as you might guess, there are a lot more than just five techie-related items you should be thinking about. So, without further ado, here are three more.


    Skype for Business  

    When Skype came on the scene, it was immediately embraced by the small business community as an opportunity to connect worldwide without needing a costly telecommunication system. Making free calls from your computer? Check.

    Obviously, Microsoft noticed Skype’s potential, too, because it eventually acquired Skype for Business to replace its former Lync messaging platform. Skype for Business offers capabilities for calling, conferencing, messaging and video.

    “It’s a game-changer,” says Michelle Tomallo, president of FIT Technologies. “You can connect with potential employees for interviews, or you can talk to staff who are working remotely. You can interact with clients that you might not get to see because of their locations or time zones.”

    Tomallo considers Skype for Business an “ultimate productivity tool.”

    “You can connect multiple users, it has video capability and you can send files right in the middle of a conversation,” she says.

    As for the messaging aspect of Skype for Business, the ability to ping someone in the office saves time, Tomallo points out.

     

    Data Analytics

    Knowledge is power. So if a retailer can gather insight on the people who walk in the store, the business can provide a better experience. Data analytics makes this possible, Franks explains.

    For example, free Wi-Fi with sign-in requirements (email or Facebook) can help build a log of who shops. “The biggest problem for one client is that they didn’t know who its customers were until they were out the door,” says Fred Franks, CIO at FIT Technologies.

    “So, then we step back and think, ‘What can give that business a strategic advantage?’” he continues. “One is to welcome customers when they walk in the door and know who they are. Or, to have a manager step out and say, ‘Hello.’”

    Franks says, “Information allows businesses to do more.”

    Businesses can track traffic and a whole range of trends, depending on the data analytics tools used. The actual tool depends on the business, Franks says, not naming a single solution. The key is to capture the power of information and use it to take customer experience to the next level.

     

    Instagram 

    For GPI Design, Instagram is a way for clients to stay engaged in the company’s design/build lighting fixture projects, says Fallon Korinko, senior designer. “Instagram is a social tool that keeps us in contact with customers,” she says.

    Here’s how: The GPI Design team takes pictures to document its process in the field. “We’ll start posting pictures to show the installation process,” Korinko says. Basically, GPI can tell the story through pictures, and clients get to watch and learn. They always know what’s happening on the project—and they can see how GPI’s work transforms a space. “It’s a way to show the progression of a project,” Korinko says.

     

     

     

    Tips for Your Business: 4 Benefits of Cloud Computing

    More and more, small-business owners are taking at least a portion of their business to the cloud. That is, choosing to store information (such as accounting data, email storage) on third-party, off-site servers rather than at the business’ location itself. Why? The benefits of offsite cloud storage from solutions such as Microsoft’s OneDrive are numerous, according to Fred Franks, Chief Information Officer at FIT Technologies.


    Indeed, by the end of 2015, spending on cloud services could top $180 Billion, according to InformationWeek. Further, global cloud workloads are expected to grow at a compound annual growth rate of 35% between 2012 and 2017, according to ZDNet.

    With that in mind, Franks identified three key benefits small-business owners can expect when implementing a cloud computing solution.

    1. Cost savings. The biggest reason companies switch to the cloud is because of cost, Franks says. A company’s servers will eventually reach the end of their life, meaning the company will have to pay to have them replaced. Going with off-site storage takes that concern off the company’s hands.
    2. Flexibility. The cloud can also help make a company more nimble, Franks says. For example, it can be hard to guess how much storage needs will increase in five years. What if the need doubles? Instead of having to bulk up the IT equipment, the company can easily adjust its offsite server size. “It’s like buying a compact car as a newlywed, but you can scale it to a minivan with ease,” Franks says.
    3. Convenience. The added convenience of the cloud is also a big plus. “If you forgot to take your laptop home and you have a cloud service, you can bring it up on your smartphone, tablet or home computer,” Franks says.
    4. Security. Data hacks are becoming all too common across corporate America. Using a cloud-based service can help reduce those fears, Franks says. “Most organizations can’t afford the level of security that cloud computing systems implement,” he says.

    Want more expert advice? Check out COSE Expert Network, an online forum connecting business owners with creative solutions to the tough questions they face every day. 

    This article originally appeared in the August 10, 2015, edition of Small Business Matters.

