No business or individual is immune to a cyber breach, yet I still hear many people telling me they don’t think they will be affected. They believe that their company does not have anything valuable enough to steal, but every company and individual has data that is valuable to a cyber thief, even if we overlook it ourselves. While we’re all focused on the money in our bank accounts, cyber thieves are looking elsewhere. But before I lay out a breach recovery checklist, let’s not forget the following noteworthy breaches:
2013 Target – 70 million records compromised
2014 eBay – 145 million records compromised
2014 Home Depot – 56 million records compromised
2014 JP Morgan – 76 million records compromised
2015 Anthem – 80 million records compromised
2016 IRS – 700,000 accounts affected
2017 Equifax – 145 million American accounts compromised, including Social Security numbers and driver’s license numbers
2017 Yahoo – 3 Billion user accounts compromised
These are some of the greatest hits in data breaches. Now ask yourself whether you have any tie to any of these breaches. I would venture to say yes! Perhaps you have not been compromised yet, but is it only a matter of time?
Post Breach – Take Immediate Action
As soon as you know you have been compromised, take immediate action. Weak and reused passwords play a part in a large share of breaches, so start by creating new, long and strong passwords of at least 12 characters, mixing upper- and lower-case letters, numbers and symbols. If that sounds like too much to handle, use a password manager such as Dashlane to generate and store all those new passwords. It is also important to make sure you are not reusing any password across multiple sites: credentials stolen from one site are routinely tried against others (credential stuffing), and despite endless warnings on the dangers of password reuse, it is still a tremendous problem that hackers gladly exploit.
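The two habits above, generating passwords from a cryptographically secure random source and refusing to reuse one across sites, are easy to get wrong by hand. The following added example (editor's illustration, not code from the original post or from any password manager product) generates a password that is guaranteed to contain every required character class, reports its entropy, and scans a constructed sample vault for reused passwords. The site names and passwords in `SAMPLE_VAULT` are made up for the example.

```python
"""Added example: strong random passwords and reuse detection.

Illustrative code written for this article, not code from the original
post or from any password manager; SAMPLE_VAULT below is constructed.
"""
import math
import secrets
import string

# Character classes that every generated password must contain.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALPHABET = "".join(CLASSES.values())  # 86 distinct characters


def generate_password(length: int = 16) -> str:
    """Return a CSPRNG-generated password containing every character class.

    secrets.choice draws from the OS entropy source; random.choice uses a
    Mersenne Twister whose output is predictable from earlier outputs and
    must never be used for secrets. Drawing uniformly and rejecting
    candidates that miss a class keeps the distribution unbiased.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES.values()):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def find_reused(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map each password that appears on more than one site to those sites.

    Comparison is by exact value; a real password manager would also flag
    near-duplicates such as 'Winter2023!' versus 'Winter2024!'.
    """
    by_password: dict[str, list[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


# Constructed sample vault for the example (not real credentials).
SAMPLE_VAULT = {
    "bank.example": "Winter2023!",
    "shop.example": "Winter2023!",
    "mail.example": "correct-horse-battery-staple",
    "forum.example": "Winter2023!",
}

if __name__ == "__main__":
    pw = generate_password(16)
    print(f"new password: {pw}  (~{entropy_bits(len(pw)):.0f} bits)")
    for reused, sites in find_reused(SAMPLE_VAULT).items():
        print(f"password reused on {len(sites)} sites: {', '.join(sites)}")
```

A 16-character password drawn uniformly from this 86-character alphabet carries roughly 103 bits of entropy, far beyond what offline guessing can reach; the reuse scan is the check a password manager performs when it warns that one password is shared across several accounts.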
If you believe your credit card was compromised, call your issuing bank immediately. The majority of credit cards have a toll-free number printed on the back that lets you speak to an actual person and report any suspicious activity. They will likely cancel and re-issue the card right away to be safe. Time is of the essence, as most credit card thieves go on shopping sprees within the first few hours of stealing a card. Under US rules your liability for unauthorized credit card charges is capped at $50 (and issuers often waive even that if you ask), and you have 60 days from the statement date to dispute suspicious charges in writing. Debit cards are treated less favorably: you must report the loss within 2 business days to cap your liability at $50; report later than that but within 60 days and you can be liable for up to $500; report after 60 days and you can be liable for the entire amount taken. This is another reason why I strongly discourage use of debit cards. In either case, regularly monitoring your statements and immediately reporting suspicious activity are paramount.
A good next step is to place a fraud alert with one of the credit reporting bureaus: TransUnion (800-680-7289), Innovis (800-540-2505), Experian (888-397-3742), or Equifax (888-766-0008). When you place a fraud alert (also called a credit alert) with any one of the nationwide bureaus, that bureau is required to pass it on to the others, so one call is enough.
If you suspect your identity has been stolen, you may want to take the stronger step of a credit freeze (also called a security freeze). With a freeze in place, anyone you do not already do business with cannot pull your credit report or open an account in your name without your explicit authorization. Unlike a fraud alert, a freeze must be placed separately with each bureau, and each bureau issues you a PIN (or an online account) to lift the freeze temporarily when you need to apply for credit yourself. Follow that up with a formal identity theft report to the FTC at IdentityTheft.gov.
If you have had your identity or credit compromised, you may opt for a monitoring service such as LifeLock Ultimate Plus. This is not so much a preventative measure as an early warning service that scours the dark web for signs that your data is being traded or used by cyber thieves. The idea is that the faster you are alerted to suspicious activity, the faster you can react to protect your digital identity.
When Your Company Is Hacked
As much of a nightmare as it is to have your own identity stolen, having your company hacked can be a nightmare orders of magnitude greater. You are dealing not only with internal company data such as financials, emails and passwords, but also potentially with all of your customers’ data, so none of the required post-breach steps can be overlooked.
The first thing you need to do is reach out to your customers and alert them. In fact, breach notification laws require that you inform any customers whose data was compromised, generally within a set deadline. This can be difficult when the organization has not yet fully ascertained what has or has not been compromised, but it is more important to alert customers first so they can be prepared, and work out the details later. Early notice helps them avoid major financial damage and helps your company avoid future class action lawsuits. The initial alert should be followed up with a formal written data breach notification detailing all known compromised data and what to expect in the way of security responses and future correspondence.
Customer notifications should always clearly state what happened, how the damage has been contained, and what preventative actions have been put in place to stop it from happening again. If your company does not have a clear understanding of what happened, it should hire an outside cyber security firm to advise on the next crucial steps.
Laws vary from state to state on the level of transparency required as well as on obligations such as providing free credit monitoring. A breach large enough to require notifying more than a threshold number of residents (often 500 or 1,000, depending on the state) may also require filing a formal notice with your state attorney general’s office. Look within your industry to determine whether specific regulatory bodies require additional filings. For instance, under the HIPAA Breach Notification Rule, a breach affecting more than 500 residents of a state or jurisdiction requires notifying prominent media outlets serving that area, in addition to notifying HHS.
Companies should have an incident response plan, updated at least annually, that lays out the game plan for responding to a serious breach and lists the key contacts who need to be informed and who can provide assistance, including a third-party cyber security IT forensics group.
I recommend annual vulnerability assessments alongside penetration tests performed to identify vulnerabilities that in-house security and IT teams may overlook.
There may even be a need to notify federal authorities depending upon the scope of the breach and the industry you serve. With the aforementioned breaches affecting everyone, it is also prudent to further minimize risk by putting an effective cyber insurance policy in place. These policies become crucial after a significant breach as numerous legal expenses, forensic fees, customer credit monitoring fees are sure to follow.
This blog was originally posted on BMC.com