How To Protect Your Small Business Against A Data Breach How much does a data breach cost your business and what can you do about it?

By Sergey Ozhegov

Opinions expressed by Entrepreneur contributors are their own.

You're reading Entrepreneur Middle East, an international franchise of Entrepreneur Media.

Shutterstock

Data breaches are a growing threat, vitally important for companies of all sizes and trades. According to Gemalto, 1,792 incidents were recorded throughout the world in 2016, which led to the compromise of 1.4 billion data records, which is 86% higher than in 2015.

A study by IBM and the Ponemon Institute shows that in 2016 the average damage from a data leak incident escalated to a record US$4 million. According to the opinion poll of info-security professionals during SearchInform Road Show 2016, most often companies lose data about customers (25%), technical information (18%), documents containing commercial and trade secrets (18%), and personal data (15%).

It should be emphasized that the culprit of a data leak can be either an external attacker or an employee of the company. According to the recent Dell End-User Security Survey, 72% of employees are willing to share confidential information. In the financial sector, this percentage is the highest - 81%. At the same time, 65% of the respondents indicated that among other duties they must insure the protection of confidential data. Causes of data leakage vary: from negligence and inadvertence to mercenary motives and industrial espionage. Nevertheless, the Dell survey shows that most employees violate safety rules, sincerely believing that it helps their companies and makes their work more efficient. And this happens even though 63% of the interviewed employees have been trained to improve their knowledge and skills in the field of information security.

Effectively, it is impossible to ensure 100% protection against data leakage. Moreover, it is unwise to rely on the fact that employees understand and correctly evaluate all risks associated with data leakage. Therefore, it is worthwhile to consider in advance what a company should do in the event of a data breach incident. Here is a high-level plan for that:

1. Don't panic
The most negative situation is when you learn about a leak accidentally - from loyal customers or from the internet, for example. It means that your security system does not work at all or isn't properly configured. If you have an opportunity to investigate the incident in hot pursuit - when the DLP system quickly discovers that the outbound traffic contains confidential information, for example - there is still a chance to right the ship. First and foremost, restart, accelerate, change, or even cancel the decisions and the business processes associated with stolen information. These measures would save company's money and allow you to proceed with further actions: investigation and mitigation of consequences.

2. Identify the culprit of the leak
This step is necessary because it will help to prevent similar incidents in the future. In a small company, you can ask IT specialists to check corporate mail, proxy server logs, and other traceable gateways. In medium and large companies, there is no alternative to powerful search algorithms of DLP systems. A modern company works with overwhelming amounts of information each day, and it is impossible to analyse it manually. In addition to a DLP solution, access control system, SIEM and video surveillance systems would help to reconstruct the chain of events and conduct a full-scale investigation.

3. Identify the instigator
Once the insider is identified, the next step is to find out the end beneficiary. In the event of a purposeful leak of information, with substantial evidence against the insider it is usually easy to prompt the insider to come clean and uncover the instigator. Once you have the full picture of the incident, you could start mitigating potential consequences.

4. Understand the problem and assess the impact
What kind of information left the perimeter of the company? Commercial offers, financial plan, customer base? Or a few documents marked "strictly confidential"? Determining the boundaries and significance of the problem at this stage is very important. This will serve as a starting point for further action. What's better, solve the problem of one's own bat or engage the law enforcement? If the information is really important, and the only security tools you have are the passwords for the employees' PCs, it is better not to risk and get any help available. If there are experienced professionals working in the information security department of the company, then in most cases it is better to try to calmly sort it out on your own.

5. Mitigate the consequences
There is no magic pill that would solve all the problems associated with data theft and leakage. Such incidents are individual, and so are the consequences and mitigation measures. However, there are some broad guidelines:

  • Understand what other information, besides the leaked one, could be compromised.
  • Report the leak to the impacted party. That is especially important when there is a high probability that people will learn about the leak themselves. Besides, it helps the affected party take some action to protect themselves. So, make sure to inform them.
  • In case the information about the leak has become public, make sure to launch a PR campaign to diffuse the impact of the leak. If you don't have any PR specialists, hire an agency. Be open with the media and tell the audience about the measures that you're taking to prevent such situations in the future. This will show the customers that you care about them.

Related: Combating Cyber Crime: Your Company Needs To Be Resilient

Sergey Ozhegov

Chief Executive Officer of SearchInform

Sergey Ozhegov is a co-owner and the CEO of SearchInform, a technological information security company focusing on protection of business and government institutions against data theft and other harmful activities. He joined SearchInform in 2004, after graduating from the Faculty of Mechanics and Mathematics at Belarus State University, and spent several years working in sales and business development before he was promoted to the position of CCO in 2009, eventually becoming the CEO of the company in 2015. 

Growth Strategies

Sulaiman Abbar on Boxing, Business, and Building a Legacy in Saudi Arabia

"The principles I've learned in the gym carry over into the business world, allowing me to manage both with precision and purpose. This balance is something I hope others can relate to—finding what drives you and pursuing it without compromising other important aspects of your life."

Side Hustle

This 24-Year-Old's Creative Side Hustle Surpassed $1 Million in Sales: 'Definitely Doing Something Right'

Content creator and actor Alyssa McKay saw the perfect opportunity to innovate.

Business Ideas

63 Small Business Ideas to Start in 2024

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2024.

Starting a Business

The 5 Fears Every Entrepreneur Must Face — and Overcome

Entrepreneurship is full of fears, from failure to success. This article explores the five common fears entrepreneurs face and offers practical strategies to overcome them, turning obstacles into opportunities.

Entrepreneurs

Startup Spotlight: UAE-Based Lisan's AI-Powered Proofreading Platform Guarantees Error-Free Arabic Writing

The 12 products Alasadi alludes to aim to correct 12 specific types of errors, which include spelling, grammatical, morphological, semantic, and stylistic errors, as well as mistakes related to checking quotations and proper names.