Hackers are an insensitive breed, with no respect for violating other people’s finances and personal business dreams.

Like pickpockets stealing wallets, they steal usernames and passwords to get access to credit lines, bank accounts, and payment processors. Like con men, they look for data that will allow them to steal someone’s identity, using this stolen personal information to commit crimes. Like hijackers, they like to break into other people’s computers and then use these systems as a base to attack other computers online.

Why Hackers Target Small Businesses

Hackers like to target small businesses because they know that they probably don’t have virtualization security and can’t protect their data with the real-time response tools used by big companies.

A Forbes article by Pragati Verma covers one disturbing example of what can happen to a small business after a hacker attack:

“In January 2013, 80sTees.com was notified by Discover that cardholders that had used the 80sTees.com site had experienced suspicious transactions on their credit card accounts. An initial investigation by 80sTees.com didn’t find any evidence of intrusion, but the company later heard from Visa and MasterCard with the same concerns. Finally, they discovered that the personal data of thousands of customers had been put at risk.”

The attack, said CNBC, cost the small business $200,000. This six-figure loss does not include opportunity cost—the amount the company could not earn during the time its business services were frozen.

What Can Be Done?

After a security breach, emotions run high and it can be difficult to restore order. If your business experiences a security breach, the following five guidelines will give you a framework on how to handle the legal, technological, and public relations ramifications after an attack:

1. Investigate the crime.

Who did it? When? And how? It’s essential to get a comprehensive account of what happened, as well as deduce how the hackers got in, which computers they accessed, which accounts they looted, and who has been affected.

Like any crime, it’s sometimes difficult to recreate the scenario after a data breach. While it’s possible to get clues from a web host, a security company, and an Internet service provider, local law enforcement computer divisions and the FBI can also do a forensic analysis.

2. Get expert legal counsel immediately.

If you don’t have insurance, you will have to hire your own lawyer.

There are three reasons why you must get the best legal representation fast:

First, you will be under a legal obligation to inform all parties affected by the security breach.

Second, you will have to notify state authorities. Since it’s unlikely that your customers are only from one state, the breach will have affected customers nationwide. Since there is no federal agency to handle the security breach notifications, you will have to work through each of the different state laws.

Third, you may not get much sympathy from partners, vendors or customers. In many cases, the victims place the blame on the business for not having tighter security measures (even if this is not true). You may be faced with a barrage of liability lawsuits.

3. Be as transparent as possible.

It’s often tempting for business owners to downplay the extent of the breach to prevent the panic experienced by the victims—partners, employees, and customers. However, once the information leaks out, panic turns to rage, and this is often directed toward the small business.

It’s important to remember that at this critical stage, emotion prevails over logic. Although the business owner is also a victim, he or she is blamed for carelessness in implementing security measures and duplicity for not sharing exactly what happened and what is being done to fix the problem.

So, at this point, it’s important to communicate as early as possible. All follow-up communication also has to be done quickly, honestly, and as clearly as possible.

Here are the basic steps to ensure transparency:

  • Admit any fault and accept full responsibility.
  • Provide full details and explanations.
  • Summarize what happened in plain language, avoiding technical complexity.
  • Describe what steps are being taken to clean up the issue and what preventative steps are being taken to prevent this from happening in the future.
  • Create an open dialogue with all those affected, which includes expert legal and IT representation.

4. Clean up the mess.

After a breach, there is a mess to clean up. This may disrupt business operations and be expensive, but it can’t be avoided.

Common clean up processes may include:

  • Identify and take out breached computers.
  • Shut down the website and discontinue any other payment processing (for example, phone orders).
  • Reformat hacked computers.
  • Restore data from a clean backup.
  • Buy new computers if damage is too extensive.
  • Patch any flaws to the software being used.
  • Secure all accounts with new, complex passwords.

5. Restore your reputation and rebuild your infrastructure.

Make the technological and policy changes necessary to reassure all parties involved that this incident will not happen again. New policies should include employee training on security measures.

Protect and Prepare

Protecting sensitive data is not just an IT challenge, but also a business one. Small businesses need to protect their infrastructure against all possible threats and also prepare a data breach recovery plan.