It seems like every day consumers are learning of data breaches from companies like Sega, Sony and Google. Major corporations like these tend to have the funds and resources to recover from an attack, but for small businesses, that’s often not the case.
A slow response and lack of communication with customers are among the missteps many small businesses make when facing an attack, both of which can cause irreparable damage to the business.
“When consumers are a victim of ID fraud based on interaction with a small business, 1 in 3 never come back,” said Phil Blank, senior analyst for security and fraud at Javelin Strategy & Research.
While data breaches hitting major banks and corporations tend to dominate headlines, small businesses are increasingly becoming targets. Hackers like to prey on small businesses because computers and mobile phones tend to be used for both work and personal use, and many small businesses don’t have an IT staff monitoring and protecting operations.
According to Javelin, small business fraud totaled $8 billion in 2010. Of that, banks, merchants and other providers absorbed $5.43 billion of the loss while the cost to victims was $2.61 billion.
Although the first line of defense against an attack is to have proper procedures and policies in place, if an attack does happen, there are steps that need to be taken immediately to mitigate the impact. Experts advise that an owner’s first step should be to communicate with customers quickly.
“You don’t have a large amount of time between a hack and when you tell a client,” said Blank at Javelin. That doesn’t mean you have to tell clients within a day of it happening, but you shouldn’t wait a couple of months either. Blank said customers should be notified within a week of the hack. “If people know within a week they have the ability to do something about it.”
To ensure the small business communicates correctly with its customers, John Sileo, founder of ThinkLikeASpy.com and a professional identity theft speaker, said a small business owner should get professional help, whether it’s a privacy lawyer or a company that deals with data breach responses.
Each state has different laws and regulations pertaining to data breaches, and a data breach company will be well versed in the rules of each state. “This is too big for a small business to handle internally,” said Sileo. “They could end up making some legal choices without knowing it that can get them in hot water.”