5 Steps to Dealing with a Data Hack in Your Ecommerce Business
- Written by Dakota Murphey
Any kind of cyber security breach can be a serious problem for an ecommerce business. From startups to large corporations, any organisation can be the target of an attack. And if it’s successful you stand to lose sensitive data, money and your reputation. And it can be super costly. According to data compiled by Zurich, around a fifth of businesses hit with cyber-attacks lost more than £10,000 - and one in 10 lost more than £50,000. Acting quickly to reduce damage and prevent it happening again is essential if you’ve been hacked. So here are five steps to recovery following a business data breach.
- Establish if it’s a genuine hack
The first thing you need to understand is whether this is a real breach or just something that looks like one. It's essential that your business is able to distinguish between genuine hacking attempts and false alarms. But it's also unfortunately common that many forms of security software and technology generate thousands of alerts. Many of which can be phantom alarms, like this experienced by Windows users:
Sophos false positive detection ruins weekend for some Windows users https://t.co/8JOe2SOUmU via @CSOonline pic.twitter.com/DilHtH65I1
— Network Box USA, Inc (@NetworkBoxUSA) September 7, 2016
When staff see a huge number of security alerts (with many being ‘false positives’) they can overlook or miss genuine threats. So all security alerts need to be investigated, rather than to assume they are the product of an over-sensitive firewall. If there is a genuine breach you need to know about it as soon as possible, so take the time to look into the evidence behind a security alert and make an informed decision.
- Investigate the extent of the breach
In the event of a genuine breach of your IT network, you first need to spend time establishing exactly what happened. This can be a complicated and challenging process. But it's essential that you ascertain the extent to which your system was compromised, whether data was stolen and how the hack was able to occur. There are too many examples of companies announcing that they have been hacked – only to reveal days or weeks later that the extent of the hack wasn’t originally understood. This can lead to a business looking incompetent twice for the same incident. Equifax gained repeated bad PR for their infamous 2017 US data breach as they seemed to continuously revise the extent of the hack. They then had its one year anniversary noted across Twitter:
Over 145 million Americans had their personal data stolen by #Equifax hackers one year ago today. Families are watching their finances disappear and credit scores shrink as thieves continue to open phony accounts. https://t.co/wvXL1xYBwn
— Ron Wyden (@RonWyden) September 7, 2018
And it even resulted in new legislation being passed:
Tomorrow marks 1 year since @Equifax compromised the data of 148 million Americans. Like many people, I tried to freeze my credit after the hack. It was a difficult (& painfully boring) process. I introduced the FREE Act to let people access & freeze their credit file at no cost. pic.twitter.com/8bXPY5BXw9
— Elizabeth Warren (@SenWarren) September 7, 2018
- Use specialists to fix it
Your next step is to resolve the incident to ensure that the attack is stopped and its impact minimised. For smaller businesses and those that don’t have in-house incident response specialists on-hand, it's essential to get in contact with cyber security experts to help investigate and manage the incident and avoid exacerbating the situation. It may even be worth keeping a cyber security firm 'on retainer' if your business deals with particularly sensitive data. Benefits include:
- Saving on costs. Paying for in-house security teams or for someone to tidy up a breach after it occurs can be expensive.
- Vigilant monitoring. So you always have someone who's up-to-date on new vulnerabilities and security threats.
- Quick, expert reaction. If any breach does occur, you'll have a professional ready and waiting to quickly fix it.
Skilled cyber security professionals (such as London-based specialists Redscan) will be able to analyse the attack using the latest digital forensic techniques. This helps establish everything needed - from which systems and data have been compromised to the user accounts used to gain access to data.
4) Understand your GDPR responsibilities
With the General Data Protection Regulation (GDPR) in effect from May 2018, all companies that handle personal data relating to EU citizens need to comply with stricter rules surrounding how they process and protect that data:
In a nutshell: Companies need to take more responsibility for personal data they hold. And one of the key requirements is that they have to notify a relevant Data Protection Authority within 72 hours if there has been a breach that could pose a risk to individuals. If your organisation has suffered a breach and is unsure of its legal responsibilities to customers, clients or other business partners you should seek expert advice as soon as possible. No company is above the law – as it was revealed when Facebook were fined by the UK's ICO for data breaches:
"You've been found to have broken the law, in a very serious way."
Krishnan Guru-Murthy challenges Facebook after they were fined £500,000 for data breaches. pic.twitter.com/bBcE2mpmUU — Channel 4 News (@Channel4News) July 12, 2018
- Prevent it from happening again
After an attack, it is imperative that you learn from the incident and implement appropriate controls and procedures to mitigate the risk of it happening again. Don’t assume that just because you've been attacked once, it's unlikely to happen again. The number of cyber-attacks rises every year and your business is just as likely to be re-targeted. It may be the case that you need to invest in new systems, processes and/or personnel to help improve your organisation’s cyber security posture. Commissioning regular data security assessments, such as penetration testing, is a key way to understand your organisation’s vulnerabilities and tighten defences before they're targeted. Improving threat visibility through the use of the latest intrusion detection, behavioural monitoring and machine learning technologies is also important and can significantly enhance the speed and efficiency of incident response. What are your thoughts on cyber security for ecommerce sites? Have you ever experienced a data breach? If so, how did you recover? Let us know in the comments below.