(Editor’s note: Chris Drake is CEO and founder of FireHost, Inc., a secure Web hosting company. He submitted this story to VentureBeat.)
The holiday season is critical to any customer-focused business – this year, more than ever. For start-ups, it can literally be a matter of life and death. Online shopping is expected to grow notably this year – so if you find yourself a victim of hackers, the fate of your company is very much in the balance.
When critical customer data (such as credit card information) is compromised, you have a 48-hour window that's crucial to getting your business back online, on track, and on safe ground.
Should your company fall victim to hackers this year, there are two important things to remember: transparency and communication. It's not just about restoring your Web site to a secure state but also about restoring your customers' confidence to continue to shop with you.
Here’s how to handle things:
Step 1: Announce and assess (Timeframe: Immediately – 12 hours after the breach is discovered)
Immediately, get your site offline. Google has some specific recommendations regarding the best way to accomplish this.
Customers appreciate being notified as soon as possible, and they would rather hear it from you first. Plus, being the first to report the cybercrime lets you control the message. Concurrently, make a general public statement about what has happened and instruct all individuals (or companies) who have done business with your company to monitor their credit reports and banking statements for inconsistencies.
Deliver the statement to all concerned parties via email and make sure to train all customer-facing representatives with the appropriate dialogue. Here’s a concise and effective example from Balmar Incorporated.
Step 2: Conduct a deeper investigation (Timeframe: 12 hours – 36 hours+)
Computer forensic auditors, PCI representatives, governmental agencies and others may be involved in the process depending on the nature of your business.
Start by interviewing all personnel responsible for securing your environment and find out if they are aware of any known vulnerabilities. Next, begin reviewing log files with the following specific goals in mind: Identifying the date(s) of the breach, how many customers were compromised and what information was stolen.
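The log review described above can be scripted. This is an added example, not part of the original article: it flags any client IP that successfully read more than a set number of distinct customer accounts, then reports the dates, customers and data types involved. The log lines are constructed, and the `/account/<customer id>/<data type>` URL scheme and the threshold are assumptions to adapt to your own application.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (common log format); not from a real incident.
# The /account/<customer id>/<data type> URL scheme is an assumption.
SAMPLE_LOG = """\
198.51.100.7 - - [17/Dec/2024:09:12:01 +0000] "GET /account/1001/profile HTTP/1.1" 200 843
198.51.100.8 - - [17/Dec/2024:10:30:44 +0000] "GET /account/1002/card HTTP/1.1" 200 512
203.0.113.9 - - [18/Dec/2024:02:14:07 +0000] "GET /account/1001/card HTTP/1.1" 200 512
203.0.113.9 - - [18/Dec/2024:02:14:08 +0000] "GET /account/1002/card HTTP/1.1" 200 512
203.0.113.9 - - [18/Dec/2024:02:14:09 +0000] "GET /account/1003/card HTTP/1.1" 403 120
203.0.113.9 - - [19/Dec/2024:03:01:55 +0000] "GET /account/1004/address HTTP/1.1" 200 230
"""

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) \S+')
ACCOUNT_RE = re.compile(r"^/account/(\d+)/(\w+)")

def summarize_breach(log_text, max_accounts_per_ip=2):
    """Answer: which dates, how many customers, what data was read."""
    hits = defaultdict(list)  # ip -> [(date, customer, data_type)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, path, status = m.groups()
        acct = ACCOUNT_RE.match(path)
        if status != "200" or not acct:
            continue  # only successful reads of customer data count as exposure
        day = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").date().isoformat()
        hits[ip].append((day, acct.group(1), acct.group(2)))
    # A normal customer reads one account; many distinct accounts is suspect.
    suspects = {
        ip: rows for ip, rows in hits.items()
        if len({cust for _, cust, _ in rows}) > max_accounts_per_ip
    }
    rows = [r for ip_rows in suspects.values() for r in ip_rows]
    return {
        "suspect_ips": sorted(suspects),
        "dates": sorted({d for d, _, _ in rows}),
        "customers": sorted({c for _, c, _ in rows}),
        "data_types": sorted({t for _, _, t in rows}),
    }

if __name__ == "__main__":
    print(summarize_breach(SAMPLE_LOG))
```

Run it against copies of the logs taken in the backup step, not the live files, so the originals stay untouched for the forensic auditors.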
Step 3: Notifications and remediation (Timeframe: 36 hours – 48 hours – or as soon as you’ve pinpointed the problem)
Contact the police, FBI, and Attorney General with all the details you've compiled about the situation. This may sound severe, but forty-five states have enacted legislation that dictates who should be notified, and how, when personally identifiable information is leaked, and these governmental agencies will direct you on what information to divulge and what to keep private for their investigation. Government agencies are taking cybercrime very seriously these days. They want to help businesses curtail these events, so don't feel silly bringing in the agents.
Concurrently, start technically remediating the breach. The exact steps you take will depend on the nature of the compromise; however, these general rules of thumb almost always apply:
- Remove customer data from the compromised area of the database and move it to a separate, secure location.
- Back up your site, database and all log files. If possible, back up your entire server, including all operating system files. This helps forensics determine the nature of the breach.
- Perform a complete reinstall of the OS and your Web applications, and make sure to use the most updated software versions available.
- Reintroduce your Web site files to the hosting environment using a clean backup, free of any hacked content. Keep in mind, the only way to be 100 percent sure all affected code, links, comments, etc. have been removed is to rebuild the site from scratch. If speed is of the essence, restore from an encrypted site version saved prior to the breach.
- Change your password scheme. Believe it. Most hacks result from weak or conspicuous user logins and password credentials, so start fresh with a new scheme and separate logins for each service – FTP, control panel, software admin, email.
- Run third-party vulnerability scans on your site. WhiteHat Security offers a SaaS solution that will uncover vulnerabilities that need to be shored up before re-launching your site.
Step 4: Relaunch
When you’re confident the site is secure and all vulnerabilities have been patched, launch and resubmit your site to search engines in the appropriate way so it’s crawled again ASAP.
Step 5: Communicate
You've worked hard to get your site secure and back online. It's now time to tell your customers about the efforts you've taken and that ensuring the security of their information is your number one priority. You need not only to communicate the breach honestly and transparently but also to confidently affirm that their information is protected to the best of your abilities. This final communication is what determines if your customers are ever going to buy from you again.
Step 6: Prevention – and “the aftermath”
Even after your Web site is back online and business has returned to normal, your work is not done.
You'll be facing fines, payment card industry probation, forensic audits and remediation. It's not uncommon for even the smallest of businesses to rack up five- or six-digit expenses between penalties and legal fees. Forrester Research estimates that mitigation will cost an average of $200 for each person/credit card account that is compromised.
In reality, the unanticipated financial expense and "negative time" invested in remediating a security breach (especially during a peak selling period like the holidays) could be enough to squelch your start-up's chance of ever becoming a successful medium-size or large enterprise. That's why it's extremely important to focus your limited and precious resources wisely.
Protecting your Web site may seem like a hefty cost up front, but if it’s where you do business, it could be a life-saving investment. Get your site prepared for the worst-case scenario, so you have one less stress weighing on you this holiday season.