What to Do When You've Been Hacked

Your response to a data breach can make or break your company's reputation. Five steps to take if your cyber security has been compromised.

Written by Murad Hemmadi

Businesses of all sizes and in all sectors have found themselves at the mercy of cyber criminals of late. High-profile hacks (think Target and Ashley Madison) have opened the eyes of companies and consumers to the fact that data breaches are all too common.

Small businesses have become particularly popular targets for hackers, so now would be a good time to revisit your cyber security measures. But what if it’s already too late? Recently, we asked crisis management and cyber security experts how to deal with the fallout from a data breach. Here are some of our favourite responses.

Focus on your customers

“You can absolutely win your customers back, but it’s what you do in the immediate aftermath of the data breach that’ll determine whether they want to have a relationship with you later on. You have to very clearly demonstrate what improvements you’ve made to your processes that ensure you’re not going to have another leak. And avoid making hasty promises. If you’re certain you can deliver on the promise, that’s fine. If the promise you’re making is really what you hope you can do, that’s not good. A promise you don’t deliver on is worse than not making one at all.”
—Jane Shapiro, SVP, national practice leader, Hill+Knowlton Strategies, Toronto

Dust off your crisis plan

“For small businesses, we recommend reviewing the crisis plan annually. There are three key components to any well-thought-out plan. Number one, you need excellent scenario forecasting. You need to be able to look ahead and identify where risks are coming from, and the probability of those risks materializing. After you’ve done that, you need to plan for what you do in that event and establish a chain of command. The last component is how you communicate the situation to the affected group. You’re trying to put some context around what’s going on, which is a lot different than minimizing it. Generally, people reject that. Ultimately, the aim is to allow customers and stakeholders the opportunity to contextualize the information on their own terms, and come to their own conclusions.”
—John Larsen, executive vice president, national practice lead, crisis & reputation risk, Edelman, Calgary

Alert the authorities

“When a data breach happens, the first thing you should do is notify the privacy commissioner in your province, since the federal Digital Privacy Act requires you to do so. There’s also a provision that allows you to work with the privacy commissioner on how to deal with the actual event. If you’re part of a large organization, you’re going to have to get legal representation to deal with potential lawsuits. Law firms specializing in privacy would have all the tools and processes in place. They’ll find out exactly how the breach happened, and who’s affected by it.”
—Victor Beitner, CISSP, President, Cyber Security Canada, Toronto

Craft your message

“Organizations have to understand which clients have been affected, and divide that list into groups. You’re going to have internal employees, business partners or stakeholders who will need a different message than clients and the general public. You want to make sure the message is tailored and focused based on the audience that you’ll be reaching out to. You also want to ensure you’re using the right vehicles to get that message out there. It could be a page on your website, or an update on social media. Some companies take a full-page ad in the newspaper. Ensure you understand your audiences’ needs and the best way to communicate with them.”
—Kevvie Fowler, partner, advisory services, forensic, KPMG, Toronto

Build defenses for next time

“Unfortunately once a breach is made, realistically, there’s very little that can be done to stop the bleeding. Focus on moving forward. You should re-evaluate steps and procedures, and figure out how to remove security risk for the future. It doesn’t take long if you engage an experienced data provider. Most businesses spend a significant amount of money on a one-time security investment and fail to continue updating it. We tell our clients to review once a year. That is the bigger challenge compared to the short-term goal of stopping the bleeding.”

—Erez Zevulunov, president, M.I.T. Consulting, Toronto

• • • • •

This article is from the December 2015 issue of Canadian Business.



Originally appeared on