Small business advice: How to create a cybersecurity emergency plan

Every other week, On Small Business reaches out to a panel of young entrepreneurs for answers to some of the most pressing questions facing small business owners. The following responses are provided by members of the Young Entrepreneur Council (YEC).

Q: Does your company have a plan to handle a network breach or loss of customer and employee data? If so, what does it entail?

Raphael Ouzan, CTO and founder of BillGuard in New York, N.Y.

“A common misconception is that putting up defense to close security vulnerabilities is enough. But the nature of the problem at hand is such that there will never be a system that cannot be penetrated. Every software from the operating system layer up to the application layer can be tampered with, given the appropriate resources.

This is why, after reinforcing your cybersecurity defense, the focus should shift to monitoring and alerting. In most cases, you need to cope with significant up-front investments to enable tracking and alerting to irregularities in network and data activity. At the time of a breach or a loss of data, this monitoring information will be the key factor determining your ability to even be aware of the problem, let alone pinpoint the issue.

Rare are the companies that actually take the time to set up a plan for such extreme events. However, reaction time is what often determines the gravity of the incident and the resulting brand damage. A good disaster recovery plan should provide a clear procedure to pinpoint and close the vulnerability in question, including the involvement of third-party security experts ready to jump in when needed. It should also provide a well thought out disclosure plan to partners and customers.

Even when the data breach is communicated quickly, companies often fail to provide meaningful information to protect consumers. That’s why BillGuard has built technology to identify merchants that have recently suffered a breach and proactively alert customers to the steps they need to take to protect themselves from potential identity theft or financial loss.”

Matthew Ackerson, founder of Saber Blast in New York, N.Y.

“At PetoVera and, we’re unique because we do not have a formal plan in place, nor do we expect to implement one in the future. This is because if there ever were a breach, we would respond in accordance with the principles that connect our core values to our actions.

For instance, one of our core values is “Productive Fun” and a principle attached to that is “Be transparent.” Our response would likely come in the form of (1) informing clients via email and phone, (2) posting ongoing updates on our blog, until (3) all security holes had been patched, at which time we would send a final email to our clients. The final email would explain openly what happened and what had been done to fix it. Action and response, especially when it comes to a security breach (which can be publicly embarrassing to admit fault for) should always be directed by a strong set of principles.

If you have a culture at your company that is committed to a core guiding philosophy, drafting lengthy policy plans and documentation isn’t necessary — and should philosophy ever fail, we also back up our data multiple times, in multiple places!”

Matt Mickiewicz, co-founder of in Vancouver, Canada

“Absolutely, we have a plan. We were burnt on this shortly after we launched. Fortunately, we were a lot smaller back then. We now give great focus to this sort of planning, which puts us in a good position for our current growth trajectory. It loosely involves:

1. Shutting down the breached system

2. Assessing the extent of the breach

3. Defining who will be contacted when a breach is suspected of occurring (everyone from management and law enforcement through to impacted customers depending on the severity of the breach)

4. Identifying the cause of the breach

5. Closing the vulnerability

6. Testing then restoring the system where possible.

We drafted our plan based on industry best practices. We’ve invested heavily in policies and processes that reduce the chances of this happening and have consistent monitoring to expedite the identification of a breach so as to minimize its impact.”

Re-posted from the Washington Post.