
What to do when your company has been hacked

Data breaches are increasingly a fact of life for businesses. How you respond can make or break your company’s reputation.


Every business can and should take steps against data security breaches, but mistakes and errors happen. No one can fully eliminate the risk, but you can reduce it as much as possible and plan to mitigate problems when they inevitably occur. We asked a team of experts for their advice on dealing with a damaging hack:


Dust off your crisis plan

“For small businesses, we recommend reviewing the crisis plan annually. There are three key components to any well-thought-out plan. Number one, you need excellent scenario forecasting. You need to be able to look ahead and identify where risks are coming from, and the probability of those risks materializing. After you’ve done that, you need to plan for what you do in that event and establish a chain of command. The last component is how you communicate the situation to the affected group. You’re trying to put some context around what’s going on, which is a lot different than minimizing it. Generally, people reject that. Ultimately, the aim is to allow customers and stakeholders the opportunity to contextualize the information on their own terms, and come to their own conclusions.”

John Larsen, executive vice president, national practice lead, crisis & reputation risk, Edelman, Calgary

Alert the authorities

“When a data breach happens, the first thing you should do is notify the privacy commissioner in your province, since the federal Digital Privacy Act requires you to do so. There’s also a provision that allows you to work with the privacy commissioner on how to deal with the actual event. If you’re part of a large organization, you’re going to have to get legal representation to deal with potential lawsuits. Law firms specializing in privacy would have all the tools and processes in place. They’ll find out exactly how the breach happened, and who’s affected by it.”

Victor Beitner, CISSP, President, Cyber Security Canada, Toronto

Craft your message

“Organizations have to understand which clients have been affected, and divide that list into groups. You’re going to have internal employees, business partners or stakeholders who will need a different message than clients and the general public. You want to make sure the message is tailored and focused based on the audience that you’ll be reaching out to. You also want to ensure you’re using the right vehicles to get that message out there. It could be a page on your website, or an update on social media. Some companies take a full-page ad in the newspaper. Ensure you understand your audiences’ needs and the best way to communicate with them.”

Kevvie Fowler, partner, advisory services, forensic, KPMG, Toronto

Build defenses for next time

“Unfortunately, once a breach is made, realistically, there’s very little that can be done to stop the bleeding. Focus on moving forward. You should re-evaluate steps and procedures, and figure out how to remove security risk for the future. It doesn’t take long if you engage an experienced data provider. Most businesses spend a significant amount of money on a one-time security investment and fail to continue updating it. We tell our clients to review once a year. That is the bigger challenge compared to the short-term goal of stopping the bleeding.”

Erez Zevulunov, President, M.I.T. Consulting, Toronto

Focus on your customers

“You can absolutely win your customers back, but it’s what you do in the immediate aftermath of the data breach that’ll determine whether they want to have a relationship with you later on. You have to very clearly demonstrate what improvements you’ve made to your processes that ensure you’re not going to have another leak. And avoid making hasty promises. If you’re certain you can deliver on the promise, that’s fine. If the promise you’re making is really what you hope you can do, that’s not good. A promise you don’t deliver on is worse than not making one at all.”

Jane Shapiro, SVP, national practice leader, Hill+Knowlton Strategies, Toronto
