Yahoo revealed last year that the company had experienced a major customer data theft in 2013. Potentially one billion accounts were impacted, according to CNN Money. This announcement came just three months after the New York Times reported data from at least 500 million Yahoo accounts was stolen in a separate breach. FBI officials think the second attack originated with a successful spear phishing email to a Yahoo employee, according to tech news site Ars Technica.
As a result of the Yahoo phishing attack and stolen data, the company's reputation took a major hit. When Verizon eventually acquired it, the deal closed for $350 million less than the original sales price, Bloomberg Technology reports.
If a company falls victim to an email phishing scam, it can be expensive to remedy, both for the company and for its IT consultant. Let's see how you can help your clients recover from a cyberattack and protect your business from the fallout.
1. Create a Game Plan in Advance for Handling Client Breaches
Phishing attacks and potential data breaches are a very real threat for any business, no matter how small. That's why it's important to discuss breaches with clients – before they happen. (Related reading: "Why Protecting Your Clients against a Phishing Attack Is Good for Your Bottom Line.")
"Service providers can certainly find themselves front and center during a breach, whether or not they were cause to it," says Pelletier, cofounding partner of cybersecurity firm Pondurance.
He recommends putting together a data breach strategy in advance with all new clients so you're both ready when the worst happens.
"It's always a good idea for the parties to war-game potential breach scenarios together. That way they understand how they can collaborate to resolve such issues rather than creating defensive positions," says Pelletier.
Norton agrees with taking the time to assess the potential risk not only for customers, but for your IT firm as well.
"Today's IT firms need to be thorough when dealing with cybersecurity," says Norton. "Possibly the best way to protect your IT business is to do a proper risk assessment. A risk assessment includes the customer principals and stakeholders. By documenting each foreseeable risk, classifying data, and documenting customer decisions on risk acceptance and mitigation, you will show due care in protecting your customer."
That legwork can bolster your defense if you're sued over a client's breach.
2. Understand How Clients May Respond to a Cyberattack
Your clients may not be major companies like Yahoo, which means a cyberattack can be even more devastating for them. Small businesses don't have the deep pockets, and if they get breached, it could put them out of business.
Let's say your client experiences a data breach as a result of phishing email. Depending on the data stolen, it could cause serious damage. (Related reading: "What Is Phishing and How Has It Evolved?")
"For a customer, the fallout of a breach can be anywhere from a tarnished reputation or bad press to federal fines and restitution, depending on the type of data and information disclosed," says Norton, part owner of TelStrong Business Communications (@telstrong), a managed IT services business.
If this is the first time a customer has been phished, it could be a shock for them.
"We often help clients for the first time after they experience a breach, which can certainly be an eye-opening experience for them," says Pelletier.
Pelletier says what happens next depends on how extensive the damage is.
"The fallout for them can vary from mild embarrassment to the prospect of shutting their doors if the issue is severe enough," says Pelletier. "That's how vast the fallout can be. Fines and penalties can be substantial, but from a business perspective, I think that trust and possible market share is the greatest liability a company can experience. Losing a customer not only hits the bottom line – it can sometimes prevent prospects from trusting you with their business."
3. Help Clients Assess and Contain the Aftermath
If a client is breached, your first step is to assess the situation. From there, it's important to keep your client focused on resolving the situation as quickly as possible. Only once you've stopped the data leak should you try to determine the breach's origin, cautions Pelletier.
"Oftentimes the most valuable part of our initial engagement is bringing order to chaos and moving the organization from disbelief to action," says Pelletier. "We have to get them past their immediate desire to know what happened and what was affected and get them to focus on containing the incident to prevent further damage. This is not easy, particularly when they know the potential legal and regulatory fallout can be substantial, but understanding the full scope of the incident and containing it must first be addressed. Otherwise, a recurrence of, or further damage to, the same issue is not only likely – it is almost assured."
Once that's taken care of, Norton says it's important to document exactly what happened.
"After the breach, the best thing to do is have someone capable of incident response," says Norton. "A cybersecurity professional will be able to secure evidence so that an investigation can be carried out."
4. Carry Cyber Liability Insurance in Case You're Sued
One unfortunate aspect of a client's data breach is that you may get blamed for it, even if it's not your fault. If a client sues, the third-party Cyber Liability Insurance (usually included in your Errors & Omissions Insurance) can help pay for your legal defense.
To mitigate your risk of a cyber liability lawsuit, though, educate your customers about the steps they can take to protect their business from cyberattacks. Feel free to share our eBook Small Business Guide to Identity Theft Prevention and Data Security with them. It is designed for small-business owners and offers pointers on how they can protect their data.
About the Contributors
Mark Norton is part owner of TelStrong Business Communications. Mark partners with small- to medium-business owners in the Dallas / Fort Worth area to provide a secure, efficient, and agile computing environment. With almost 30 years in the IT industry, Mark is a security evangelist who specializes in explaining technical issues to non-technical individuals. TelStrong Business Communications is an MSSP that provides small and medium businesses with security, infrastructure, desktop / server and voice solutions.
Ron Pelletier is a recognized security leader known for developing pragmatic and precision-based security and risk management solutions for organizations on a global scale. He is a partner with Pondurance, LLC, a leading information security services provider based in Indianapolis. Ron is certified in multiple disciplines relating to information and asset protection, including Certified Information Systems Security Professional (CISSP), Certified Business Continuity Professional (CBCP), Certified Information Systems Auditor (CISA), Certified Computer Forensics Examiner (CCFE), and Certified Ethical Hacker (CEH).