What Should You Do When a Security Incident isn’t Obvious?


When it comes to managing your small business, things are supposed to be simple, right? You're not managing employees and customers on a corporate scale. But sometimes something small just seems off: a login from a place where nobody works, a file downloaded at an odd hour, an admin setting that got changed, or a spreadsheet export that doesn't match the usual pattern. Each of these seems small enough on its own, right?

The trickiest part is that most security incidents don't start with giant red flags. Sometimes they do, but usually it's breadcrumbs: small, easy to miss, and easy to explain away. A small business can't afford to shrug at breadcrumbs, because one ignored breadcrumb turns into a very long week.

You Need to Start with “What Changed?”

When a security issue isn't obvious, the first job isn't assigning blame; there's no time for that, and treating the situation like a mystery novel is the fastest way to waste the time you have. The first job is simply to figure out what actually happened.

Which account logged in, which device was used, which location showed up, which file was touched, which export happened, which permission got updated: all of these need to be checked. It's natural to jump straight to "Who did this?", but for the time being you're better off asking "What happened, in what order, across which systems?" That question can be answered from the logs, and it keeps things calmer.

Can You Lock Down Access?

If you can, that's ideal. The next step is containment, to whatever extent you're able. Some of it is straightforward: reset passwords for impacted accounts, turn on multi-factor authentication if it isn't already, revoke active sessions (a password reset does not necessarily end sessions that are already logged in), and review who has admin access. Do it in a way that doesn't accidentally knock out payroll, customer support, or point-of-sale tools.

This is also where small businesses get tripped up, because there's usually one person who "knows all the logins," and that person is also doing ten other jobs.

Try and Build the Timeline ASAP

The most important thing, and the part people skip when they're stressed, is documenting a timeline immediately. Pull the login logs, export history, file access records, email forwarding rules, and any alerts from whatever security tools are in place.

Save screenshots or exports of what you're seeing, because logs age out and dashboards change, and nobody wants to argue later about what was visible on what day. If you use eDiscovery technology for your business, the scavenger hunt gets easier, because you and your team can search files across multiple platforms to build context. Do all of this as soon as possible, because memories get fuzzy, and fuzzy memories turn into "I don't know", "I don't remember", or simply the wrong piece of information.

Figure Out What Was Accessed

Suspicious logins matter, but they're not the whole picture. The real business risk is what that access enabled. Were customer lists downloaded? Were invoices exported? Were contracts opened? Were internal documents accessed? Were password reset emails triggered? Were new inbox rules created? Did an account grant itself more permissions? It's tedious, but it has to be checked, because the answers decide what you must treat as compromised and who you may have to notify.
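As an added example (not code from the original article), the script below does the two things the last sections describe: it merges records from several systems, each in its own format, into one timeline ordered by time, and then applies the indicators listed above (login from an unexpected place, export outside business hours, a new inbox rule forwarding mail externally, an account granting itself a role). It also serialises the timeline and hashes it, so the record of "what was visible" can be preserved before logs change. All log records are constructed, and the field names, the business's domain, the expected countries and the business-hours window are assumptions, not any vendor's schema.

```python
"""Merge records from several systems into one timeline and flag the
indicators discussed above. Sample records are constructed; field names,
domains and thresholds are assumptions, not any vendor's log schema."""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import json

INTERNAL_DOMAIN = "example.com"      # assumption: the business's own mail domain
EXPECTED_COUNTRIES = {"US"}         # assumption: where staff actually work
BUSINESS_HOURS = range(7, 20)       # assumption: 07:00-19:59 UTC is "normal"

# Constructed sample records, one list per source, each in its own schema.
AUTH_LOG = [
    {"time": "2024-03-04T14:02:00Z", "user": "alice@example.com", "country": "US", "result": "success"},
    {"time": "2024-03-05T02:13:00Z", "user": "alice@example.com", "country": "RO", "result": "success"},
]
FILE_LOG = [
    {"timestamp": "2024-03-04T15:10:00Z", "actor": "alice@example.com", "action": "open", "object": "Q1-invoices.pdf"},
    {"timestamp": "2024-03-05T02:20:00Z", "actor": "alice@example.com", "action": "export", "object": "customers.xlsx", "rows": 4200},
]
MAIL_LOG = [
    {"when": "2024-03-05T02:16:00Z", "mailbox": "alice@example.com", "event": "InboxRuleCreated", "forward_to": "drop@mail.example.net"},
]
ADMIN_LOG = [
    {"ts": "2024-03-05T02:18:00Z", "by": "alice@example.com", "change": "RoleAssigned", "target": "alice@example.com", "role": "Admin"},
]


@dataclass
class Event:
    ts: datetime   # always timezone-aware UTC after normalisation
    source: str
    actor: str
    summary: str
    raw: dict


def _parse(ts: str) -> datetime:
    # Every source is normalised to aware UTC; without that, ordering across systems is meaningless.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def build_timeline(auth=AUTH_LOG, files=FILE_LOG, mail=MAIL_LOG, admin=ADMIN_LOG) -> list:
    """Normalise each source's records into Event objects and order them by time."""
    events = []
    for r in auth:
        events.append(Event(_parse(r["time"]), "auth", r["user"], f"login {r['result']} from {r['country']}", r))
    for r in files:
        events.append(Event(_parse(r["timestamp"]), "files", r["actor"], f"{r['action']} {r['object']}", r))
    for r in mail:
        events.append(Event(_parse(r["when"]), "mail", r["mailbox"], f"{r['event']} -> {r.get('forward_to', '')}", r))
    for r in admin:
        events.append(Event(_parse(r["ts"]), "admin", r["by"], f"{r['change']} {r['role']} to {r['target']}", r))
    return sorted(events, key=lambda e: (e.ts, e.source))


def flag(events: list) -> list:
    """Apply the indicators from the article: unexpected login location,
    off-hours export, inbox rule forwarding externally, self-granted role."""
    findings = []
    for e in events:
        r = e.raw
        if e.source == "auth" and r["result"] == "success" and r["country"] not in EXPECTED_COUNTRIES:
            findings.append((e, f"login from unexpected country {r['country']}"))
        if e.source == "files" and r["action"] == "export" and e.ts.hour not in BUSINESS_HOURS:
            findings.append((e, f"export of {r['object']} outside business hours"))
        if e.source == "mail" and r["event"] == "InboxRuleCreated":
            dest = r.get("forward_to", "")
            if dest and not dest.endswith("@" + INTERNAL_DOMAIN):
                findings.append((e, f"inbox rule forwards mail to external address {dest}"))
        if e.source == "admin" and r["change"] == "RoleAssigned" and r["by"] == r["target"]:
            findings.append((e, f"account granted itself role {r['role']}"))
    return findings


def snapshot(events: list) -> tuple:
    """Serialise the timeline as seen and hash it, so the saved record can later
    be shown to be the same one that was collected."""
    body = json.dumps([{"ts": e.ts.isoformat(), "source": e.source, "actor": e.actor,
                        "summary": e.summary, "raw": e.raw} for e in events],
                      sort_keys=True, indent=1)
    return body, hashlib.sha256(body.encode()).hexdigest()


if __name__ == "__main__":
    timeline = build_timeline()
    for ev in timeline:
        print(ev.ts.isoformat(), ev.source.ljust(5), ev.actor, ev.summary)
    for ev, why in flag(timeline):
        print("FLAG", ev.ts.isoformat(), why)
    print("timeline sha256:", snapshot(timeline)[1])
```

Run as a script it prints the six events in time order, then four flags: the 02:13 login from RO, the 02:16 forwarding rule, the 02:18 self-granted role, and the 02:20 export, which is exactly the "what happened, in what order, across which systems" view the text asks for. Write the `snapshot` body to a file alongside its digest when you save your evidence; the digest is what lets you show later that the saved timeline is the one you collected.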