Plan of Attack
Shoring up your business against ransomware and cyberattacks
Your small business might be able to withstand one strong gut punch, but two? If your business isn’t taking cybersecurity seriously, then that’s likely what you’re setting yourself up for, according to new research from the Boston-based cybersecurity firm Cybereason that paints an alarming picture of the threat facing businesses.
Cybereason’s survey found that 80% of cyberattack victims who gave in to ransom demands eventually faced another attack, and 46% still lost some or all of their data because it had been corrupted. The survey polled 1,263 cybersecurity professionals in a number of industries from the United States, United Kingdom, Spain, Germany, France, United Arab Emirates and Singapore.
Last year alone, the FBI’s Internet Crime Complaint Center received 2,474 complaints identified as ransomware, with adjusted losses exceeding $29.1 million, an increase of 225% over the prior year, according to the agency.
For every headline-making attack such as those on Colonial Pipeline and the meat-processing company JBS, there are countless attacks noticed only by small businesses and their customers. Ransomware attacks on businesses happen every 11 seconds on average, with global damages projected to reach $20 billion this year, according to Cybereason.
Other key findings from the survey include:
- 81% of respondents are "highly" or "very" concerned about ransomware attacks
- 66% of organizations reported a significant loss of revenue following a ransomware attack
- 35% of businesses that paid ransom spent between $350,000 and $1.4 million, while 7% paid even more
- 53% indicated that their brand and reputation were damaged by a successful attack
- 32% reported losing C-Suite talent, either by firing or resignation, due to ransomware attacks
- 29% reported being forced to lay off employees following a ransomware attack
- 26% said a ransomware attack forced the business to close down at least temporarily
Ed Graves, the SPFA’s cybersecurity expert, said the threat to member companies extends beyond the typical denial-of-service attack, in which companies lose access to their data and must pay ransom in cryptocurrency to get it back. Graves, owner of the Maryland-based cybersecurity firm EG2 Digital, said hackers search files for embarrassing information about the business or its executives and then blackmail them to keep it secret.
In some cases, hackers send fictitious invoices to a business’s clients with special instructions on how to pay them, Graves said.
"There’s an all-out war going on," Graves said. "The problem is multifaceted, but it really boils down to a lack of data protection. A lot of small and midsized businesses aren’t even aware that their business ID is being stolen and replicated in the same way that a person’s identity can be stolen and replicated, and hackers are using that information to really disrupt business practices. This issue affects every industry, from big companies down to the mom-and-pop shop."
The threat to SPFA members and other small businesses is persistent and growing, but there are many steps they can take to help shield themselves from cyberattacks. Here are the top 10 tips from the Federal Communications Commission:
- Educate employees about the threat. Establish basic cybersecurity practices and policies for workers, such as requiring strong passwords, and create internet usage guidelines that include penalties for violating cybersecurity policies. Establish rules for how to handle and protect customers’ vital data. Train employees to recognize phishing scams that send fake emails to workers encouraging them to click on a link.
- Establish a defensive perimeter. Keep machines clean by having the latest security software, web browser and operating system. Set antivirus software to run a scan after each update. Install other key software updates as soon as they’re available.
- Provide firewall security for your internet connection. A firewall prevents hackers from accessing data on a private network. Make sure the operating system’s firewall is enabled, or install free firewall software available online. If employees work from home, be sure their home systems are protected by a firewall.
- Create a mobile-device action plan. Mobile devices create significant security and management challenges, especially if they contain sensitive information or can access the corporate network. Require workers to password-protect their devices, encrypt their data and install security apps to prevent hackers from stealing data while phones or laptops are on public networks. Be sure to establish reporting procedures for lost or stolen equipment.
- Create backup copies of important business information. Regularly back up the data on all computers, including word-processing documents, spreadsheets, databases, financial files, human resources files and accounts receivable/payable files. If possible, back up data automatically, or at least weekly, and store the copies either offsite, on an external hard drive or in the cloud.
- Control physical access to your computers, and create user accounts for each employee. Prevent access to business computers by unauthorized people. Laptops are attractive targets for thieves or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee, and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.
- Secure your Wi-Fi networks. Make sure your workplace Wi-Fi network is secure, encrypted and hidden. To hide it, set up your wireless access point or router so it doesn’t broadcast the network name, known as the Service Set Identifier (SSID). Password-protect access to the router. Make sure it offers WPA2 or WPA3 encryption and that it’s turned on.
- Employ best practices on payment cards. Work with banks or payment processors to ensure the most-trusted tools and antifraud services are being used. Businesses may also have additional security obligations pursuant to agreements with their banks or processors. Isolate payment systems from less-secure programs, and don’t use the same computer to process payments and browse the internet.
- Limit employee access to data and information, and limit the authority to install software. Don’t give any one employee access to all data systems. Employees should only be given access to the specific data systems needed for their jobs and shouldn’t be able to install any software without permission.
- Be vigilant about passwords and authentication. Require employees to use unique passwords, with a mix of numbers, capital letters, lowercase letters and special characters, and change passwords every three months. Consider implementing multifactor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account.
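The backup tip above is the one on the list that most directly blunts a ransomware attack, but a backup only helps if it exists, is recent, and has not itself been corrupted. The following script is an added example written for this article; it is not code from the FCC, the SPFA or EG2 Digital. It creates a dated archive of a data folder, records a SHA-256 checksum so corruption can be detected, confirms that every file in the archive still matches the original, and checks that the newest backup is no older than the weekly interval the tip suggests. The directory names, file names and the `run_demo` sample data are all constructed for the example.

```python
"""Added example: weekly backup with integrity and freshness checks (not from the article)."""
import hashlib
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

TIMESTAMP_FMT = "%Y%m%dT%H%M%SZ"  # UTC timestamp embedded in each archive name


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source_dir: Path, backup_dir: Path, when: datetime = None) -> Path:
    """Archive source_dir into backup_dir and write a .sha256 checksum beside it."""
    when = when or datetime.now(timezone.utc)
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"backup-{when.strftime(TIMESTAMP_FMT)}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source_dir, arcname=source_dir.name)
    # Checksum sidecar: store a second copy of it offsite so ransomware on this
    # machine cannot quietly replace both the archive and its checksum.
    (archive.parent / (archive.name + ".sha256")).write_text(sha256_file(archive))
    return archive


def verify_backup(archive: Path) -> bool:
    """True only if the archive matches its recorded checksum and is a readable tarball."""
    manifest = archive.parent / (archive.name + ".sha256")
    if not manifest.exists() or sha256_file(archive) != manifest.read_text().strip():
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            tar.getmembers()
    except (tarfile.TarError, OSError, EOFError):
        return False
    return True


def restore_matches(archive: Path, source_dir: Path) -> bool:
    """Restore test: every file in the archive hashes identically to the live copy.

    Members are read straight from the tarball, so nothing is written to disk.
    """
    expected_files = sum(1 for p in source_dir.rglob("*") if p.is_file())
    matched = 0
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            relative = Path(member.name).relative_to(source_dir.name)
            original = source_dir / relative
            if not original.is_file():
                return False
            data = tar.extractfile(member).read()
            if hashlib.sha256(data).hexdigest() != sha256_file(original):
                return False
            matched += 1
    return matched == expected_files


def _archive_time(archive: Path) -> datetime:
    stamp = archive.name[len("backup-"):-len(".tar.gz")]
    return datetime.strptime(stamp, TIMESTAMP_FMT).replace(tzinfo=timezone.utc)


def backups_are_fresh(backup_dir: Path, max_age: timedelta = timedelta(days=7),
                      now: datetime = None) -> bool:
    """True if the newest backup is no older than max_age (weekly by default)."""
    now = now or datetime.now(timezone.utc)
    archives = list(backup_dir.glob("backup-*.tar.gz"))
    if not archives:
        return False
    newest = max(_archive_time(a) for a in archives)
    return now - newest <= max_age


def run_demo() -> dict:
    """Exercise the checks on constructed sample data in a temporary directory."""
    root = Path(tempfile.mkdtemp())
    source = root / "books"
    source.mkdir()
    (source / "ledger.csv").write_text("date,amount\n2024-01-02,100\n")      # constructed
    (source / "payroll.txt").write_text("constructed sample payroll file\n")  # constructed
    when = datetime(2024, 1, 7, tzinfo=timezone.utc)
    archive = create_backup(source, root / "backups", when=when)
    results = {
        "archive_name": archive.name,
        "verified": verify_backup(archive),
        "restore_ok": restore_matches(archive, source),
        "fresh_after_3_days": backups_are_fresh(root / "backups", now=when + timedelta(days=3)),
        "fresh_after_10_days": backups_are_fresh(root / "backups", now=when + timedelta(days=10)),
    }
    with open(archive, "ab") as handle:   # simulate on-disk corruption of the archive
        handle.write(b"corrupted")
    results["verified_after_corruption"] = verify_backup(archive)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it on a schedule (cron or Task Scheduler) and treat a `False` from any check as an incident to investigate rather than a warning to ignore; the freshness check in particular is what catches the silent failure where backups stopped running months before the attack. The checksum beside the archive detects accidental corruption, but an attacker with write access to the backup folder can rewrite both files, which is why the article's advice to keep copies offsite or on a disconnected drive still applies.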
Graves offered three additional tips for SPFA members.
First, those with an IT department should periodically conduct a cybersecurity risk audit, referring to the Cybersecurity Framework provided by the National Institute of Standards and Technology. Smaller companies should consider hiring an IT consultant to perform this relatively low-cost service and identify any security vulnerabilities.
Second, businesses should form a plan for running the business and notifying customers if they experience a breach. The Federal Trade Commission provides a useful manual, "Data Breach Response: A Guide for Business."
Third, businesses should ensure they’re adhering to the best practices recommended by their software and technology platforms.
"Finish securing that administrator console and going down those checklists," Graves said. "That’s very important. I know of several businesses that experienced an attack, but they had never fully implemented their software and didn’t have an internet usage policy, so their insurance companies said they were under no obligation to pay their claim, and that’s devastating for those businesses."