This article is intended to help any SMB owner/operator secure its company’s data, with seven specific recommendations. But first, a story to explain why it’s important in the first place.
My mother ran a corporate meetings and events business for over 20 years. One day her CFO called in a panic, “I can’t print checks through the accounting software and the accounting data isn’t displaying right in the reporting mode”.
Fast forward, it turns out that the accounting software was hit with ransomware, specifically a file extension virus called LockBit. All her accounting files were encrypted, meaning the files couldn’t be accessed.
The company then received an email that read something like “You’ve been hacked, now please call this number XXX-XXX-XXX to pay and the files will be un-encrypted” At-least the hackers said please!
How did this happen? To this day, we don’t know exactly, but there were a few proposed causes: the CFO may have opened a wrongful email with a link (commonly referred to as a phishing scam) or the company’s firewall may have been compromised and never patched by the existing outsourced IT service provider (meaning never fixed/updated) and the hackers stole logins and passwords as a result.
While this isn’t an article about what to do after a ransomware attack, here are a few tidbits: The company had cyber-insurance and had to pay the hackers (I’ll get to this later), the company had to pay an external cybersecurity firm to do remediation (a series of efforts to detect, contain, and restore) in this case, to clean the accounting files and data, and the company had to switch from an on-premise server to a cloud-hosted provider (I’ll get to this later as well, but think Google Cloud Project, Microsoft Azure, and Amazon Web Services)
So, what can you do? Here are seven recommendations effective immediately:
1. Change your mindset about security. Think about the security of your small business as risk mitigation. You must get comfortable with the fact that you can’t eliminate all threats or attacks, but your goal is to reduce the likelihood, its impact, both financial and operational, and make decisions that reflect this.
2. Buy security software. If you don’t know where to start, maybe ask another small business owner/operator for recommendations. If you want to learn about the software on your own, there are many software review sites for SMBs like SoftwareAdvice, GetApp, G2 Crowd, Capterra, and many others that will help provide a potential list of security software to explore and even connect you with an expert. You can also hire an outside IT or security firm to take this off your plate.
3. Train your team. In the story above, there is a high likelihood that a member of the team wrongfully clicked a link in a phishing email that then allowed the hackers to get access to logins/passwords. It’s important to train your staff on how to identify these emails and the dos/don’ts. You can more easily hire an IT firm to train your team and/or you can buy a “security awareness training” software to achieve the same outcome.
4. Setup online backups. Make sure your databases are backed up multiple times per day. In case you are hacked, you have a way to clean and restore from your last backup. Talk with your internal IT personnel or your external IT firm about this.
5. Update your operating system. In the story above, this was done after the fact where the company had to make the switch for better protection in the future. Switching to a cloud provider like Google Cloud Project, Microsoft Azure or AWS allows your small business to get top-level security protection used by the largest companies in the world. Make sure to issue updates to these operating systems, and don’t ignore them, because new security protections are being administered in these updates.
6. Passwords and Multi-factor authentication. Require employees to create complex passwords that are unique. To protect your network, there needs to be multi-factor authentication in place, so that your employees use a combination of passwords and random codes generated by text message. You can talk to your internal IT personnel or an outsourced IT firm about this.
7. Get cyber insurance. Going back to #1, nothing is foolproof. Technology is changing so fast that cybercriminals have the advantage. So, having protection in the event you do experience a ransomware attack is always preferred. This protection will give you piece of mind and mitigate liabilities to your SMB.
By no means is this list exhaustive, but it’s intended to bring awareness and support discussion with your small business team!
