It’s no secret that small businesses have been targeted by cyber-criminals. According to the Thales Data Threat Report, 45% of businesses were attacked in 2021. And this number keeps growing. Ransomware, malware, viruses, and phishing cost US businesses $445 billion last year.
In 2014 I experienced the fallout of a cyber attack when a club that I managed was part of a 10,000 business hack. Fortunately, they did not get any member data because we used a 3rd party to handle that. The hack disrupted us for months, resulting in hundreds of hours of time dedicated to solving the issue and thousands of dollars in lost business.
Being hacked means much more than just having card data, spreadsheets, security systems, staff records, and member files taken. In our case, the immediate result was that our website was “stolen” and was unusable for nearly three months. Although this was not a ransomware attack, eventually the thieves started posting fake programs that looked legitimate on our stolen website. The intention was to have people sign up for these fake programs and thus the thieves would steal their data. Fortunately, by the time they got to posting this phishing information, we had already alerted our members and the community about the breach and none of our members’ financial information was compromised.
Although we were able to mitigate the damage to our member base, we had to engage an attorney who specialized in defending against ransomware attacks, and that’s when we realized our work was just beginning. After reviewing our situation, the only course of action we had was to move forward with a lawsuit in International Court through ICANN (Internet Corporation for Assigned Names and Numbers) in Geneva to get back control of our website. Not only did this come with a cost of nearly $20,000, but also countless hours of staff time.
Over the course of litigation and the process of fighting back, additional challenges came forth:
- Our website became static. Nothing was functioning or being updated. So, anyone looking us up figured that we were not managing the site, or perhaps we were out of business.
- We had no web presence to market our business and programs.
- We had to buy new domain names and create a new website.
- We had to contact all of our members and engage in consistent messaging while investing in advertising to assure members and future members we were on top of our game and addressing the issues at hand.
- When all was said and done, on top of the costs described above, we also lost roughly $15,000 in potential business. Between marketing, man hours, and direct legal fees, the total cost for addressing the attack ended up being close to $50,000.
What can you do to protect your business?
- Make sure that you have a good cyber insurance policy. Unfortunately, back when we were attacked, cyber crime was not a widely acknowledged issue. We had a policy that covered the costs associated with a data breach, but it was not comprehensive enough to cover the business interruption, legal fees, staff time to research and prove our case, and costs to buy new domain names and restart our website. Our current cyber policy is now much more robust and covers more of the real costs involved in recovering from a cyber attack.
- Invest the time into figuring out your data strategy. Have a strong backup system for all data and files and back everything up on a daily basis.
- Train your staff on how to recognize phishing emails and suspicious downloads. Staffers downloading non-business-related information and clicking on emails with bogus subject lines are common entryways into company systems.
- Limit the administrative access and abilities of employees to systems and social media profiles. Don’t give someone the keys unless you are absolutely sure they know how to drive!
- Ensure that all your computer systems have adequate firewall and antivirus technology installed and updated.
- Make use of data breach prevention tools, including intrusion detection software.
- Include DDoS security capabilities in your systems and on your website.
- Have an organized and written plan to manage data security breaches. Define who will respond, and what protocols will be used in each potential situation.
- Make sure that you have a secure Wi-Fi network for your business’ computer system.
- Contact your insurance underwriter for more ways to make sure that your systems are secure, and if you already have a cybersecurity policy, review it and make sure you have the right coverage.
By Richard Synnott, Vice President at Active Entities