Imagine arriving at the office to discover that cyberthieves have locked down your company's computer network and are demanding that you pay ransom before they'll release it.
Who would you call? What would you do? Would you be able to conduct business? Would you pay the ransom? How would you shore up your network after the incident to make sure you weren't hit with another ransomware attack?
This kind of scenario may sound far-fetched. But it is increasingly common. And it is just one scenario among many that small businesses, like their larger counterparts, need to consider in an era of rising and increasingly advanced cybercrime. If you assume your company presents too modest a target for online crooks and hackers, you may be operating under a dangerously false and costly sense of cybersecurity.
In fact, while data breaches at global corporations grab the headlines, cyberthieves find small businesses highly appealing and have been escalating their attacks on them for years. Common threats include malware, ransomware, viruses, and social engineering weapons like phishing and more targeted "spearphishing" emails. And the Small Business Administration notes that internet crimes are constantly evolving.
Given the financial, operational and legal havoc that cyberattacks can wreak on a business, not to mention the damage to company image and client trust, these threats merit attention.
"Some people feel that their data is not worth it, that they don't have a lot to lose, or they're not a target, but the reality is everybody is a target," said City National Bank's corporate security director, Briane Grey.
Small businesses indeed must realize they are likely to be on someone's target list, now or in the near future, said Barbara Allen Watkins, CEO and president of BAW Consulting Services, a cybersecurity firm that works with City National Bank and small business clients.
Business owners might think, "'What do I have, I just manufacture lights,' or 'I'm just an interior designer for higher-end homes,'" said Watkins. They don't always recognize that they may hold lucrative data, such as contact and payment information for celebrity clients, she noted.
Verizon's 2019 Data Breach Investigations report found small businesses accounted for 43 percent of data breaches that the company identified, and noted that no industry vertical is immune to attack.
The report also found, among other trends, that:
• More than half the breaches took months or longer to discover
• Roughly one-third of breaches originated with employees or other company insiders, while organized crime carried out nearly 40 percent of breaches
• Cybercriminals increasingly targeted C-suite executives
Similarly, a recent global cybersecurity survey from the Ponemon Institute, an independent research organization, found a significant increase in targeted breaches at small and medium-sized businesses for the third straight year; in the U.S., 76 percent of these firms reported they'd been attacked in the previous 12 months.
The costs companies incur after data breaches can be significant, although statistics vary greatly. In some cases, the costs are too great and businesses have to shut down after data breaches, said cybersecurity consultant Watkins.
"Some startups have not even made it out of the gate because they were not cyber-ready," she said, noting that more small businesses are making cybersecurity part of their strategy.
"You have to be cyber-defendable and cyber-resilient," said Watkins, that is, flexible enough to recover, minimize your costs and curtail damage to clients should cybercriminals attack your company. Cyberbreaches are the new norm so companies need to be on 24/7 alert, she said.
Businesses need to assess their risks and figure out where they need improvements, Grey said. "What are your crown jewels," he asked, "and how are you going to protect them?"
Here are steps you can take to shore up your defenses and protect your business, customers and employees from cybercrime — and to mitigate the damage if internet thieves strike.
You need a good plan for securing your network, which probably will entail lining up solid consulting help to assist on technical issues, compliance and risk mitigation, said Michael Morgan, a partner specializing in global privacy and cybersecurity at McDermott Will & Emery LLP.
As a small business, you may not have adequate, dedicated in-house staff, although you might employ an IT person familiar with best practices for securing your network. Most small businesses probably need to consult with an outside technology provider who can help secure their network and make sure their systems are protected, Morgan said.
If you show up one day and find your systems encrypted, he added, "You're really going to need to rely on some outside help. It's not an easy fix. The questions that you confront are not easy ones, like do you pay a ransom to a criminal attacker?"
As part of your plan, you may need to consider how to fulfill orders, keep customers satisfied and stay in business should your systems sustain an attack, Morgan said.
Watkins recommended establishing a "cyberincident response plan" so you'll know what to do and recover more quickly should an event occur. Practice the plan at least twice a year with a tabletop exercise to make sure phone numbers, contacts and processes haven't changed.
The experts suggested that owners contract with good outside vendors upfront and conduct due diligence to make sure consultants and vendors can deliver on their promises.
Watkins suggested tapping a good IT person with security expertise to work with you twice a year.
"You want to get the right vendor for your company," Morgan said. Ideally, you'll choose a firm that works with companies your size and knows the specific security concerns facing your industry. "I think it's really important for small business people to just be very inquisitive and ask a lot of questions and maybe rely on their networks of contacts," he said.
Make sure your insurance covers you for cybersecurity problems.
Owners should think about the events their companies could face and find out whether their insurance policies would make the business whole in case of cyberattack, Morgan said, noting that some insurers will pay ransom after a ransomware attack.
"There have been small businesses that have gone under because of an attack and they didn't have insurance," said consultant Watkins, who called ransomware the fastest-growing threat. She recommended that companies obtain cyberfraud liability insurance, and that owners talk to a lawyer or insurance company about their legal responsibilities in case of a data breach.
A cyberfraud liability insurance policy might come with a breach coach who will assist in case of an attack, according to Watkins, who said the first person you'd call after a breach typically would be your business's lawyer.
In addition to incurring expenses from lost business, ransom demands and damage to systems, companies may face legal liability to customers, employees or other parties after a breach.
Businesses get sued for data breaches "all the time," Morgan said. He also suggested making sure your contracts with business partners protect you in the event that a breach on a partner's network exposes you to losses or liability.
Train all employees from the CEO to the lowest-level worker on good cyber practices, from recognizing phishing emails to proper data handling. Watkins recommended training staff at least twice a year.
Cybercriminals use social engineering attacks to trick users into giving up their credentials, or to click on a legitimate-looking email, she noted.
"These emails are more sophisticated than they've ever been before. They're almost perfect. There are no grammatical errors in them," said Watkins.
A ransomware attack "happens every day to some small business somewhere in the world, and how do you prevent a ransomware attack? You need to have the proper technical tools in place to detect it, deflect it and destroy it," said Watkins. "The three Ds." While you can buy tools to do that for you, training is important. "Humans, we're the weakest link," she said.
Indeed, rules for receiving and handling customer data are only as good as the employees who need to follow them, Morgan noted.
Employees should be taught good information security practices, “simple things like locking the door, not sharing passwords, taking reasonable steps to avoid losing laptops and devices. That sort of training can be pretty helpful," he said.
Employers should educate employees on cyberfraud awareness and make it fun, using games and prizes, rewarding those who practice good cyberhygiene and report suspicious emails, Watkins suggested.
Cybersecurity should become part of the company culture, so that employees aren't afraid to notify IT or management if they inadvertently click on something they shouldn't have.
"Sometimes an executive needs to say that," said Watkins.
The quicker you know about a breach, the quicker you can stop it, so a business with bullying executives who make employees fearful to report a problem "just can't have that culture anymore," she said.
"One of the most critical parts of a cybersecurity plan is to have an executive sponsor" who champions cybersecurity, she said. "It has to start at the top, cybersecurity is everyone's responsibility, from the boardroom to the mail room. It's not just an IT problem, and it must have support from the C-suite."
Hand-in-hand with training and culture, companies need to practice good cyberhygiene.
That means, among other steps, making sure your antivirus software is updated, that all patches are executed in a timely manner and that your network is designed so that patches can be installed at the network level rather than at each computer station, said Watkins.
Cyberhygiene also entails using strong passwords and security codes, and requiring multi-factor authentication, a process calling for at least two steps to verify a person's identity before they can sign on to the network.
Back up your data at least daily. With more frequent backups, you might lose only 15 minutes' worth of data in a ransomware attack, Watkins noted.
Good cyberhygiene also requires thinking about who can reach which parts of your network. Watkins recommended granting access based on job responsibility.
Limit where employees can navigate on the internet and their ability to plug into USB drives and take data unnoticed, she said.
"Why does Susie need access to payroll when she doesn't do payroll?" she said.
Even trusted employees with broad access need their own sign-on credentials. Spearphishing emails often target top executives — in small businesses, the partners or owners — and their assistants, Watkins noted.
"They target them because they know that assistants more than likely have the keys to the kingdom," she said. Watkins recommended setting up key assistants with their own credentials and the same access as the executive.
That way, if an assistant accidentally clicks on a malicious email under his or her own credentials, it can be traced to that person, which can protect the company from being denied an insurance claim because the boss shared credentials, she said.
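The access-by-job-responsibility and individual-credentials advice above can be made concrete with a small role-based access model. The following is an added example, not code from the article or from any firm quoted in it: the roles, resource names and staff identities ("susie", "pat", "dana", "alex") are constructed for illustration. It shows a user denied a resource outside their role, an assistant who holds the same access as an executive under a separate sign-on, and an audit log that attributes each access to one named person rather than a shared account.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Which resources each job role may reach. Constructed for this example.
ROLE_PERMISSIONS = {
    "sales": {"crm", "email"},
    "payroll": {"payroll", "email"},
    "executive": {"crm", "payroll", "contracts", "email"},
}


@dataclass
class AccessControl:
    """Maps individual sign-on identities to roles and records every decision."""
    users: dict = field(default_factory=dict)      # username -> set of roles
    audit_log: list = field(default_factory=list)  # one entry per access attempt

    def add_user(self, username, roles):
        # Every person gets their own identity; a second person cannot
        # be attached to an existing one, so credentials are never shared.
        if username in self.users:
            raise ValueError(f"duplicate identity: {username}")
        self.users[username] = set(roles)

    def permitted_resources(self, username):
        # Union of what the user's roles allow; unknown users get nothing.
        allowed = set()
        for role in self.users.get(username, set()):
            allowed |= ROLE_PERMISSIONS.get(role, set())
        return allowed

    def access(self, username, resource):
        # Decide, then log the individual identity with the decision, so an
        # incident (e.g. a clicked malicious link) can be traced to one person.
        allowed = resource in self.permitted_resources(username)
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": username,
            "resource": resource,
            "allowed": allowed,
        })
        return allowed

    def who_accessed(self, resource):
        # Names of the individuals who successfully reached a resource.
        return sorted({e["user"] for e in self.audit_log
                       if e["resource"] == resource and e["allowed"]})


def build_demo():
    """Constructed staff list: 'susie' in sales, 'pat' in payroll, executive
    'dana', and assistant 'alex' with the same access under a separate identity."""
    ac = AccessControl()
    ac.add_user("susie", {"sales"})
    ac.add_user("pat", {"payroll"})
    ac.add_user("dana", {"executive"})
    ac.add_user("alex", {"executive"})  # assistant: own credentials, same access
    return ac


if __name__ == "__main__":
    ac = build_demo()
    print("susie -> payroll:", ac.access("susie", "payroll"))       # False
    print("pat -> payroll:", ac.access("pat", "payroll"))           # True
    print("alex -> contracts:", ac.access("alex", "contracts"))     # True
    print("who reached contracts:", ac.who_accessed("contracts"))   # ['alex']
```

The point of the audit log is the attribution: because the assistant signs on as "alex" rather than as the executive, a review of who reached "contracts" names the assistant alone, which is what the insurance-claim concern above depends on.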
More broadly, Watkins recommended conducting background checks on all employees (nationwide checks, not just statewide) before they are hired.
Various government agencies and the public-private National Cyber Security Alliance offer online and in-person resources to help you address cybersecurity.
With careful planning, expert support and free resources, you can develop the strong practices to help protect your business, customers and employees from cybercrime.
This article is for general information and education only. It is provided as a courtesy to the clients and friends of City National Bank (City National). City National does not warrant that it is accurate or complete. Opinions expressed and estimates or projections given are those of the authors or persons quoted as of the date of the article with no obligation to update or notify of inaccuracy or change. This article may not be reproduced, distributed or further published by any person without the written consent of City National. Please cite source when quoting.