3 Reasons Your Business Should Take Cybersecurity Seriously

Most business owners today remember when the big computer concern for their businesses was antivirus software. Then came phishing and those strange links in your email you weren’t supposed to click. But what is coming now is a perfect storm of ransomware and difficult-to-trace cryptocurrency. Before you become one of the many business owners who say, “I didn’t think it could happen to me,” you should take the time to make sure your business is secure… or you might end up losing it entirely.

What is Ransomware?

Ransomware is what it sounds like. An attack, delivered through any of several vectors, typically encrypts all or almost all of a company’s vital systems, making them inaccessible unless unlocked with a decryption key. Threat actors offer the decryption key in exchange for a ransom, usually paid in cryptocurrencies like bitcoin, which are difficult, but not impossible, to trace. Companies with no other recourse often fold to the pressure, but even if they pay the ransom and receive a decryption key, they face a possible exodus of customers who have lost confidence after an attack.

Why Me?

So often cybersecurity experts will lead off a talk by referencing some Main Street business, say an accounting firm in Idaho with five employees, sharing that the first reaction from the ownership of that business after it was hit by ransomware was, “I didn’t think it would happen to me.” This complacency is due in part to sensational news stories of high-profile breaches. But those stories should set off alarms, not make business owners complacent.

If large companies, with entire departments dedicated to cybersecurity, can still get breached, how likely is it that you could be breached too? Even LastPass, a company that knew it had a target on its back (because it stores passwords), was breached recently. The threat actors want the same things from these big companies as they want from the smaller ones:

  1. Data: if you have proprietary technology, state-backed threat actors may come to take it to give their country’s industries a nudge forward.
  2. Money: since most people are ill-prepared to deal with a ransomware situation, they are willing to pay up to receive a decrypt key and stop the pain.
  3. Customers: if the threat actor can get their hands on the information of your clients, they have even more opportunities for ransom. Threat actors know that that Idaho accounting firm, even if it only had 50 clients, was an opportunity for multiple hits, especially if they went after the clients of the clients, and so on.

Basic Security Measures

The same cybersecurity experts who talk about the attack on the Main Street business that never expected it also note that even the most basic cybersecurity measures were not in place. Weak passwords were permitted, or were never forced to change, or were written on post-it notes stuck to the computer. All because people were “irritated” by security measures.

No one wants friction between tasks, or wants to verify a login with a text message code, but these measures were not dreamt up by the nerds in IT; they are basic responses to ever-escalating attacks from threat actors who exploit basic societal norms of trust. Here are some basic cybersecurity measures all businesses need to take:

  • Keep clean machines: make sure your computers are running the latest security software, browsers, and operating systems, and that they are consistently patched with software updates.
  • Have a firewall in place for your Internet connection.
  • Make regular backups of important business data and information and store them in physical and cloud locations.
  • Train your team in cybersecurity principles and establish penalties for violations of company cybersecurity policies. These policies should require unique passwords that change every 90 days, however annoying that is to everyone. Multi-factor authentication (MFA), which requires additional verification beyond a password, is also a must.

Finally, the “when, not if” plan involves having a cybersecurity action plan: a written (and printed-out, in case it gets encrypted along with the rest of your data) document outlining how the company responds to incidents. A key partner for creating this action plan, beyond your IT team, will be a cyberinsurance company like Datastream, which has experience drafting cybersecurity action plans and keeps up with industry best practices.

Need some help getting your cybersecurity house in order? We know some nerds who can help! Give us a call.