By Bill Howard
It is 7:30 a.m. and your first call of the morning is from your sales manager saying he cannot access your database. Text messages roll in from other department managers who cannot access your systems. Overnight, hackers have encrypted your files and are requesting ransom for the encryption key. Your business is closed.
Who do you call? What steps do you take? Did you have a plan in place prior to today? Is this covered by insurance?
Knowing the answer to these questions can be the difference between an inconvenience and a substantial business interruption and financial loss.
Every day the press reports another cyberattack. What have you done to protect yourself and your business? “It will not happen to me” or “I am too small” is not a plan.
Ransomware attacks are on the rise, and more than half of all cyberattacks are directed at small and midsize companies. Small companies have less sophisticated procedures in place and, as a result, are easy targets and low-hanging fruit for cyber criminals.
Hackers are no longer high school kids in their basements. Today the bad actors are sophisticated enterprises engaged in ongoing and ever-increasing criminal activity. In 2020 the FBI Internet Crime Complaint Center reported 2,000 claims per day and $4.2 billion in losses. NetDiligence reports that since 2017 the average ransom demand increased from $15,000 to $175,000, and it’s only going up.
You need to have a plan before the hack. The following five steps will reduce your risk of attack and increase your chances of recovery.
Identify your technology assets. Make an inventory of your hardware, including desktops, laptops, smartphones, tablets and point-of-sale devices, and software, including operating systems. Do you know what you have and if it is current?
Protect your technology assets. Know and control who has access to your network. Encrypt sensitive data on your system and during transmission. Perform regular backups and tests to make sure they work. Automate security software updates to make sure you are current, as new threats are identified daily. Establish a formal password policy, including a password manager – there are many good options on the market – and use multi-factor authentication everywhere. I know it is a pain, but it will save you a lot more pain in the end.
Educate employees on how to recognize phishing schemes. You may have the best systems, but not educating employees to recognize imposters exposes the human factor as the weakest link.
Detect. Monitor systems to identify unauthorized users and connections to your system. Make sure to receive alerts for unauthorized system access, use of USB drives or software downloads.
Respond. Do you have a cyber incident response plan? Who do you call to investigate and contain the attack? Forensic and restoration experts will help get your systems up and running. The plan should also spell out your legal notification requirements in each state where you do business: to law enforcement, to state authorities and to everyone whose personal information you hold.
Recover. Purchase a cyber liability policy that addresses forensic investigation, cyber extortion, data recovery, business interruption, communication and public relations.
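The Detect step above calls for alerts on unauthorized access, USB drives and software downloads. The script below is an added example written for this column, not the author's code or any vendor's product. It assumes a simple text log format (timestamp, host, event name, then key=value fields) that I constructed for the example; the log lines, host names, user names, addresses and thresholds are all made up. It flags logons from outside the private address ranges, USB device insertions, downloads of executable files, and bursts of failed logons, which are the kinds of signals a small business would want routed to whoever is on call.

```python
"""Minimal detection rules run over constructed sample log lines.

Log format assumed for this example (not a real product's format):
    <ISO timestamp> <host> <event> key=value key=value ...
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# RFC 1918 private ranges; a logon from anywhere else is treated as external.
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# File types a small office rarely needs users to download directly.
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".dmg", ".js", ".ps1", ".bat", ".scr")
# Five failed logons for one account within a minute is reported as a burst.
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(seconds=60)

# Constructed sample log (hosts, users, addresses invented for this example).
SAMPLE_LOG = """\
2024-03-04T02:13:07 fileserver01 logon user=jdoe src=10.0.5.21 result=success
2024-03-04T02:14:11 fileserver01 logon user=admin src=203.0.113.45 result=success
2024-03-04T02:15:02 laptop07 usb_device action=insert vendor=0x0781 product=0x5581
2024-03-04T02:16:40 laptop07 download file=invoice_viewer.exe src=http://example.test/dl
2024-03-04T02:17:05 fileserver01 logon user=jdoe src=10.0.5.21 result=failure
2024-03-04T02:17:06 fileserver01 logon user=jdoe src=10.0.5.21 result=failure
2024-03-04T02:17:07 fileserver01 logon user=jdoe src=10.0.5.21 result=failure
2024-03-04T02:17:08 fileserver01 logon user=jdoe src=10.0.5.21 result=failure
2024-03-04T02:17:09 fileserver01 logon user=jdoe src=10.0.5.21 result=failure
2024-03-04T02:20:00 fileserver01 backup job=nightly result=success
"""


def parse_line(line):
    """Turn one log line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    record = {"ts": datetime.fromisoformat(parts[0]),
              "host": parts[1], "event": parts[2]}
    for token in parts[3:]:
        key, _, value = token.partition("=")
        record[key] = value
    return record


def detect(log_text):
    """Return a list of (rule, host, detail) alerts in the order they fire."""
    alerts = []
    # (host, user) -> timestamps of recent failed logons still inside the window
    failures = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        event = rec["event"]
        if event == "logon":
            src = ipaddress.ip_address(rec.get("src", "0.0.0.0"))
            if not any(src in net for net in INTERNAL_NETWORKS):
                alerts.append(("external_logon", rec["host"],
                               f"user={rec.get('user')} src={src}"))
            if rec.get("result") == "failure":
                key = (rec["host"], rec.get("user"))
                recent = [t for t in failures[key] + [rec["ts"]]
                          if rec["ts"] - t <= FAILED_LOGON_WINDOW]
                if len(recent) >= FAILED_LOGON_THRESHOLD:
                    alerts.append(("brute_force", rec["host"],
                                   f"user={rec.get('user')} failures={len(recent)}"))
                    recent = []  # one alert per burst, then start counting again
                failures[key] = recent
        elif event == "usb_device" and rec.get("action") == "insert":
            alerts.append(("usb_insert", rec["host"],
                           f"vendor={rec.get('vendor')} product={rec.get('product')}"))
        elif event == "download":
            if rec.get("file", "").lower().endswith(EXECUTABLE_SUFFIXES):
                alerts.append(("executable_download", rec["host"],
                               f"file={rec.get('file')}"))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_LOG):
        print(f"ALERT {rule:20} {host:14} {detail}")
```

Run against the sample log, the script raises four alerts: the out-of-network admin logon, the USB insertion, the executable download, and the burst of failed logons for jdoe; the routine backup line produces nothing. Each rule is a few lines, which is the point: the hard part for a small business is not the logic but making sure the logs exist, are collected centrally, and that someone actually receives and acts on the alerts.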
Most cyber insurance carriers provide extensive educational material and make pre-breach services available to their policyholders.
The pandemic has further complicated the situation. More employees are working from home on personal computers shared by other family members on unsecured home networks. Who has access? Are software updates current? Do you have malware protection? Is password management in place? Do you use a virtual private network, or VPN?
It is a lot to think about, but it all starts with a plan.
The writer is the managing partner at Clarke & Sampson Insurance, a certified insurance counselor and certified advisor of personal insurance from Wharton. He received a Cyber COPE Insurance Certification from Carnegie Mellon University.