My company is too small to worry about "hacks." WRONG!
Updated: Mar 3, 2020
Hearing any entity state that it is “too small” to be attractive to a hacker is frustrating for any INFOSEC professional. Depending on the source and month/year, small businesses are the targets of approximately 40-50% of all cyber-attacks, such as ransomware and denial of service events. Small businesses are attractive to bad actors for several reasons:
1) Heavy reliance on online services;
2) Little (if any) employee training on cyber hygiene;
3) Little (if any) IT staff;
4) Failure to update software;
5) Failure to back up or encrypt data; and
6) Failure to institute security policies.
Accordingly, small businesses with or without the resources (which may include the appropriate insurance) may fall victim to ransomware, in which the business is forced to tender tens, if not hundreds, of thousands of dollars to recover its own data. Aside from simply being expensive, ransomware attacks often result in a cessation of business services and may also create legal liabilities to clients.
In 2019 alone, there were 52 ransomware attacks in Louisiana, the targets of which were school districts, state and local governments, health systems, higher education, and businesses. Most of these attacks originated through social engineering. The number and frequency of these attacks are expected to escalate.
So, as a small business – what do you do? Start organizing solutions:
1) Know and document the architecture of your network, so that if you do have an issue, an IT professional is not starting from zero;
2) Back up your data every day, and store it in an offline or encrypted location;
3) Require employees to change passwords every 30 days;
4) Determine your legal obligations to your clients, employees, and the states in which you do business; and
5) Learn data breach reaction techniques.
Please reach out if you need assistance crafting a data breach plan or determining your legal obligations.