Cyberattacks on the rise: How to protect your business

As originally published on stuff.co.nz on 29 Jul 2021

Cyberattacks against small businesses are on the rise – both in terms of frequency and sophistication.

Small businesses were once ignored by hackers, as they were too small and too anonymous to be worthwhile targets. No longer.

Recent advances in malicious software (malware) have resulted in hackers being able to automate the entire extortion lifecycle. Small groups of hackers, or even individuals, can deploy malware campaigns that run completely autonomously and net millions in returns, typically paid to them anonymously in bitcoin.

Take into account the amount of money to be made (global cybercrime is estimated to net over $6 trillion a year) and the shockingly low rates of detection and prosecution (estimated to be as low as 0.05 per cent, according to the World Economic Forum) and you can see why attacks continue to rise, and why they will continue to do so for the foreseeable future.

We’re all familiar with the catastrophic impacts of such cyberattacks on business. Organisations large and small, even entire DHBs, have suffered well-publicised attacks of late. And these are only the tip of the iceberg, as most organisations will keep security attacks confidential if they can.

The year 2021 has already been called the “ransomware apocalypse” as products such as Microsoft’s Exchange email server software and even cloud platforms such as Kaseya and SolarWinds (both popular IT management apps) have been compromised and used to spread malware to computers worldwide.

Small business owners would be forgiven for breaking out in a cold sweat each time they read about the newest attack and wonder “are we next?”

But don’t fear – we are not powerless. We can take basic but effective steps to protect our businesses against these security threats. These include:

  1. Make cybersecurity a business priority. Ingrain security-related thinking into everything you do. One client of mine starts every team meeting with a security tip to keep cybersecurity front of mind.

  2. Train your staff. Social engineering – the art of manipulating the warm fleshy bit that sits between the monitor and chair – is at the heart of most cybersecurity attacks. Train them, and yourself, on how to avoid phishing and other such attacks.

  3. Formulate a practical security policy and ensure staff remain familiar with it. Also, stick to it yourself – security attacks are often targeted at business owners/senior managers who think they’re above their own security policy.

  4. Move your files, emails and other IT systems to the cloud, where they’re not only safer, but also much easier to back up and replicate.

  5. Use two-factor authentication (2FA) with everything. Most modern apps and services offer 2FA as an option – turn it on and make it mandatory for all of your users.

  6. Manage your antivirus software. Antivirus software is useless if it’s been disabled or if it’s out of date. You or your IT service provider should be able to tell at a glance that all of your IT systems are protected and receive alerts when there are problems.

  7. Keep all of your software up to date. Don’t rely on Windows Update – use a management tool or an external service provider to keep all of your software up to date across all of your devices. This protects against security exploits associated with software bugs.

  8. Have a recovery plan and know what it is. Get professional advice on formulating your recovery plan and test it every year. This should include how to recover from systems or data loss and what to do if you’ve been hacked.

  9. Get insurance. Specialist cyber insurance plans can help you mitigate the financial risks associated with cybercrime.


What do I do if I’ve been hacked?

If you find that you’ve been hacked then move quickly, as timing is everything. Your first priority should be on minimising damage and loss, particularly as the hackers may still be rummaging around in your systems.

Activate your recovery plan if you have one and seek professional advice immediately. Warn your staff that a hack has been detected and ask them to be on the lookout for anything out of the ordinary. If computers have been infected with malware then turn them off and leave them off until they can be professionally assessed.

Once you’re confident that the attack has been repelled (and that no one is still intercepting passwords as they are being changed), ask everyone to change their passwords on all key systems.

If you’ve prepared in advance then you’ll be in a much better position to respond to such attacks and they will generally have a much smaller impact on your business, so make planning a priority today.
