Here’s how you can fight back.
A Regina company called Evraz will shut down for the next three days to contain a ransomware attack. According to a hacker site, another firm that sells power tools to the construction industry has also been hit.
And that’s just a couple we know of from yesterday. Every day across Canada businesses are hit. You don’t hear about them, but we do. There was the head of a sports facility who phoned us almost in tears to see if we knew anyone who could help him recover some lost data. Another company we know of was shut for over 19 days and almost went under.
The threat is real. We don’t trade in hype or alarmism. This is just a fact. It’s not like it was five years ago. Ransomware is a business and it’s targeting your business.
These crooks will encrypt your data making it useless and unreadable. This can spread throughout your entire organization rapidly. Then you pay their ransom or you never get your data back.
All too many companies we know of (not our customers, thank god) have gone to restore a backup taken before the ransomware attack, only to find out that their backups didn’t work or didn’t have everything.
A new wrinkle? Even if you don’t pay the ransom, some of these cyber crooks are now stealing your data and threatening to leak it online.
There is a lot more activity than you hear about. Why? Many companies don’t want others to know. But that’s come to an end. You may not have to issue a press release, but you do have to reveal you’ve been hacked.
Federal government regulations say that if this happens, you have to report it if there’s a “chance of harm” to the person or company whose data is leaked. Harm isn’t just a loss of money. It could be an embarrassment to the person, risk of fraud for them and a whole lot more.
Only you know how big a risk this is. But if it is, what would you tell your customers when this happens?
How do you deal with this? Here’s a list of the key things you need to do. Yes, we have services here and we’ll offer them, but that’s not the point. Whether you get this from us or someone else doesn’t change what you know you have to do.
- Get a cybersecurity assessment if you can. By the way, this doesn’t have to break the bank. Nor does it have to be a huge consulting exercise. There is a specialized evaluation tailored for businesses under 500 employees. It’s from the Canadian Centre for Cyber Security and firms like ours can do it quickly and efficiently. It’s fast and the recommendations are practical. It can provide assurance to you – and your customers – that you have fundamental controls in place.
- Train your staff. Your staff are your greatest risk. Most hacking comes in via an error, carelessness or a sophisticated targeted attack. Experts say that training can reduce your chance of an attack by as much as 80%. Once again, you don’t have to break the bank. There are online programs and resources that are affordable. Some (like us) will even give you model policies to implement as part of the training. We can recommend a few of these. (We also do in-house training.)
- Protect your network. Most SMBs don’t have a private network of their own. You need some basic protections like a firewall, a filter that cuts out a lot of the malicious traffic and, of course, up-to-date anti-virus.
- Upgrade software. All the vulnerabilities in your old software are published on the internet for any hacker to use and exploit. There are even kits available so the hacker doesn’t even have to be that bright. It takes time to get this done the first time, but if you make it a regular thing, doing updates can be a smooth, regular process.
- Back up and test. There’s lots of good backup software and solutions out there for companies from large to small. And compared to what you will pay if you lose data, they are a bargain. But more importantly, you have to test your backups regularly. We do “fire drills” where random checks are made. There’s a schedule to make sure we catch everything, but you never know when a test will happen. It not only makes sure you catch everything, but it keeps everyone on their toes.
There’s more you can do, always. And despite what anyone tells you, there is no absolute insurance that you will not get hacked or lose data even if you do all this. But by doing these basic steps, the odds are no longer against you. You vastly reduce your chance of having to explain to a customer, paying a huge fine to the government or worse.
You and your team have spent years building your business. Only you know what that is worth. If you have any questions on any of these points, we’ll be glad to take a call with you. One of our experts will be glad to answer questions or clarify any point. You can reach us at 1-833-543-7664 or at firstname.lastname@example.org. (If you have a security emergency use email@example.com which will link you directly to our emergency response team.)
If you want more information you may want to check out Business Guide to Cyber Security. We’ve heard from others that it’s clear, thought-provoking and helps explain security from a business perspective.
You can download it here.