Ransomware attacks on small businesses are on the rise.
Here are best practices for preventing one.
Most small businesses believe a cyberattack is inevitable, but many still haven’t taken proper precautions. Small businesses are increasingly a target-rich environment for cyber criminals, scammers and ransomware groups — and an attack can cost business owners plenty.
Nitin Natarajan, deputy director for the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security, spoke with The Playbook about the rapidly evolving threats in the cybersecurity landscape and what business owners can do to protect themselves.
“At the end of the day, we are all potentially vulnerable. The days of only being worried about large organizations are gone,” Natarajan said. “We are seeing phishing attempts, ransomware against small local governments, small businesses and medium-size businesses around the nation.”
Just in 2021, the FBI received nearly 20,000 complaints about business email compromise scams and attacks with losses of about $2.4 billion, according to a recent report. Those scams involved hijacking existing email accounts and asking for money or critical information that is then used against the business.
Data from AdvisorSmith found 42% of small businesses experienced a cyberattack in the last year, while 69% are concerned about cyberattacks in the coming year. The most common form of cyberattack reported by small-business owners was phishing attempts, while the next most prominent was data breaches.
Natarajan said the potential list of victims is growing exponentially as hackers become more sophisticated. While in years past, it was easy to tell a phishing attack from its bad grammar or spacing, these efforts are now much harder to spot.
“But now we have ransomware-as-a-service. If you wanted to start your own cyber-terrorist organization, you used to have to know people,” Natarajan said. “You don’t have to do that anymore. Now all you need is bitcoin and an enemy, and you can hire people to do this for you.”
He offered some basic tips on how to start preparing your business.
Don’t tape your passwords to your keyboard: That’s not meant to be dismissive, according to Natarajan. Small-business owners need to up their game when it comes to their login information. Opt into multi-factor authentication whenever possible. Choose banks, vendors and services that offer higher levels of security as part of a conscious effort to protect your own personal information and that of your business and employees.
Think before you click: Take a moment to read through emails or messages before clicking any link, Natarajan said. Look at the sender’s email address to ensure that it is coming from the business or person they claim to be. Hover over any links to see where the destination is. When in doubt, take a minute to think critically about it. Maybe call the sender to ask whether they actually sent the document, just to be sure.
Understand the risks: Every business owner needs to both understand the risks and work to mitigate them through software or other best practices, Natarajan said. But once those are done, business owners need to be aware of the remaining risks and consciously accept them in order to be prepared for whatever might happen.
Explore cyber insurance: Not every business needs to have cyber insurance, and that type of insurance is often becoming harder to get or qualify for, he said. Think about where you sit in the supply chain and where your services or products are going. A bakery with a point-of-sale system might not need cyber insurance, but a firm whose parts or expertise go into critical equipment or infrastructure might want to explore its options.
Look at your suppliers: Try to find out how secure your critical suppliers are. While that information is not easily available, the last thing you want is a vulnerability that is passed along to you by a service provider.
Visit CISA.gov: The website is full of resources for small-business owners written in a non-technical manner, Natarajan said. They help define terms such as phishing and offer simple steps for laypeople to educate both themselves and their employees.