Small businesses were easy prey for cybercriminals during the pandemic. A shift to remote work meant hackers had their pick of unsecured home networks and devices. Now, even though many businesses have moved back to in-office work, it's likely they'll still be targeted by hackers. Savvy thieves often see small businesses as a "Trojan Horse" to the larger businesses with which they partner.
Panelists at a Chamber of Commerce event on Thursday shared tips on what businesses need to keep in mind in order to protect their data and assets from cyberattacks.
Ransomware comes in via email and can hide for several days.
Some cyberattacks will do damage instantly, taking down all of your systems and locking you out. But some, such as ransomware emails, require more time to take root.
"So maybe an employee clicks on an email that goes through their device, and they send that email to somebody else that hits another application or device. It can really be in your system for several days before you notice it," said Tara Holt, senior product marketing manager at Iron Mountain. The delayed timeline is crucial to keep in mind as you work to nail down when and how a breach occurred.
Backup critical data, both on- and off-site.
Holt and other cybersecurity experts encourage businesses to keep a backup of their most critical data as a second line of defense, stored both off-site and online. With a backup handy, a business may still be able to operate during a cyberattack, even in a limited capacity.
Make sure payment processors are PCI compliant.
An overlooked area of cybersecurity is your third-party payment processor. Businesses that make hundreds of transactions per day must ensure that security standards are in place to prevent theft. Most merchants that accept credit cards must adhere to the Payment Card Industry Data Security Standard, or PCI DSS.
A few credit card companies allow merchants that are not PCI compliant, but tread carefully with them -- you'll likely be stuck with the bill in the event of a breach. "If you get a breach, and you're not PCI compliant, it's a minimum of $80,000 apiece and MasterCard will have to charge you, because they're going to have to resubmit new cards for those people whose cards may have also been compromised," said Renee VanHeel, president of Pay It Forward Processing.
You can pay the ransom, but don't expect to get your data back.
While taking cybercriminals at their word is always a risky undertaking, when it comes to ransomware, few crooks are honest players. Businesses that pay ransoms must deal with the very likely possibility that any data they get back will either be incomplete or corrupt.
An estimated 92 percent of victims who pay the requested ransom don't get their data back, according to a 2021 Sophos State of Ransomware report.
Use a "zero-trust network" and multi-factor authentication.
Chances are your team needs a refresher on what makes a strong, unique password; strong passwords go a long way toward securing your systems. Best practices include combining three or more unrelated words -- proper nouns are good -- with numbers or special characters separating them.
Requiring the use of VPNs is also key. Saïd Eastman, CEO of JobsInTheUS, says his company uses both an internal VPN and a third-party VPN for customers. "We do that because we believe it's important for us to provide a secure environment for our employees to get in to do their jobs, but also a place for our customers," he said.
Holt also suggests that businesses create what is called a "zero-trust network," which authenticates users every time they log in. Multi-factor authentication, in which users must also enter a passcode sent to their phone or email, is another good safeguard.
"Adding in as many different layers of security as you can can really be that first step to protect you," said Holt.