Rebecca Miller of Peggy Jean's Pies, a bakery in Columbia, Missouri, woke up one morning last summer to a less-than-sweet surprise: Online searches for her shop's website were leading potential customers to an X-rated destination. "Not just porn--like, capital P porn," recalls Miller, a former lawyer who runs the shop with her mother, Jeanne Plumley. "Really, really bad porn."

It took her most of the day and several hundred dollars paid to a third-party vendor to clean up the mess. "Who in the world hacks a pie website?" she still wonders.

Lots of people, it turns out. While attacks on big companies like Yahoo and Target grab more headlines, entrepreneurs are almost as vulnerable: In 2015, 43 percent of cyberattacks were waged against small businesses, according to Symantec. "Small-business people don't realize that the bad guys look at them as low-hanging fruit," says Michael Cocanower, founder of Phoenix-based IT consulting firm itSynergy, which works with small and medium-size businesses. Fortunately, there are plenty of steps you can take to make yourself less vulnerable--or, if the worst happens, to fight back.

Educate your employees

Attacks are getting more sophis­ticated, but most breaches still occur because of human error. That's why experts suggest training employees for threats early and often. "It's not just the IT department, it's not just the CEO--it's everybody's responsibility," says Scott Schober, chief executive of Berkeley Varitronics Systems, a Metuchen, New Jersey-based wireless security tech firm. Jesse Harrison, the founder of Los Angeles lender Zeus Legal Funding, learned that lesson the hard way in December 2015. When one of his workers clicked on an infected email saying she'd won the lottery, all of the company's computers and locally saved files became locked within moments. The email contained ransomware that encrypted the contents, with the hackers demanding that Harrison hand over $600 to get them released. Now Harrison regularly shows workers samples of real and fake emails, quizzing them on how they'll react if something suspicious shows up in their inbox. "It's important for them to know not only when an email is a scam, but also how the scam works from start to finish," he says.

Cyber criminals have their eye on small business
79%
of small-business owners have no cyber response plan in place.
$7,000
Average cost of a small-business attack.
$1 billion
Amount thieves stole from businesses through fake wire transfers from October 2013 to May 2016. Source: FBI
430 million
Number of new, unique pieces of malware discovered in 2015.
$32k
Average amount an attack targeted at your company's bank account will cost you.
Source: NSBA

Set up advanced bank alerts

Rick Snow, founder of go-kart track Maine Indoor Karting in Scarborough, Maine, logged on to his bank account late one night only to discover it had been drained. Someone had initiated $15,000 in wire transfers to banks across the country. Banks aren't required to offer the same protections to business accounts as they do personal accounts in cases of cyber fraud, so the money would have been irretrievable if the transfers had gone through. "That would have cleared out all of our positive cash flow," says Snow. He was able to stop the transfers at his local bank the next morning, but if he hadn't caught it in time, "we would have been in dire straits." You can request two-factor authentication--in which the bank must confirm the transaction via a code sent to your phone--for certain kinds of activities, such as wire transfers. Or you can even ask the bank to turn off some online capabilities altogether. "I don't have to do wire transfers very often, so at the time I instructed my bank not to allow those unless I physically came into a branch," says Cocanower.

Update your software weekly

It can feel like a hassle, but keeping your software up to date is crucial for warding off threats. Symantec estimates that more than three-quarters of legitimate websites have vulnerabilities that should be patched. Miller now believes that malware infected her pie shop's site through an attack on her web host. That's a common vulnerability for small businesses, according to Schober, because third-party software and operating systems are constantly issuing security updates and patches that don't install automatically. "It's about staying on top of it," he says. "If you don't have that ability yourself, you've got to hire somebody to do that every week."

Don't trust just one backup

Keep your files in multiple places, including in cloud-based programs and external hardware not connected to your network. This guards against a few different kinds of disasters, including ransomware attacks that can deliberately target backup files. "If our building burns down, we've got our stuff in the cloud," says Cocanower. But "normally we can go right to that onsite backup." After the Zeus Legal hack, Harrison realized he needed a better noncloud backup system--he now uses several external hard drives as well as an online drive to ensure he has access to what he needs. While he ultimately coughed up the ransom money, the hackers didn't unlock his files--meaning Harrison had to spend days on the slow and frustrating process of redigitizing his paper files. "I had to re-create everything from scratch," he says.

 

Cleaning up the mess: What to do when an attacker gets through your defenses

Prepare ahead of time

Inform investors and customers of the problem and what steps you'll need to take to get back on your feet. "Have a notebook on a shelf: 'Break glass in case of emergency,' " says Michael Cocanower of itSynergy. "That's much better than trying to figure it out in the moment."

Hire a third-party expert

Even if you have an IT team, it can be helpful to tap an outsider's perspective. "You want to be sure you're getting a disinterested third-party assessment of the damage, and not someone trying to cover up their mistakes," says Cocanower. The sooner you act, the better. "The first 48 hours postbreach are critical to determine which computers or networks have been compromised, how they've been exploited, and what data may've been compromised," says Scott Schober of Berkeley Varitronics Systems.

Think before you pay

Most experts advise against paying a ransom, except as a last resort. "The attacker is counting on that person saying, 'I'm going to pay because I just can't deal with it,' " says Norman Guadagno, senior vice president of marketing at Carbonite, a cloud-based data-backup company. "They prey on that psychological moment." Decryption keys for older scams can sometimes be found for free online, and paying ransom often doesn't get the files released anyway. If you're going to spend money to get your business back, it may be smarter to pay for the services of a professional cleanup expert instead.

FROM THE MARCH 2017 ISSUE OF INC. MAGAZINE