An important part of our business here at VandalsSmile is advising small businesses before, during and after a cyber attack or hack. The recent DCH ransomware hit was world news and rightly gets the attention, but a big piece of the story is lost for most readers:
it’s not just large businesses and organizations that are getting hit – or facing federal class-action lawsuits like DCH.
Over the last year, I’ve helped over half a dozen local companies respond to one or another of the following hacks:
- Phishing/Spear-phishing – Bogus email campaigns designed to get passwords or, more importantly, lucrative Personally Identifiable Information (PII) such as socials, addresses, account numbers, and many more things that identify a person or an account.
- Password/Email Hacks – Many businesses have been affected by insecure passwords or by using duplicate passwords across different logins. They log in to insecure Wi-Fi, use a password on an insecure site and, boom, criminals have their passwords. That leads to…
- Ransomware – When cyber criminals get access to your email and other accounts, it makes it easy to then deploy ransomware, like the stuff that was used against DCH, to take over your computers and demand a ransom to unlock them. Even worse, they then use your email account to send a message your customers think is from you to your entire address book, containing a PDF or other file that, when clicked, deploys ransomware onto the computers of your clients and customers.
- Insider Threat – Rogue or malicious employees who have access to business networks and other connected resources can exfiltrate data from your networks using code they can freely download from the internet.
- Website Take-over – Many businesses have websites built with aging technology that has been exploited over the years. (WordPress, anyone?) Criminals can get into the site, add their own links and direct your clients to websites that install malware. What’s just as bad, they can set up forms to gather your customers’ valuable info and you won’t even know it’s happening. The same can happen with your social media accounts. I helped a business late last year that was down for almost a month due to an Instagram take-over alone.
By now your eyes are probably rolling back in your head and you’re falling asleep. If you’ve managed to read this far, keep reading, because it could save your company from a shutdown due to a data breach.
Your Business Can Get Shut Down Because of a Hack
To get right to the point: no matter the size of your business, if you lose data and it hurts someone else, you can go out of business, get sued out of business, or simply get shut down by the state or the Federal Trade Commission (FTC). Ever since the ruling in the massive Wyndham hotels data breach case filed back in 2012, the FTC has taken on the responsibility of investigating and suing private businesses that lose their customers’ data:
On August 24, 2015, the Third Circuit’s three-judge panel upheld the District Court’s ruling that the unfairness prong of Section 5 of the FTC Act does empower the FTC to bring lawsuits against private companies for insufficient data security practices, and that the FTC is not required to publish rules or regulations regarding what constitutes reasonable security standards. (see more here)
In 2018, the State of Alabama also adopted a data breach notification law that allows for the state to take action against companies who don’t protect customer data.
That means if your business is lax with security and gets hacked, you could be facing federal, state and civil lawsuits. In short, that’s game over for your hard-earned success.
How to Reduce Your Risk Now
One of the easiest ways to better your chances both of not falling victim to a hack and defending yourself if you do is to get an annual cybersecurity audit. The audit looks at your business from top to bottom and in 360 degrees to assess your risk and recommend fixes for deficiencies.
Think of it like a home inspection. We come out, gather very detailed info on how you work, what data you store and literally dozens more data points, then we recommend things you need to do to shore up your defenses.
Most importantly of all, if you do these audits and act on the recommendations, it goes a long way in your defense if and when something happens. In other words, you can show that you:
- Demonstrate an awareness of cyber risks to your organization and customers
- Are acting responsibly toward data collection and storage
- Take real steps to lower the chances of a data breach or other hack occurring
Big companies have entire organizations dedicated to risk management in this way to not only lower costs and improve profitability, but to demonstrate they’re taking every reasonable step to prevent the loss of data or a hack from happening. That goes a long way in court, I can tell you.
Contact us today to set up your cybersecurity audit. Think of it as another layer of “active” insurance amid a rise in cyber attacks against small businesses in Tuscaloosa.