How to Protect Your Business From Cyber Threats

Many small business owners believe cyber attackers only target large corporations, but this isn’t the case. Here are some simple steps you can take to mitigate cyber threats in your business.

Air Date: April 29, 2020

Moderator: Jeanette Mulvey, Editor-in-Chief at CO—, U.S. Chamber of Commerce

Featured Guests: C.J. Mahoney, Deputy General Counsel, U.S. International Trade and Azure, Microsoft

Most small businesses don’t think they’ll be the victim of a cyberattack. This was the case for Amy Brace, owner of Amy’s Cupcake Shoppe. Brace’s small business was targeted by hackers in a phishing scheme. Fortunately, she was able to recover from the attack, but it did cause her to reassess and strengthen her cybersecurity measures.

The Chamber of Commerce Foundation spoke with Brace and Spencer Ferguson, CEO of Wasatch I.T. to discuss how small businesses are susceptible to cyberattacks and the steps they can take to prevent them. Here are three takeaways from that discussion.

Small Businesses Should Take Action as Soon as They Know They’ve Been Hacked

When Brace entered her credit card information into a misleading email, she instantly realized her mistake. She contacted her bank and credit card lenders, and because of her immediate actions, she was able to minimize her losses, but not every small business is so lucky.

Ferguson stressed that if you know you've been the victim of a cyberattack, you have to act immediately and contact your IT department.

“Your IT provider … [will] be able to help you assess the potential damage of the situation and help you create a plan of course to remediate whatever risks are out there,” he said.

From there, take any recommended actions you can and contact anyone who will be directly affected by this attack.

“Change any potential compromised passwords as quickly as possible,” Ferguson said. “Start contacting any additional resources as necessary. This might be your lawyer, your cybersecurity insurance provider … and maybe even law enforcement and affected vendors or customers.”

Multi-Factor Authentication Is an Effective Way to Combat Hackers

After she was hacked, Brace converted all her systems to have multi-factor authentication, which adds another layer of password security. With multi-factor authentication, even if hackers get your login credentials, they won't be able to get into your accounts without the code sent to your phone or email. This is especially useful during the coronavirus pandemic, when many people are working remotely and do not have direct access to their company's security systems.

“I would recommend that you have a policy that says anybody who accesses any of our business data uses multi-factor authentication … [when it] is available,” Ferguson said. “That should include your outside accountants or anybody else who needs to gain access to your information.”

Having Cyber Insurance Can Save Your Business From Crippling Ransomware

Ransomware is a common type of cyberattack in which hackers distribute viruses through fraudulent emails or websites that spread to your company's entire network. They then encrypt all of the files in your computer system and demand you pay them a ransom in order to get the decryption key. If your business pays the ransom, it could not only financially hurt you in the short-term, but also set you up for future attacks.

Aside from having good security measures, a way to minimize the effect of ransomware attacks is to invest in cyber insurance. It's typically an inexpensive fee and it could potentially save your business from financial disaster.

Ferguson shared an example of how cyber insurance saved a client after they had a ransomware attack.

“Their cybersecurity policy paid for [a] $300,000 ransom,” he shared. “It paid for their attorney's fees [and] it also ended up paying … to send letters and offer credit monitoring to all of their customers.”

Additionally, it’s important to make sure your policy doesn’t have exclusions, such as employee error. Having a third-party cybersecurity auditor review different policies and conduct security testing will help cover all your bases.