Small businesses are not immune to the dangers posed by hackers and ransomware
While we know cyberattacks and ransomware are a major threat to businesses, we tend to think of them in terms of their impact on tech moguls, financial institutions, universities or governmental agencies.
It is important, though, for small business owners to realize they are not immune to these attacks. Hackers will target anything of value, including stored customer credit card information. They are also capable of shutting down any business’s computer system in order to force payment of a ransom.
Larry Atkinson, a senior digital forensics investigator and network administrator at Lorain County Community College, says small businesses that ignore this threat are doing themselves a major disservice.
“It is just as important — even more important — for small businesses to protect themselves,” Atkinson says. “Many larger corporations can handle a shutdown for many weeks and months. Smaller businesses don’t have the capability to withstand such a long time being down.”
Here are some key questions for small businesses to keep in mind regarding cyber threats.
How can my company begin evaluating its risks and vulnerabilities? Following a cybersecurity framework — a system of standards, guidelines and best practices to manage risks that arise in the digital world — is vital to comply with state, industry and international cybersecurity regulations and to protect your business from the dangers posed by hackers.
There are many frameworks, and among the most popular are the U.S. National Institute of Standards and Technology (NIST), the Center for Internet Security Critical Security Controls (CIS), the International Standards Organization (ISO) and the Control Objectives for Information Technologies (COBIT) frameworks.
There are also industry-specific frameworks. The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP), for example, applies specifically to electric companies.
“Frameworks tell you where you’re at and guide your company to get you to a level where your risk level is acceptable,” Atkinson says.
What policies can my business implement to help protect itself? First, it is vital to back up all critical systems and data.
“The key is not only having a good backup, but also testing the backup process to make sure it is working properly,” says Atkinson.
Companies should also train employees on cybersecurity measures so that they understand how to identify and quarantine phishing and malicious e-mails, avoid clicking on suspicious links and use strong passwords that are changed periodically.
“If an employee clicks on a link or goes to a website that they’re not supposed to, your protection plan is fruitless,” Atkinson says.
In addition, all computer operating systems and applications must be equipped with antivirus and malware protection, and with email security software that is kept active and on current versions. Keep operating systems and applications up to date with relevant security patches installed as they become available.
Also have acceptable use policies in place for electronic devices. This applies to computers, phones and any other devices that are able to access your company’s network.
“One of the most important ones is a BYOD (Bring Your Own Device) policy,” Atkinson says. “When people are allowed to use their own cell phones or company phones that can be used at home or at work, the issue becomes, what is personal data, what is corporate data, and what can you do on the phone?”
And if a crime is committed on the phone, is it the company’s responsibility or the employee’s responsibility?
“With COVID and more companies having a remote-work policy, now you’re using your home system to connect to the company system. What policy do you have in place for that?” he says.
How can having an incident response plan in place help a business that, despite its best efforts, falls victim to an attack? In advance of a potential problem, create a response team that is at the ready should a cyberattack take place.
“These are the individuals you automatically call when an incident occurs,” Atkinson says. “It’s not just computer technology personnel. It’s also lawyers, physical staff and all the stakeholders that are involved that would be affected by the breach. That team should put an incident response plan in place so that at least the first few steps after an attack are planned out.”
And don’t just create a response plan and put it on a shelf. Periodically practice the plan to ensure it remains effective should an incident occur.
In addition, outside resources can help in the event of an attack. For example, Lorain County Community College’s accredited Advanced Digital Forensics Institute offers a resource for businesses impacted by a hack. The institute is equipped with state-of-the-art digital forensics laboratories that law enforcement and private companies’ security personnel may use to conduct investigations.
“We can do forensic recovery of data and can do an incident response, if needed,” Atkinson says.
If your business falls victim to a cyberattack, your local FBI office is a good starting point to determine if criminal activity has occurred and which authorities should be involved. Additionally, the Internet Crime Complaint Center (ic3.gov) is the central repository for all complaints of Internet crime.