Arm your business against hackers
“We’ve been hacked!”
If you’re a business owner, it’s one of the scariest things you can hear, and it’s something businesses are hearing far too often. According to an April 2024 article by the Associated Press, cyberattacks on businesses, even small businesses, are on the rise. The median costs of ransomware attacks, which block access to a company’s website until hackers’ demands are met, have more than doubled in the past two years and costs per incident have doubled since 2022, to $26,000. In 2023, these types of ransomware attacks constituted 72 percent of all cyberattacks.
For a corporation with deep pockets, an incident like this might be a survivable annoyance. If you’re running a small business, though, it can be catastrophic. According to Forbes, after a hack, 25 percent of small businesses file for bankruptcy and 10 percent go out of business.
As cybercrimes have become more common, insurance companies have evolved a wide variety of products to protect targeted businesses from losses. If you haven’t looked into getting cyber coverage for your business, you probably should. The common refrain among cybersecurity experts is that “It’s not a question of ‘if.’ It’s a question of ‘when.’”
Educate yourself and your staff
Business owners and their staff should all have some cybersecurity training. There are certificate courses, many of which are free, and plenty of online resources with information about keeping your business’s information secure.
There are also basic preventative steps to take:
- Make sure data is encrypted as it moves from place to place.
- Use multi-factor authentication for your customers.
- Keep any software you use up to date.
- Require staff to use strong passwords and to update their passwords on a schedule.
What to do if it happens to you
There are different forms an attack can take. Cyber criminals may lock down your systems to extract a ransom, or steal customer, company, or employee information. Whatever the hackers are after, once you’ve discovered that they’re in your system, you should move at once to limit damage.
If you have an insurance policy that covers fallout from a cyber attack, let your insurer or agent know as soon as you discover the breach.
If you aren’t insured, there are still steps you should think about taking. According to the Federal Trade Commission’s Data Breach Response: A Guide for Business, you first need to ensure that your data breach doesn’t expand by plugging the hole the hackers exploited. This may not be as straightforward as it sounds, and may require multiple steps, some of them potentially expensive.
- Bring in forensic experts immediately after the breach, so you can determine the full extent of the compromise. These experts will collect and analyze evidence, figure out how many of your critical systems are involved, find your business’s vulnerabilities, and help you map out a strategy for mitigating the damage that’s been done. They might prescribe training and changes to your operations, employee management, communications, and investor relations.
- Address your vulnerabilities. If physical access to your systems was the source of your data compromise, you may need to rekey locks, change access codes, and look into installing an alarm system or upgrading the system you have. Check also to see what gives hackers a way in, including unsecured Wi-Fi networks or personal devices, weak passwords, or software with outdated security patches. You should be checking often for these patches, and you should also make sure you’re running the latest version of your critical software packages.
- Do frequent backups of all your critical files, both onsite and in the cloud. Ransomware hackers can’t hold your data for ransom when you can restore it easily.
- Make a plan for the future. Once you’ve identified your vulnerabilities, you need to eliminate or at least lessen them. A solid cybersecurity plan will make you a less tempting target for the criminals. Your plan should include regular reassessments of your vulnerability, installation of firewalls, use of virtual private networks (VPNs), antivirus and anti-malware software, and a schedule for monitoring your website, servers, software, and other systems.
- If you haven’t already instituted two-factor authentication, do it now. Require everyone in your company to use it and also establish a protocol with your employees for strong password protection.
- And speaking of your employees, the human element is the cause of 74 percent of breaches according to the Associated Press article. Make sure they — and you — are trained to identify common social engineering tactics, including social media scams, phishing, whaling, smishing, pretexting, and baiting. If these terms aren’t familiar to you, it’s a sign you need to do some homework.
- Consider adding an IT professional to your staff if you haven’t done so already. Having someone onsite who can not only maintain your critical systems, but who lives and breathes network security, will offer peace of mind and head off damage to your business, which could more than offset the salary you pay.
- Talk to a lawyer. There are legal requirements concerning notification of law enforcement as well as other actions you must take if customer information has been revealed, and these rules are becoming more standardized every year. All states have enacted legislation requiring notification of security breaches involving personal information, and you should make sure you’re on the right side of the rules that apply in the state where you do business.
Sources: Crowdstrike.com; National University (nu.edu)
The information included here was obtained from sources believed to be reliable; however, Grinnell Mutual Reinsurance Company and its employees make no guarantee of results and assume no liability in connection with any training, materials, suggestions, or information provided. It is the user’s responsibility to confirm compliance with any applicable local, state, or federal regulations. Information obtained from or via Grinnell Mutual Reinsurance Company should not be used as the basis for legal advice and should be confirmed with alternative sources.
10/2024