News Aug. 5, 2025

Protecting your business from ransomware

Only 14% of small businesses say they have a cybersecurity plan, so most small businesses are unprepared for a ransomware attack, according to the U.S. Chamber of Commerce. In 2023, small businesses were the target of 43% of all cyberattacks.

The average cost of a cyberattack can range from $120,000 to $1.24 million per incident, and most small businesses that experience a cyberattack reportedly close within six months of the incident.

Ransomware restricts access to a computer system or data—often by encrypting files—and demands a ransom payment for their release. The U.S. Chamber of Commerce shares the following steps you can take to protect your company from ransomware attacks.

  • Ensure your software is up to date. Software providers issue updates that include important security patches and upgrades. Update your security programs regularly and promptly.
  • Layer security measures. Use more than one security tool, such as a combination of a firewall, antivirus software, anti-malware software, spam filters, and cloud data loss prevention. If one tool fails, there are backup protections in place.
  • Conduct training. An “insider threat” describes any action from an employee that compromises the security of a company’s data and systems. These threats often come from negligence or human error. Be sure your team is trained on what ransomware is and how they can prevent an attack.
  • Configure access controls. Manage who can access your information using the principle of least privilege, which means each person gets only the minimal access to files, programs and accounts they need.
  • Use multifactor authentication and strong password requirements. Multifactor authentication requires a user to provide more than a single factor—such as username and password—to gain access; for example, a code might be texted to your phone. Additionally, encourage employees to set strong passwords that are a minimum of eight characters but no more than 64 characters; use special characters; avoid using sequential or repetitive characters; and are not commonly used. A password manager tool also can help employees keep their accounts secure.
  • Back up everything. Avoid paying a ransom by backing everything up regularly—every day, if possible. Store a copy of your system on an external hard drive that is kept offline and can be accessed only by your team.
  • Set up strong spam filters. This can reduce the risk of phishing and of your employees falling for a scam that introduces malware into your system.
  • Set up application whitelisting. Sometimes known as allowlisting, it only allows trusted files, applications and processes that have been explicitly permitted to run.
  • Verify email senders. Phishing is one of the most common ways a ransomware attack occurs. Pay close attention to senders’ email addresses.
  • Sign up for regular threat reports. There are resources available to help you stay informed about cybersecurity threats. Subscribe to receive regular emails that will inform you of threats and tips.
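
The password rules in the list above (8 to 64 characters, a special character, no sequential or repetitive characters, not commonly used) can be checked when an account is created or a password is changed. The following Python check is an added example, not code from the article or the U.S. Chamber of Commerce; the run length of three and the short common-password list are assumptions made for illustration.

```python
import string

# Constructed sample list; a real deployment would load a large
# breached-password list instead.
COMMON_PASSWORDS = {"password", "password1!", "qwerty123", "letmein!"}

MIN_LEN, MAX_LEN = 8, 64  # limits stated in the article
RUN_LEN = 3               # assumption: 3+ characters in a row count as a run


def has_repeat_run(pw, n=RUN_LEN):
    """True if one character repeats n or more times in a row (e.g. 'aaa')."""
    return any(len(set(pw[i:i + n])) == 1 for i in range(len(pw) - n + 1))


def has_sequence(pw, n=RUN_LEN):
    """True if n letters or digits in a row ascend or descend by one."""
    for i in range(len(pw) - n + 1):
        window = pw[i:i + n].lower()
        if not window.isalnum():
            continue  # only letters and digits form sequences like abc or 321
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def check_password(pw):
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("too short")
    if len(pw) > MAX_LEN:
        problems.append("too long")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if has_repeat_run(pw):
        problems.append("repetitive characters")
    if has_sequence(pw):
        problems.append("sequential characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("commonly used")
    return problems


if __name__ == "__main__":
    for sample in ("Roof!ng-Crew-2025", "Summer111!", "Tr4de#4321x"):
        print(sample, "->", check_password(sample) or "ok")
```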

To help contractors address cyber liability risk, NRCA has partnered with BPM Insurance Services and Acrisure to offer NRCA’s Cyber Liability Insurance Program.
