Anyone else have that sinking feeling last week?
Like me, you probably opened the Arkansas Democrat-Gazette on Tuesday to see a front-page report on a major cyberattack on the Little Rock School District — and the $250,000 ransom the school board voted to pay the hackers to end it.
And like me, you might have thought, “There but for the grace of God go I.”
That’s because, as you likely have read over and over again in Arkansas Business, it’s not a question of if you’ll be the victim of a cyberattack, but when.
As the CEO of one victimized company told us in November 2021, “It doesn’t matter how good you think you are. It doesn’t matter if you’re running in a cloud or if you’re running on your own systems. Anybody can be hit. If you’ve got a computer that’s connected to the internet, you’re susceptible.”
That’s a hard-won lesson — one that more of us are learning firsthand. But there are things business owners, executives, managers — even rank-and-file employees — can do to mitigate the chances of an attack. We’ve shared these tips before in Arkansas Business, but now seems like a good time for a review.
Raise awareness among employees. Bill Yoder, executive director of the Arkansas Center for Data Sciences in Little Rock, told us in July 2020: “Security starts with each and every user.” That includes front-line employees, not just executive management.
In 2020, cybersecurity professionals told our annual small-business magazine, Venture, that company leaders should regularly make employees aware of threats, including email phishing expeditions, and continually stress security.
At every opportunity — staff meetings, companywide memos, employee onboardings — you should emphasize the cybersecurity threats your organization faces and share tips for how all employees can avoid threats and report suspicious activity. Repeat these messages constantly.
Test your organization. Earlier this year in a story about cyberattacks, Senior Editor Mark Friedman talked to Foster Davis, a Little Rock native who co-founded BreachBits of Washington, D.C., a company that safely launches cyberattacks against clients that want to know where their weaknesses are.
“One of our philosophies is that the best way to defend yourself is to test yourself,” Davis told Friedman. “If the hacker does it, we do it.” The company then provides a report to the client about how susceptible it is to attack and how to improve. You might consider running similar tests on your company to find and eliminate vulnerabilities.
Practice the fundamentals. Experts we’ve interviewed over the years say it’s important to do all the things you know you should be doing when it comes to cybersecurity: Change passwords often and use different passwords for different systems, use multifactor authentication, don’t click on suspicious links, be careful what you download, and verify payment and purchase requests in person if possible or on the phone to make sure they’re legitimate.
Finally, make sure your systems and data are backed up properly. That should include offline backups, because backups connected to your system would also be vulnerable to attack.
You’ll never be 100% safe. But these steps are a good start toward avoiding a disaster.