Centrend


Are Your Business Tools Ticking Time Bombs For A Cyber-Attack?

In June, a file-sharing product popular among big-name companies like Shell, Siemens Energy, Sony, several large law firms, a number of US federal agencies such as the Department of Health and more was hacked by the Russia-linked cybercrime group Cl0p. Security Magazine reported that, to date, 138 known companies have been impacted by the breach, resulting in the personal information of more than 15 million people being compromised. More are expected to emerge as the investigation continues.

If you’re reading that list of company names thinking, “I’m just a small business compared to these big guys – that won’t happen to me,” we’ve got news for you. Many of these companies have cyber security budgets in the millions, and it still happened to them, not because they were ignoring the importance of cyber security, but because of a piece of software they use to run their business.

Progress Software’s MOVEit, ironically advertised as a tool you can use to “securely share files across the enterprise and globally,” “reduce the risk of data loss” and “assure regulatory compliance,” was exploited through what is called a zero-day attack. This occurs when a flaw in the application creates a gap in security for which no patch or defense is available, because the software maker doesn’t yet know the flaw exists. Cybercriminals quickly release malware to exploit the vulnerability before the software maker can patch it, essentially giving the vendor “zero days” to respond. These attacks are dangerous because they are difficult to prevent and can quickly and easily ruin smaller businesses. Depending on the attackers’ motives, the stolen data can be deleted, held for ransom or sold on the dark web. Or, if you are lucky enough to recover your data, you might still end up paying out thousands or more in fines and lawsuits, losing money from downtime and coming out on the other end with a damaged reputation that causes clients to leave anyway.
In MOVEit’s case, the cybercrime group Cl0p has claimed on its website that its motivation is purely financial and has allegedly deleted data obtained from government agencies, as they were not the intended targets.

What does this mean for small businesses? For starters, it underlines the harsh reality that cyber security isn’t just the concern of big businesses and government agencies. In fact, small businesses can be more vulnerable to cyber-attacks, as they often dedicate fewer resources to protection. It also means that even if your organization is secure, the third-party vendors you work with and the tools you choose to use in your business still pose potential risks. Most of MOVEit’s customers that were affected likely had strong cyber security measures in place. Even though it was no direct fault of their own, at the end of the day, those companies still must go back to their clients, disclose what happened and take the verbal, legal and financial beating that comes with a data breach.

The MOVEit hack serves as a grim reminder of the critical importance of cyber security for businesses of all sizes. In the face of an increasingly sophisticated and fast-moving cyberthreat landscape, businesses cannot afford to ignore these risks. Cyber security must be an ongoing effort, involving regular assessments, updates, monitoring, training and more. As this terrible incident shows, a single vulnerability can lead to a catastrophic breach with severe implications for the business and its customers. In the digital age, cyber security isn’t just a technical issue – it’s a business imperative.

If you have ANY concerns about your own business or simply want to have a second set of eyes examine your network for vulnerabilities, we offer a FREE Cyber Security Risk Assessment. Click here to schedule a quick consultation to discuss your current situation and get an assessment on the schedule.


Scammers Are Using These 10 Popular Brands To Trick You Into Revealing Your Private Data

Cybercriminals know the easiest way to sneak under your radar is to pretend to be a brand you know and trust. These large companies have spent years on marketing, customer service, branding and consistency to build a trustworthy reputation, and hackers leverage this to go after you. The most common method is the phishing attack. These thieves set up URLs that look scarily similar to the real company’s website. To slip by your watchful eye, here are some of the simple switches hackers make that can go unnoticed:

Some criminals will take it a step further and set up a web page that looks identical to the real website. When you click the link – via e-mail, SMS or even through social media – several dangerous results can occur.

The first is that malware can be installed on your computer. Clicking a bad link can set off an automatic malware download containing malicious files with the ability to collect personally identifiable information from your device, like usernames, credit card or bank account numbers and more.

The second is that the fake website will have a form to harvest your information. This could be login credentials, passwords and, in some cases, your credit card or bank information.

The third most common issue is an open redirect. The link might look legit, but when you click on it, you’re redirected to a malicious website where the intent is to steal your information.

What brand impersonations do you need to look out for? Well, all of them, but according to Check Point’s latest Brand Phishing Report, there are 10 companies that top the chart in overall appearance in brand phishing attempts.

Here Are The Top 10 Most Frequently Impersonated Brands In Phishing Attempts In Q2 Of 2023:

Take a minute and ask yourself how many of the companies on this list send you regular e-mail communications. Even just one puts you at risk. Cybercriminals go the full mile with these scams. They know what types of messages work best for each company to get your attention.
Here are three common phishing attacks cybercriminals have used under these brands’ good names to gain access to your private information.

1. Unusual Activity – These e-mails suggest that someone gained access to your account and you need to change your password quickly. They leverage fear so people will click without thinking, hurrying to change their password before they become a victim of the attack. They usually have buttons that say, “Review Recent Activity” or “Click Here To Change Your Password.” These e-mails can go as far as to show fake login information detailing the region, IP address, time of sign-in and more, just as real messages from the companies do, to convince you to click.

2. Fake Gift Cards – These e-mails suggest that someone sent you an e-gift card. When you open the e-mail, they either redirect you to a website to “claim your gift card” or have a button to “redeem now.”

3. Account Verification Required – These e-mails suggest that your account has been disconnected and they need you to verify your information. As soon as you enter your login credentials, the hacker has access.

These scams are happening every single day. You’re a target, but so are the unsuspecting employees in your company. Without proper training, they might not know what to look for, panic and try to resolve these “issues” under the radar, ultimately causing the problem.

There are multiple steps to making sure your network is secure. One is e-mail monitoring to help reduce the likelihood of these phishing e-mails ending up in your inbox. It’s also important to make sure employees know what to look for so that if an e-mail does get by the phishing detection system, they can still keep your company safe.

The best thing to do is to start here with your FREE Cybersecurity Risk Assessment. We’ll evaluate your network and provide a full report on areas where you are vulnerable and what to do to fix them. There’s no obligation, but you should know where you’re at risk. Click here to schedule your assessment now.


Your Personal Titanic Moment

In a recent interview about the Titan sub catastrophe, James Cameron, director of the movie Titanic, who has made 33 successful dives to the Titanic wreckage site, pointed out that this tragedy is eerily similar to the 1912 Titanic disaster: the captain of the 1912 RMS Titanic was repeatedly warned about ice ahead of his ship, yet he plowed ahead at full speed into an ice field on a moonless night, resulting in the deaths of over 1,500 innocent souls. The captain of the sub Titan and CEO of the company OceanGate, Stockton Rush, was also repeatedly warned about his vessel’s safety: the lack of certification of the vessel’s integrity, the lack of a tracking device (think airplane black box), the company’s experimental approach to deep dives (despite the fact that this is a very mature and well-understood practice) and the lack of a backup sub. He also plowed ahead at full speed, taking people down in an extremely unsafe vehicle, and also killed innocent people. If there was ever a case for willful negligence, this is it.

When it comes to IT security and compliance for small business, this kind of willful negligence is rampant. Sometimes it ends with an abrupt, catastrophic “implosion,” as with the Titan, where a company is destroyed by a ransomware attack: operations shut down, unable to transact, employees and clients harmed and its reputation tarnished. In other cases, the risk is there but hasn’t been addressed because nothing bad has happened – yet.

Willful negligence in IT security and regulatory compliance to data privacy and protection comes in three forms.

The first is willful ignorance. Some people running a business are young and inexperienced, too new to the business world to understand the risks they are incurring by failing to protect their clients and themselves. Often, they are being advised by the wrong people – an IT firm that knows how to make their tech work but lacks the expertise to implement good security protections. You kind of can’t blame them for getting it wrong initially, but at some point they’ll get smacked with a cyber-attack and learn the error of their ways the hard way.

The second type of willful negligence is willful stupidity. This group CANNOT claim “ignorance” as their defense. They KNOW they should be protecting their business and their clients’ data from cyber-attacks. They’ve heard the stories, they know the laws and may have been warned by their IT company or person, but foolishly believe “that can’t happen to us,” or choose to assume they’re “fine” because they are using a cloud application that promises compliance (which is correct for THEM, not necessarily for YOU). They trust but don’t verify that their IT person or company is actually doing what they’re supposed to, and often lack cyber liability insurance, choosing to take the risk because they’re cheap or can’t be bothered.

The third type of willful negligence is, in my opinion, the TRUE meaning of willful negligence and the most immoral and unforgivable: determined negligence. These people stubbornly insist on continuing to operate without proper security protocols in place, without a disaster recovery plan, without any insurance, without assessing and inspecting their environment, refusing to acknowledge ALL facts, history and evidence to the contrary. They know they are acting irresponsibly but don’t care.

After the tragedy of the sub, multiple experts came forward to point out all the risky behaviors Rush was allowing. The hull had not gone through any type of cyclical pressure testing or thermal expansion and contraction testing. The hatch could only be opened from the outside and not the inside, which wouldn’t allow the occupants to escape in the event of an emergency – one small fire inside would have been catastrophic. There was no atmospheric system to monitor interior gases such as oxygen, carbon dioxide and carbon monoxide. There was no emergency air breathing system. The viewing window was only certified to 4,000 feet, not the 12,500 feet of the Titanic wreck. But the most egregious of all was an egotistical assumption by the CEO that he knew better than everyone else around him. I wonder if he put all of this in the brochure and explained that philosophy to the people in the sub who lost their lives that day.

Everyone makes mistakes. Everyone has a moment in their lives when they place trust in someone they shouldn’t. Everyone has blind spots, and we’re all ignorant and misinformed about something. The question is: do you STAY willfully ignorant or stupid, to the point of being determined to hold steady to your course of action, to the point where you not only do harm to yourself but to others as well? If you do, it’s only a matter of time before you have your own ship sunk, your own personal Titanic-size wreck. Sadly, if you’re the CEO of a company that holds financial data, credit cards, medical records, tax returns, Social Security numbers, birthdays or even the contact details of your clients OR employees, YOUR willful negligence in cyber protection will absolutely harm others.


Where Did All My Stuff Go?!

Has this happened to you? You are working on your Windows computer, and suddenly, while typing, your stuff disappears, and you are staring at your blank desktop! Then you realize your stuff didn’t disappear; it all just minimized to the bottom taskbar. Now you must open everything up again, but at least it’s still there. Well, this just happened to me, but I didn’t panic. 🙂 I realized that when I had meant to hold Shift + D to get a capital D, I missed and hit the Windows key. Windows key + D means “Minimize all open windows and show the desktop.” To quickly get back to where I was, I just pressed Windows key + D again. Give this a try! Windows key + D is a fast way to get to your desktop if you want to switch applications.


The Shocking Facts About The New FTC Safeguards Rule That Affect Nearly EVERY Small Business Operating Today

As former President Ronald Reagan once said, the scariest words you’ll ever hear are “We’re from the government, and we’re here to help.” In this case, the government is trying to help by forcing nearly all businesses to implement and maintain a strong cyber security program to protect the customer information these companies host – definitely not a bad thing, and all businesses should take this seriously without the government mandating it. Sadly, the majority of small businesses don’t take cyber security seriously enough and believe they are doing enough to prevent a cyber-attack when they aren’t, which is why the government is having to step in and create laws (the GLBA) to enforce better security protocols.

What Is The New FTC Gramm-Leach-Bliley Act Safeguards Rule And Who Does It Apply To?

Back in April of 2022, the FTC issued a new publication entitled “FTC Safeguards Rule: What Your Business Needs to Know.” This was published as a “compliance guide” to ensure that all companies that fall under the Safeguards Rule maintain safeguards to protect the security of customer information. While you might think your business is “too small” to need to comply or doesn’t hold any data “that a hacker would want,” you’ll be shocked to discover you are likely wrong on both fronts. Hacking groups use automated bots to randomly carry out their attacks – and small businesses are their #1 target due to the gross negligence and inadequate protections they have. You are low-hanging fruit. That’s why it’s not only the obvious organizations, such as CPAs, financial institutions and credit unions, that need to comply.

Here’s a short list of just a few of the organizations that fall under this new law. You should know that this is NOT a complete list:

- Printers that print checks or other financial documents.
- Automotive dealers who provide financing for car purchases.
- Any organization that accepts credit or loans for the goods and services they sell, whether or not the credit is granted.
- Companies that do tax preparation or credit counseling of any kind.
- Real estate settlements, services or appraisals.
- Career counselors that provide services to people employed by or recently displaced from a financial organization.

As you can see, the list of companies that must comply is growing rapidly. Bottom line: if you handle any kind of financial data or personally identifiable information, you need to make sure you are complying with these new standards.

What You Need To Do Now

The rule requires you to implement a “reasonable” information security program. But what does that mean? For starters, you need to designate a qualified individual to implement and supervise your IT security program – and you cannot outsource this. Yes, you can and should get a professional IT firm like us to guide you on the implementation, but the buck still stops with you. The person you designate doesn’t have to have a background in IT or cyber security – but they will be the person responsible for ensuring your company is taking reasonable precautions to comply with the new security standards.

Second, the Safeguards Rule requires you to conduct a risk assessment to initiate an effective security program. From there, you would work with your IT company (us!) to roll out a plan to secure and protect the data you have by putting in place access controls, encryption, data backups, 2FA and a number of other protections. Cyber security is not something you do once – it’s an ongoing effort of protection as new threats evolve.

If you want to see where your organization stands on cyber security, click here to sign up for a quick, easy and completely free Cyber Security Risk Assessment. That is the first step toward complying and will give you the information you need to know about your own security stance.


The One Lesson Business Owners Miss When Training Employees That Can Cost Them Thousands

Training employees on anything can be an expensive process. You incur the cost of investing in necessary materials plus the time it takes away from your employees doing revenue-generating activities. But what’s worse when it comes to cyber security training is the expense you’ll incur if that training fails. Recent studies show that human error plays a role in a shocking 90% of data breach cases!

Smart business owners are taking a proactive approach and training their employees on cyber security do’s and don’ts. While we applaud their efforts and encourage all owners to take this step, research suggests their efforts aren’t paying off. Despite their willingness to train employees, the number of data breaches continues to increase. What gives?

We’ll be the first to say it – cyber security training can be boring. And what happens during boring presentations? People aren’t engaged, so they tune out and miss the critical information needed to keep your company secure. After the presentation, they sign off, saying they have learned the lessons, but have they really, or are they a ticking time bomb in your organization? The latter is likely true.

If you want the information to stick, you must take some additional steps – and the most important is putting them to the test! According to Education World, interactive activities are six times more effective for learning and remembering material than simply listening to a lesson. You can incorporate this tactic by putting employees to the test to find out whether or not they can apply what they learned. One of the best ways to do this is to use phishing simulations.

Here’s how the process works: A third party creates a realistic but fake phishing e-mail that shows the identifiable signs discussed in the training. An example could be an e-mail that looks like it came from the CEO requesting private information, an outside company sending a bad link, etc. You can customize it to look like something relevant that your employees could potentially see and fall for. The employees are then put to the test. You choose which employees will receive which links and on what dates the e-mails will be sent. Will they be able to identify the threats, or will they fall for the scams? The results are collected and shared with you to develop more comprehensive training programs and help you identify which employees are your biggest risks so you can provide specific coaching.

Another great way to use phishing simulations is to send out the tests before the training. When employees see that people in the company are making mistakes, they are more likely to pay attention to the lesson.

It’s not enough to just teach the information! It must be learned and implemented every day to be effective and keep your organization secure. If you’re looking for effective cyber security awareness training for your employees, our team has a comprehensive program that will engage, teach and test your employees so you can have peace of mind knowing they are working to keep your company safe. Book a FREE call using the link to get in touch with our team and get started on your cyber security training session today. https://calendar.app.google/jSA1tteBxFJKnJkX6


Cybercriminals Are Deploying Powerful AI Powered Tools To Hack You – Are You Prepared For What’s Coming?

An Arizona family was recently in the news warning others about how they were the target of a ransom call in which scammers used AI (artificial intelligence) to clone their daughter’s voice to convince the parents they had kidnapped her, with the apparent goal of extorting money. DeLynne Bock, the mother of Payton Bock and target of the con, said she feels she can easily spot a fake scam call, but this was on a whole other level.

According to the news story, the scammers called their home, where DeLynne’s husband answered the call. A man on the other end of the line was screaming and using foul language, saying his daughter had caused an accident, hitting his car, and couldn’t find her insurance. From there, he started making threats, saying he had her tied up in the back of his truck. What made the call so convincing was the deepfake of her daughter’s voice on the other end of the line – pleading for help, crying. Unable to reach her daughter by phone, DeLynne called the police while her husband kept the man on the phone.

“I called the police, and they’re saying, ‘This is possibly a scam situation.’ I said, ‘There is no way this is a scam. This is my daughter’s voice,’” DeLynne said. “This wasn’t just some person pretending. As a mother, you know your daughter’s voice, and this was my daughter.”

Apparently, this wasn’t the first time this had happened, which is how the police were able to suggest it could be a scam. This is just the latest iteration of how hackers are using AI to produce deepfakes to extort money. AI and ChatGPT have been in the news recently for a reason – AI is an extremely powerful tool that, if put in the wrong hands, can do a lot of harm.

It’s not a stretch to imagine the use of AI to fake a CEO’s voice, signature or writing style in an e-mail, text, call or instant message to trick an employee into sending money or doing things that would severely harm the organization, such as providing a login or access to the company’s network, data or critical applications. Or similarly, to use this same type of approach to scam clients or patients into giving up confidential information or payments.

A report released by security experts at Home Security Heroes showed that 51% of common passwords could be cracked in less than one minute using an AI. Both the length and complexity of the passwords factored into the speed of successfully cracking the password, but even a complex password with seven characters using both uppercase and lowercase letters, numbers and symbols took just minutes to crack. This means it’s hypercritical for all business owners to no longer rely on strong passwords and simple antivirus to protect their organization.

Today, all businesses should have some type of security awareness training for their employees. For example, simply sharing this article and others like it that we publish can go a long way toward making sure they’re always on high alert for scams; but sharing the occasional article is not enough. You should have some type of ongoing reminders and formal training so that it’s always top of mind. Employees AREN’T “too smart” to fall for these scams. If someone can trick a mother into believing her daughter has been kidnapped by cloning her daughter’s voice, they can trick an employee into clicking on a link, giving them access or transferring funds – and it’s happening right now to a lot of businesses.

Second, you need to work with your IT company to ensure they have implemented robust cyber security tools and protections, as well as disaster recovery protocols, so if you are ransomed, you can be sure to recover your data. This is not an area to be cheap about. Most people stubbornly believe it won’t happen to them, or that it will be a minor inconvenience, not the costly, business-crippling and devastating disaster that a cyber or ransomware attack can be. An ounce of prevention goes a long, long way toward minimizing your risk.

If you want to make sure your IT services provider is protecting you properly, click here (https://calendar.app.google/jSA1tteBxFJKnJkX6) to request a FREE IT Security Risk Assessment. This assessment is not time-consuming, invasive or difficult to do, but it will give you the unvarnished truth about your current security and whether or not you are properly and brilliantly prepared for a cyber-attack.


The Biggest Risk Is Not The One You Don’t Take, But The One You Don’t See

“The biggest risk is the one you don’t take” is a mantra you’ll hear motivational speakers deliver in their presentations to make the argument that you should throw all caution to the wind and go for it (whatever “it” is). And while that may be a good piece of advice to get someone to take action on an idea (and get the speaker applause at the end of their presentation), truly smart, experienced entrepreneurs and business executives NEVER throw “caution to the wind” and take wild risks. They take calculated risks, weighing consequences and putting buffers, hedges and checks in place to reduce the risk and potential losses. They look for the risk because they know unchecked optimism is not only foolish but dangerous, and Murphy is always standing by with a big wrench in hand, ready to throw it into your best-laid plans.

If you follow Warren Buffett’s two rules of investing, you’ll see this same caution: Rule #1 – Never lose money. Rule #2 – Never forget Rule #1.

A good question to ask yourself is where YOU are putting your business and your money at undue risk. While you cannot prepare for and prevent EVERY risk in your business, one area where we see a lot of businesses taking huge, unmitigated risks is with their data and cyber security. Despite the overwhelming evidence that the risk and the financial consequences of cyber-attacks are enormous, we still hear, “Nobody is going to hack us…we don’t have anything they want,” or “We can’t get hacked because _____,” with the blank being things like “we use cloud applications,” “we have a good firewall,” “our people are too smart to click on bad links in e-mails,” or other similar “reasons” for their false sense of security. They explain it away. Candidly, it’s our belief that this is not founded in confidence and logical thought but based on willful neglect and a desire to avoid spending the funds necessary to truly secure their data, their business and their finances. And while I completely understand that nobody wants to spend a lot of money on IT, the risk doesn’t cease to exist just because you choose to ignore it.

One of the smartest investors in the world, Howard Marks, CEO of Oaktree Financial, said, paraphrased, that the less risk you perceive, the more risk there is. For example, if I don’t think there’s any chance I can die in a car wreck on my way to the store, I’ll fail to put on my seat belt, text while I drive and be a lot less cautious about paying attention to the road than if I thought there was a very high chance I could be in a fatal crash. The lower the perceived risk, the higher the actual risk, because we lower our guard and don’t protect against it.

That’s exactly why small businesses are the #1 target for hackers. They’re EASY prey. Sure, they don’t get the bragging rights of bringing down a company like Dole or hacking into Microsoft Azure, but hacking millions of small businesses for a few thousand dollars each in ransomware pays. You just don’t hear about these attacks because they don’t make the evening news, just like you don’t hear about the 6 MILLION car wrecks that happen every year. Only the big ones – or the ones that seriously impact rush hour traffic – get noticed.

If you are not all that certain that you are truly and fully protected against such hacks, click here (https://calendar.app.google/jSA1tteBxFJKnJkX6) to schedule a brief discovery call with us. We can conduct a quick and easy cyber security risk assessment and tell you for sure if your current IT company is protecting you, and what level of risk you’re at for a cyber-attack. It’s free and comes with no expectations or cost.

Remember, not all successes are measured in gains secured. Sometimes success is defined as losses avoided. If you were given the chance to go back in time and unwind 2 or 3 financial, business or life decisions you’ve made, knowing what you know now, I’m sure you would take that opportunity. Most likely, you’d go back and warn yourself about dumb mistakes you made and put protections in place to avoid losses you incurred. Sadly, there’s no genie in a bottle to make that happen, so an ounce of prevention against cyber-attack IS, without a doubt, worth a pound of cure. Call us today for your FREE Cyber Security Risk Assessment.


5 Seemingly Innocent Download Habits Your Employees Must STOP Now To Avoid A Ransomware Attack

Once upon a time, you could install antivirus software and go about your merry way online and in your inbox, opening, clicking, and downloading files without care. Today, antivirus alone cannot and will not protect you, especially if you INVITE the hack by downloading a file that carries code designed to get around your security controls. Whether it’s a personal computer, phone, or laptop you use for business, here are 5 things you need to STOP doing now to lower your odds of getting hacked.

1. STOP downloading apps from unknown sources. There are thousands of free apps available online that are very tempting to download, and hackers are masters at curiosity and “clickbait” designed to nail you in a moment of weakness. To prevent rogue apps and programs from installing, configure your devices to disallow the installation of programs from unauthorized sources. On your phone, ONLY download apps from your device’s app store, where apps are tested and required to meet the store’s security and privacy requirements. Business owners: while I’m sure all of your employees are trusting souls, it IS possible (and recommended) to lock down business machines so employees cannot install applications (or open downloaded files) that could compromise your security. In practice that means taking local administrator rights away from day-to-day user accounts and using application control (for example AppLocker on Windows) so that only approved software runs.

2. STOP surfing the web unprotected, particularly when downloading files. This is especially true on public WiFi. Starbucks is not going to guarantee your Internet connection is safe, nor is any other business, restaurant, or location offering free Internet access. Talk to your IT company (that’s US!) about more than just antivirus: endpoint protection on every device, web filtering that blocks known malicious sites, and a VPN that encrypts your traffic so nobody sharing the coffee shop’s network can read or tamper with it. With those in place you CAN use public WiFi without inviting a hack.

3. STOP opening and downloading files e-mailed to you without extreme caution. Phishing attacks via e-mail are still the #1 way hackers gain access to a network. It’s very common for an attacker to break into someone’s e-mail account, harvest their contacts (friends, colleagues, coworkers, their boss), and then send e-mails on “their” behalf from that real account – these are highly sophisticated phishing attacks. So, before you open or download ANY file e-mailed to you, make sure it is the one you were expecting. It’s far safer to use IT-managed file sharing like OneDrive, SharePoint, or Citrix ShareFile to send attachments. Bottom line: if ANYTHING about a file “feels” wrong – a weird extension, a double extension like “invoice.pdf.exe”, an archive where you expected a document, a suspicious file name – CALL the person who sent it, using a phone number you already have rather than one printed in the e-mail, to verify. If it’s important, they can send it again.

4. STOP downloading “bloatware.” It’s common for legitimate, reputable apps to sneak in other applications or toolbars you don’t need. The app makers sell this as sponsorship and make money every time one of their users installs the bundled extra. The best way to spot these is to look for checkboxes during installation that opt you into extra software by default, and to pick the “custom” or “advanced” install when one is offered. So, before you hit “Next” and keep rolling to get your app installed, take a second to really read and review what you’re agreeing to.

5. STOP downloading music, software, games, movies, and the like over BitTorrent and from torrent sites like RARBG, 1337x, and similar peer-to-peer file-sharing sites. File-sharing networks are breeding grounds for hackers, who post files infected with malicious software for people to download. Some of the ads on these sites are malicious as well. Don’t feel “safe” just because you have antivirus – because you’re not.
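A small checker for the “weird extension or suspicious file name” test in item 3 above. This is an added example, not code from the original post or from Centrend; the extension lists, the sample file names, and the function names are constructed for illustration and are not exhaustive:

```python
"""Attachment-name checks for item 3 above.

Added example, not part of the original post: flags e-mail attachment
names that deserve a phone call to the sender before opening.  The
extension lists below are constructed for illustration, not exhaustive.
"""
import os
import re
import unicodedata

# Types Windows runs as code the moment they are opened.
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".msi", ".lnk", ".cpl",
}
# Office formats that can carry macros.
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
# Containers attackers use to smuggle an executable past mail filters.
CONTAINER_EXTS = {".zip", ".7z", ".rar", ".iso", ".img", ".vhd", ".vhdx"}
# Types users expect to be harmless documents or pictures.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".txt", ".jpg", ".jpeg", ".png"}

# Unicode text-direction controls: "photo<RLO>gnp.exe" displays as "photoexe.png".
BIDI_CONTROLS = {"RLO", "LRO", "RLE", "LRE", "RLI", "LRI", "FSI", "PDF", "PDI"}


def split_exts(filename):
    """All extensions of the name, lowercased, in order.
    'Invoice.PDF.exe' -> ['.pdf', '.exe'];  'report' -> []."""
    parts = os.path.basename(filename).lower().split(".")
    return ["." + p.strip() for p in parts[1:] if p.strip()]


def attachment_warnings(filename):
    """Return human-readable reasons the attachment NAME looks wrong.
    An empty list means nothing obviously suspicious about the name;
    the content may still be malicious, so this is a first filter only."""
    warnings = []

    if any(unicodedata.bidirectional(ch) in BIDI_CONTROLS for ch in filename):
        warnings.append("hidden text-direction characters: the displayed name "
                        "is not the real name")

    exts = split_exts(filename)
    if not exts:
        warnings.append("no file extension at all")
        return warnings

    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        warnings.append(f"executable type {last}")
    if last in MACRO_EXTS:
        warnings.append(f"macro-enabled Office document {last}")
    if last in CONTAINER_EXTS:
        warnings.append(f"archive or disk image {last} (may hide an executable)")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last not in DOCUMENT_EXTS:
        warnings.append(f"double extension: looks like {exts[-2]} but is really {last}")
    if re.search(r" {3,}", filename):
        warnings.append("padded with spaces to push the real extension out of view")
    return warnings


def is_suspicious(filename):
    """True when the name alone is reason enough to call the sender."""
    return bool(attachment_warnings(filename))


if __name__ == "__main__":
    # Constructed sample attachment names, not from a real mailbox.
    samples = [
        "Q3 report.docx",
        "Invoice.pdf.exe",
        "photo\u202egnp.exe",          # many mail clients show this as photoexe.png
        "payroll.zip",
        "Contract" + " " * 40 + ".scr",
        "Scan_001.jpg",
    ]
    for name in samples:
        flags = attachment_warnings(name)
        verdict = "CALL THE SENDER" if flags else "looks ordinary"
        print(f"{name!r:45} {verdict}: {'; '.join(flags)}")
```

Run it on a filename to get the reasons, if any, to pick up the phone. It only inspects the name: a clean name says nothing about the content, so it complements rather than replaces the endpoint protection and web filtering discussed above.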
Business owners: after showing this to your team for both their work and personal devices, click here (https://calendar.app.google/jSA1tteBxFJKnJkX6) to schedule a quick 10-minute call to find out how we can implement security systems that will give you stronger protections against hackers and against employees who accidentally click on or download a malicious file. 


“If I’m Going To Get Hacked Anyway, Why Bother Spending Money On Cyber Security?”

In his book The Road Less Stupid, Keith Cunningham makes this observation about succeeding in business: “I don’t need to do more smart things. I just need to do fewer dumb things.” When it comes to cyber security, I see a lot of dumb decisions made by smart people, based either on ignorance of what can happen or on a desire to stick their proverbial heads in the sand to avoid spending the money and time it takes to protect their assets.

One of the biggest mistakes is thinking you won’t get hacked because you’re too small, or because you “don’t have anything the hackers would want.” Allow me to point out that you’re not too small to get hacked, but you are too small to make headline news. Millions of small businesses get hacked every year – they simply don’t talk about it because of the potential liability, bad PR, and loss of client and marketplace trust. They’re embarrassed.

Further, you’re right – hackers, for the most part, don’t want your stuff, unless you happen to have medical records, credit cards, social security numbers, etc. Those are very valuable digital assets that can be sold on dark web marketplaces, and cyber criminals are in it for the money. But more to the point, YOU want your stuff, so they’ll kidnap your information and hold it for ransom to extort money from you. Kidnappers don’t steal a child because they want to start a family. They steal your children because YOU want your children and they know you’ll pay anything to get them back, safe and sound.

So it goes with ransomware. When all of your work files and e-mails go away, very few businesses can pick up from ground zero and keep operating without any losses. Perhaps the solo operator working from home, but certainly not a small business that has been operating for several years with multiple clients and employees producing work for those clients.

Another excuse I’ll hear for not implementing cyber protections is, “Since I’m going to get hacked anyway, why bother spending so much money on cyber security? I’ll just get an insurance policy, back up my data, and take the hit.”

While that might sound logical, here’s why it’s a gloriously stupid plan…

Insurance companies are in business to make money, NOT to pay out policy claims. A few years ago, cyber insurance carriers were keeping 70% of premiums as profit and paying out only 30% in claims. Fast-forward to today and those figures have turned upside down, causing carriers to make drastic changes in how cyber liability insurance is acquired and how coverage is paid. In fact, the CEO of Zurich Insurance Group recently predicted that cyber-attacks are set to become uninsurable.

Today, getting even a basic cyber liability policy requires you to prove you have certain security measures in place, such as multifactor authentication, password management, endpoint protection, and tested, proven data backups. Carriers want to see phishing training and cyber security awareness training in place, and some will want a WISP (written information security program) or a business continuity plan from your organization. Depending on the carrier, your specific situation, and the coverage you’re seeking, the list can be longer.

Also, hackers are onto your backup plan: modern ransomware attacks not only take your data but also seek out and delete or encrypt your backups before the ransom note appears, which is why a backup only counts if a copy is kept offline or immutable and you have actually tested restoring from it. The additional threat is that if you don’t pay, they’ll release your files online for all to see, including payroll information, ALL e-mail communications, client contracts, and more. Do you really want that in the hands of competitors and the general public? Insurance won’t cover that.

Bottom line: having cyber protections in place cannot guarantee you will never get hacked, but it CAN dramatically limit the damage done and absolutely will block the majority of attempts, so you stop being low-hanging fruit.

Wearing a seat belt, driving a safe car, and practicing good driving habits (like not texting and driving) won’t guarantee you’ll never be in a car wreck – but if you do those things, the risk of a crash goes down dramatically AND your chances of coming out alive and unharmed obviously go up.

Want a FREE, confidential assessment of your current cyber security status? Click here to schedule a quick 10-minute call to start a discussion and see if you could benefit from a more robust cybersecurity plan.

