How to Prep for a Cyberattack, and 3 Steps to Take When Your Company Does Get Hacked
January 01, 2024
Was your company hacked in the past year? If not, consider yourself lucky.
It's not a question of if, experts say, but when you'll get hacked.
Cybercrime is up exponentially, driven in part by the pandemic shift to remote work and employees using their own devices to access company networks or, alternatively, adopting work devices for personal use. According to a year-end report from cybersecurity services provider Flashpoint, 4,146 global data breaches were reported from January 1, 2022, to November 30, 2022. About a third of those, 31.8 percent, targeted U.S.-based companies. And while we hear a lot about the hacks at large companies and organizations, small and midsize companies tend to be even more vulnerable to cyberattacks.
"I often see smaller companies that say I'm small enough that hackers wouldn't care about me," says Tiffany Kleemann, clients and markets leader for cyber and strategic risk at Deloitte. "That's just simply untrue. I don't care what size business you are--everyone these days is a target."
Kleemann points out that smaller companies that experience hacks can face an existential threat. Take ransomware for example, a type of cybercrime in which an attacker encrypts a victim's data and demands a ransom from the victim to restore access to the data. A smaller company without the cash flow to meet a hacker's demands could be sunk.
Kleemann says that "job one" for every company looking to safeguard from cybercrime should be to conduct a cyber risk assessment. A cyber risk assessment is a process for evaluating the potential risks to an organization's technology infrastructure, business processes, and security controls to identify vulnerabilities and the potential impact of a hack or data breach. Kleemann likens the process to identifying your company's "crown jewels," and then formulating specific plans for how to safeguard those valuable assets.
Also vitally important is training your employees to identify attempts from external actors to break into your internal systems. These attempts often come in the form of phishing scams, in which someone attempts to obtain sensitive information, such as passwords and credit card numbers, by disguising oneself as a trustworthy entity via electronic communication. These days, Kleemann says, cybersecurity consultants are going a step further than hosting classes on phishing scams; they're sending fake phishing emails to employees as a low-stakes way of testing their abilities to recognize threats.
But what if it's too late? What should you do when you check your website and suddenly, instead of your homepage, you see a message demanding that you pay for the ability to regain control of your business? That's where Frank Shultz, chairman and CEO of business resilience solutions firm Infinite Blue, comes in. Shultz has vast experience helping companies pick up the pieces after a hack, and he shared three key tips with Inc. readers.
If you have any suspicion that an intruder has breached your network, trust your gut and immediately move all communications with your employees to a separate, secure channel that the intruder cannot be monitoring (examples include Signal and Wire). Shultz says that he's seen hacks in which the infiltrators impersonate an employee in the company's Slack channel, and then are able to watch along while the company formulates a plan to counter the hack. Shultz adds that businesses should consider adopting a code word to let employees know that there's been a breach and that it's time to switch to the secure messaging service.
Shultz also says that companies of all sizes should consider getting cybersecurity insurance, which he claims can be a lifesaver if you have no other option but to pay out a ransom. This type of insurance is just emerging, so look for policies that include access to teams that help negotiate with the hackers, and help craft communications about the hack to employees and customers.
The best thing you can do is be prepared and ready to quickly take action, figure out which of your assets would be the most painful to lose, and invest heavily to keep those assets secure.
One thing that both Shultz and Kleemann agreed on? The prospect of your company being hacked isn't a possibility; it's an inevitability. For context, though, Shultz says there's only so much any company can do by way of prevention. "You can surround the Hope Diamond with lasers and bulletproof glass," he says. "But if Tom Cruise wants to rappel through the ceiling and steal it, he's probably gonna find a way to get it."