I have a client who was the victim of a ransomware attack. As a result of this attack, all her files were locked and encrypted. She was told that if she paid $100, she would get a “key” with a special code to decrypt her files. They wanted the $100 to be paid in Bitcoin. She didn’t know what to do. However, the ransomware attackers provided a toll-free number for her to call.

You heard right. A toll-free number. To call the ransomware attackers. So she did. “They walked me through the entire process,” she told me. “They were actually really nice. Even better than the customer service I receive from other big companies.”

Yeah, that’s a true story. Ransomware has become such a huge industry ($10.2 billion a year according to the Federal Bureau of Investigation) that the people orchestrating these attacks literally have customer service departments.

If your business hasn’t been the victim of a ransomware attack, or a “phishing” scam (for example, your CEO is impersonated on an email asking for confidential information), or a malware attack that creates havoc on your platform just for fun, you’re lucky. So far.

According to Verizon’s 2023 Data Breach Investigations Report, 54% of data breaches at small businesses involved credentials being stolen. This report also found that 94% of data breaches at small businesses were from external sources and not from within the company. And in another terrifying statistic provided by security firm Purplesec, the victims of cybercrime were up more than 600% in 2020 due to the pandemic.

Data security was a huge issue before COVID. And now it’s an even bigger problem because so many employees have been — and will continue to be — working from home. Home computers that are shared with other family members — particularly kids on social media — are not exactly the most secure environment.

Once a device is compromised, your network is compromised. If your network is compromised, your customer data can be breached or files locked down or stolen. The result: potential lawsuits and interruptions or even termination of your business.

So what can you do? Here are six things you need to do immediately.

1. Buy security software. There are plenty of good choices out there like Avast and MalwareBytes. But make sure this software is installed on all devices used by your employees, even their home devices. Better yet, hire an outside IT firm to monitor and ensure that the applications are updated.

2. Setup online backup. Make sure your databases — cloud or otherwise — are backed up multiple times per day. Use cloud services like Carbonite or IDrive. This way if you are attacked, you have the option to wipe everything clean and restore from your last good backup.

3. Get training. We need to be able to better identify “phishing” emails and other potential threats. The only way to do this is through regular training. Hire an IT firm to do this for your employees or consider using training software like KnowBe4, Infosec IQ, and Proofpoint.

4. Re-visit passwords. Require your employees to use password management software like Keeper, LastPass, or Dashlane and to create long, complicated passwords. Also, and most importantly, make sure there’s multi-factor authentication to access anything on your network. That way, your employees will have to use a combination of passwords and random codes generated by text messages. The best way to accomplish this is to talk to your IT firm or company hosting your data.

5. Update everyone’s operating systems. This could be the most important item on the list. Why? Because Microsoft, Apple, and Google — the top three makers of operating systems — frequently issue updates to their systems that include the most recent security protections. Unfortunately, people sometimes ignore these updates because they’re annoying. But don’t let this happen. Updates need to be required, and again, you may need the services of an IT firm to make sure this is being done.

6. Get cyber insurance. The sad fact is that none of the above actions are foolproof, and cybercriminals are always going to be one step ahead. So when all else fails, having protection for the liabilities — and potential business interruptions — caused by theft or fraud is your best bet.

These are the things that businesses are doing in 2024 to protect their data. And, as mentioned above, while none are foolproof, the more obstacles you put in the way of the cyber thieves, the higher the chance they’ll get frustrated and move on to easier pickings.

Oh, and my client who called the attacker’s customer service department? She’s fine. Although she did have another question a few days later and tried calling them again. Unfortunately, the number was disconnected. Go figure.

Next Steps: Want to learn more? Sign up for the Small Biz Ahead newsletter to receive a weekly roundup of the latest tools, trends, and resources.