A Data Breach at Your Small Business Is Your Fault

Gene Marks

A client of mine was hit with ransomware recently. Do you know what ransomware is?

It’s an application that is inadvertently downloaded and immediately searches out and encrypts all the files on a computer or server. And there’s no way to decrypt the files, except for paying a “ransom” (in my client’s case it was $250) to someone on the far reaches of the dark web via bitcoin to get a “key” that maybe will decrypt the data. Maybe.

That’s what the client did. Luckily, it worked.

Another client of mine was infected by malware that didn’t bother to ask for a ransom. Instead it just went straight to their server and destroyed everything on it. Unfortunately, their backups were a week old. They’re still trying to figure out what data were lost.

A third client of mine had a data breach. A hacker got into their server and stole a bunch of credit card numbers stored in their accounting system. By the time the hack was uncovered, the thief was long gone and for weeks after my client had to suffer through the pain of explaining this to their customers. No lawsuits have been filed against them. Yet.

This happens all the time. And the frequency is increasing. Employees lose laptops with company information. Websites get hacked so that visitors are tricked into visiting other sites. Phishing scams open up the door to infections and viruses.

Could better software have stopped this from happening? Nope. In all three of my client cases, software wasn’t even the problem. The problem was people.

The ransomware was downloaded by someone in my first client’s company who mistakenly launched an unknown file. The malware attack at my second client’s company came from a fake website that an employee accidentally browsed. The data breach occurred at the third company because no one had updated their security software for over a year.

The number one cause of data breaches is employee error. At least that’s what a survey from the Association of Corporate Counsel concluded in December 2015. According to a Wall Street Journal article, a report, which contained survey responses from more than 1,000 in-house lawyers in 30 countries, found that 30% of breaches this year occurred as a result of employee error. Another report from CompTIA concluded that human error accounts for as much as 52 percent of the root causes of security breaches and that “employees are a significant factor in the majority of data breaches.”

“You can’t blame users for not doing what you want if you don’t explain it in the first place,” wrote IT World editor Kevin Fogerty back in 2012, “and you can’t blame them much if you don’t show them how a few precautions can benefit them and not just some dour security dictator (sic).” Translation: When your systems get breached, infected or invaded, it’s usually because your employees caused it. And your employees caused it because you didn’t train them.

Want to reduce your exposure? Spend a little. Not just on software, but on training. Bring in your IT firm and have them review proper data security practices with each employee. Draw up a manual and update your policies. Then, in six months … do it again. That’s because things change. There might be new cyber-threats and new employees that weren’t around for the previous training. Budget for semi-annual IT security training. It may cost you a couple of thousand bucks a year. But it will save you many times that in costs related to downtime, lawsuits, bad PR and loss of business.

You can start protecting your business by reading Small Biz Ahead’s free, new eBook: How to Safeguard Your Small Business from Data Breaches. This eBook will teach you how to create your own data breach security policy, train employees and respond to breaches. Most important, it provides a list of the most common security threats you need to prepare your business against and the habits you and your employees may have that leave your business exposed to a breach. The eBook is free and available for instant download, so start reading today and learn how you can help protect your business from a data breach.
