Cybersecurity: Disaster Recovery Planning to Protect Your Business from Ransomware
What is a cyber crisis & how can a small business stay prepared?
Ransomware attacks against small businesses are running rampant. Nearly half (43%) of all cyber attacks now target organizations with 250 employees or fewer. Reports also suggest there’s a one-in-two chance your small business will be hit with some form of cyberattack in the next 12 months. In fact, one in five small businesses have already been hit with ransomware.
What is a cyber crisis?
A cyber crisis is when a cybercriminal places ransomware on your website or files and holds your information and data until you pay a ransom. When ransomware hits, the average small business experiences two full days of downtime. They pay anywhere from a few thousand to tens of thousands of dollars to get their data back. One-third of them lose actual revenue, and all of them experience brand and loyalty damage that’s much harder to quantify and recover from.
Unfortunately, while most small businesses end up paying the ransom, that doesn’t guarantee anything. Plenty of businesses have fully complied with the ransom demands, only to have the hacker increase the ransom request—or simply take off with the ransom and your data. It’s no wonder, then, that 41% of surveyed small business customers find that ransomware, phishing attacks, and other viruses are the top threat to their business data.
Why does my small business need a cybersecurity and disaster recovery plan?
One click can unlock the doors to your business data
Cyberattacks increasingly target small businesses. Cybercriminals know smaller organizations have fewer resources to dedicate to data security, making them an easier target. Compromising just one user often grants the hacker the “keys to the castle.”
With a seemingly harmless click on a link or email attachment, ransomware quickly and silently installs on a victim’s device and mounts an extortion attack, demanding a ransom in return for access to their data. And if that user is connected to a cloud collaboration tool, such as Google Drive, OneDrive or Dropbox, the virus can spread to the rest of the organization in minutes. Now the whole company is in trouble.
What do I need to start cyber recovery planning for my small business?
Don’t wait for a disaster to happen – start a cyberattack recovery plan
Many small businesses may not see the importance of a disaster recovery plan until it’s too late. Their data gets compromised, their customers are now vulnerable, and money goes down the drain – next thing you know, their doors may be closing.
Protect your business and its critical data by starting a disaster recovery plan that:
- Has a clear owner
- Involves many partners from across the business
- Is simple to execute
- Leverages a comprehensive, multilayered approach
- Is regularly practiced and continuously updated
Steps to creating a disaster recovery plan
If you’re still wondering about cyber crisis management plans, or how disaster recovery ties into it, use our 10 guidelines below. These steps will help you establish a disaster recovery and cybersecurity plan while taking into account the key points bulleted above.
1. Establish an owner
While the expectation of protecting the business from cyberattacks often falls on the IT department. In a small business, however, this department may already be contracted out or too busy with other issues to take this head-on.
This means it will be important for you to identify someone in the organization who can own the development of the disaster recovery and cybersecurity planning. This person should be organized, comfortable collaborating with people across the organization, and able to add creation, review, and maintenance of the plan as a core responsibility of their job. Business leaders and managers must also support this person’s work in order for it to get the attention it needs from the rest of the organization.
2. Identify representatives from each area of the business
Creating a plan that impacts the entire business will require input from every area of the business. Here’s how to put this step into action:
- As a group, identify which tools and data are most critical for each team to do their work, and then document who has access to those tools and data.
- These documents will need to be updated as employees come and go, or move within the organization. This will require clear and crucial communication between team leads.
- These people will also participate in table-top exercises that will allow your business to practice “what if” scenarios and will test your plan before you actually need it. Make sure to include off-hour contact information for everyone on the team in case an incident occurs outside of normal working hours.
3. Document your risks
Small business risks could include a multitude of events: natural disasters, a vendor or business partner shutting down, a ransomware attack, or simply an unfortunate user error.
This is where the full team can help brainstorm the possibilities:
- What if a supplier goes out of business?
- What if a disgruntled employee deletes a bunch of data before walking out the door?
- What if our office closed down after a hurricane?
Talking through what steps you would need to take to recover from each of these will quickly identify actions to mitigate those risks and what the priority should be.
4. Specify which data, technologies, and tools are most critical
Each department has data and systems they need to function. Accounting needs access to payroll data, developers need their code repository, sales needs their customer lists, fulfillment needs order information, etc.
While all of these systems and technologies are important, in the event of a disaster, you can’t fix everything at once. The disaster recovery team should determine the amount of time the business can reasonably survive without that system or technology, who “owns” that system, and who will be responsible for restoring it. All of this information should be added to your disaster recovery document in step 3.
5. Maintain an inventory of physical assets
Ensure that you keep an updated list of all of the equipment your business uses on a day-to-day basis. This includes not only computers, servers, printers, phones, and network hardware, but other equipment such as office furniture, product inventory, shipping supplies, etc.
As you are creating this list, ask yourself: What would I need to go buy if I had to rapidly set up a new office location somewhere else? And don’t forget to contact your insurance company as you are developing your list. They will help you understand what specifically you need to track and how they can help you get up and running post-disaster.
6. Determine where and how critical business information will be backed up
Around 60 percent of all small business data lives on desktops and laptops. If you want to ensure every important file is covered, then you need a backup solution that includes the following features:
- Protection for every computer – Around 60 percent of all small business data lives on desktops and laptops. If you want to ensure critical data is covered, then you need a solution that automatically protects data on every laptop and desktop.
- Taps the benefits of cloud backup – The cloud enables leading data backup providers to offer unlimited protection. It also provides fast and simple user-driven recovery of important information.
- Runs automatically – Your data backup solution should run silently and automatically in the background without requiring any action by users or impeding their productivity.
- Prioritizes easy recovery – You should be able to specify a point-in-time for your restore and recover your files to any device, without needing a VPN connection.
7. Create a communication plan
When disaster strikes during off-hours, how will you notify employees? Should they report to the office that day? Should they work remotely or an alternate office location? How will customers and vendor partners be notified? Who should handle questions from the media? Where will you store/update contact information for each of these groups?
Not every disaster will merit communication with every constituency, but you should make a plan for identifying how and when these communications will occur as well as who owns that work.
8. Practice! Practice! Practice!
Have you heard the term “table top exercise” before? It simply refers to your disaster recovery team sitting around a table and discussing, in detail, how the company will respond to various given scenarios from your list of possible risks.
Here’s an example:
Imagine an employee clicked on a link in an email that appeared to be legitimate — it turns out it was a phishing attack, and now every computer in your company is locked. And no surprise — the hackers are demanding a ransom. Let the team then talk through what they would do!
There will inevitably be questions that come up about which systems are available, who needs to be involved in addressing it, and who needs to be notified. All of these questions will give you an opportunity to put plans and answers in place so that you aren’t left scrambling when the incident occurs. The more you practice, the better the team gets and the more prepared you will be.
Get started now on an effective disaster recovery and cybersecurity plan now
Planning for a disaster is really easy to put off for some future date for “when you have time”; especially when there is more than enough work to do today just running your business.
Unfortunately, disasters and hackers don’t care if you are ready or not. Take time now to get things in motion that will save you time – and save your business – in the future.
Learn more about our disaster recovery and cybersecurity protection software, CrashPlan — to see how it can keep your business up and running when disaster strikes!