SALT LAKE CITY — For weeks, Peggy Larsen woke up each morning feeling like she was going to throw up.
Months prior, an employee at the company where Larsen worked had informed them that someone had broken into his garage and stolen an $8,000 bike and a laptop.
The laptop contained the personal information of 300 company customers — including Social Security numbers and credit card information.
As the billion-dollar company’s public relations representative, it was Larsen’s job to personally reach out to each customer and explain what had happened.
“I wanted to quit my job,” she said. “It was horrible.”
But the months of anguish did impress upon Larsen something valuable. While the company had not had a plan in place for a possible security breach prior to the burglary, shoring up the company’s cybersecurity soon became a top priority.
“It’s not a matter of if, but when,” Larsen said of company cyberattacks during her speech at the Salt Lake Chamber’s Cybersecurity Conference in Salt Lake City Thursday.
While many large businesses have some sort of cybersecurity strategy in place, many small- and medium-sized businesses do not, she said. And 60 percent of small businesses fail within six months of a cyberattack.
“It’s something everybody’s gotta be thinking about now. If you don’t, it’s really going to come back to hurt you later,” said Jeffrey Collins, supervisory special agent with the Federal Bureau of Investigation.
While securing a business from cyberattacks can be a lengthy and expensive process, here are four tips from the Salt Lake Chamber Cybersecurity Council to help keep your business safe:
1. Timely patching
In March 2017, Apache Struts, a web application framework used by thousands of companies, revealed a security flaw and issued a patch. The Apache Struts project then encouraged organizations using its software to update their systems and apply the patch.
Equifax, an enormous credit reporting agency, did not apply the update. Soon, attackers compromised the company’s network using the Apache Struts security flaw. Months later, Equifax noticed suspicious traffic and took the website offline to patch the vulnerability.
After some investigation, Equifax announced that 143 million records were stolen because of the breach. In the following weeks, Equifax’s stock dropped from $142 per share to $93, and the chief information officer and chief security officer both retired, followed closely by the company’s CEO.
The lesson? Keep an active inventory of the software and systems your business uses, then quickly update those systems when critical security updates become available. Train your employees to do the same.
2. Data backup
Ransomware is quickly becoming a hacker’s best friend. All an attacker needs to do is convince someone to click on a link or open an attachment, and the hidden malware can quickly take over a computer and encrypt its data, offering to decrypt it for a fee.
Over the course of a year, small and medium businesses paid $301 million in ransoms for data, according to the Salt Lake Chamber Cybersecurity Council.
To protect your business, identify all the information critical to your company and back it up to an external drive, a network drive or the cloud. For extra security, back up the information in several different places. Regularly update and test the backups.
If the data on the computer is backed up somewhere, the ransomware has no power. It cannot steal the data, only encrypt it.
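The advice above to regularly test backups is the part most often skipped. The following is an added example, not code from the article or from the Salt Lake Chamber Cybersecurity Council, showing one way to make that test routine: record a SHA-256 hash of every backed-up file in a manifest when the backup is made, then later re-hash the backup copy and report anything missing or altered. All paths, file names and contents are constructed for the demonstration and run inside a temporary directory.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, with '/' separators) to its SHA-256."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, dest: Path) -> dict:
    """Copy the source tree to dest/data and write the manifest next to it."""
    shutil.copytree(source, dest / "data")
    manifest = build_manifest(source)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(dest: Path) -> dict:
    """Re-hash every file named in the manifest and compare.

    Returns {'ok': bool, 'missing': [paths], 'changed': [paths]} so the
    result can be logged or alerted on, not just printed."""
    manifest = json.loads((dest / "manifest.json").read_text())
    data = dest / "data"
    missing, changed = [], []
    for rel, digest in manifest.items():
        p = data / rel
        if not p.is_file():
            missing.append(rel)
        elif file_sha256(p) != digest:
            changed.append(rel)
    return {"ok": not missing and not changed, "missing": missing, "changed": changed}


def demo() -> tuple:
    """Constructed end-to-end run: back up two files, verify the copy, then
    damage the copy (one file overwritten, one deleted) and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, dst = tmp / "live", tmp / "backup"
        (src / "customers").mkdir(parents=True)
        (src / "customers" / "list.csv").write_text("id,name\n1,Peggy\n")  # constructed
        (src / "notes.txt").write_text("quarterly plan\n")  # constructed
        make_backup(src, dst)
        clean = verify_backup(dst)
        # Simulate a backup copy that was reached and damaged after it was taken
        (dst / "data" / "notes.txt").write_bytes(b"\x00garbled")
        (dst / "data" / "customers" / "list.csv").unlink()
        tampered = verify_backup(dst)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("fresh backup ok:", before["ok"])
    print("damaged backup:", after)
```

One design point worth noting: the manifest written next to the backup only proves the copy has not changed since it was made. To also catch a backup that an attacker could rewrite along with its manifest, keep a second copy of the manifest somewhere the backup job cannot write to, which is the same "several different places" logic the article applies to the data itself.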
3. Train your employees to look out for email and phishing attacks
Hackers are also adept at exploiting human nature.
Business email compromise (BEC) is a common tool in an attacker’s kit: hackers will often send an email from an address similar enough to that of a company employee to escape the notice of the person who receives it.
For example, if the company email is @ksl.com, a hacker might send an email from the address @ks1.com. An employee quickly scanning through emails might not notice the difference.
The email may request a wire transfer, or it may carry a phishing link or an infected document that prompts the target to enter their email username and password. Upon hitting submit, the information is sent to the attackers.
Train your employees to look out for suspicious emails and make sure they check the sender’s address on any suspicious email before submitting information.
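The ksl.com versus ks1.com trick above is easy for a person to miss and easy for a mail filter to catch. As an added example, not code from the article or from any product it mentions, the following Python flags a sender domain that is not on the company’s trusted list but collapses to the same "skeleton" as a trusted domain once look-alike characters (1 for l, 0 for o, 5 for s and so on) are unified. It goes one step beyond the article by also flagging a From: line whose display name shows a trusted address while the real address is elsewhere, a common variant of the same trick. The trusted domain, the confusable table and the sample headers are all constructed for the example.

```python
from email.utils import parseaddr

# Domains this organization expects mail from (constructed; the article's example).
TRUSTED_DOMAINS = {"ksl.com"}

# Single characters commonly substituted for letters they resemble (constructed list).
CONFUSABLES = str.maketrans({
    "1": "l", "|": "l", "!": "i",
    "0": "o",
    "5": "s", "$": "s",
    "3": "e",
    "4": "a", "@": "a",
    "7": "t",
})


def skeleton(domain: str) -> str:
    """Reduce a domain to a form where look-alikes compare equal.

    'ks1.com' -> 'ksl.com'; 'rn' is folded to 'm' and 'vv' to 'w' because those
    pairs read as a single letter in many fonts."""
    d = domain.lower().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def sender_domain(from_header: str) -> str:
    """Return the real domain of a From: header value, or '' if none is present."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a From: header as one of:

    'trusted'            real domain is on the trusted list
    'display-name-spoof' display name shows a trusted address, real domain does not match
    'lookalike'          real domain is untrusted but has the skeleton of a trusted one
    'external'           anything else (ordinary outside mail, or unparseable)"""
    name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return "external"
    if domain in trusted:
        return "trusted"
    if "@" in name and name.rsplit("@", 1)[1].lower().strip() in trusted:
        return "display-name-spoof"
    skel = skeleton(domain)
    if any(skel == skeleton(t) for t in trusted):
        return "lookalike"
    return "external"


def scan_headers(headers) -> list:
    """Return (header, verdict) for every header that is not simply trusted."""
    return [(h, v) for h in headers if (v := classify_sender(h)) != "trusted"]


# Constructed sample From: lines, not taken from any real mailbox.
SAMPLE_HEADERS = [
    "Peggy Larsen <peggy@ksl.com>",
    "Peggy Larsen <peggy@ks1.com>",
    "IT Help Desk <helpdesk@k5l.c0m>",
    '"ceo@ksl.com" <ceo@mail.example>',
    "Vendor Billing <billing@vendor.example>",
]

if __name__ == "__main__":
    for header, verdict in scan_headers(SAMPLE_HEADERS):
        print(f"{verdict:20} {header}")
```

This is a filter for a mail gateway or a triage script, not a replacement for the training the article calls for: an attacker who registers a domain that does not share a skeleton with yours (a different word entirely, or a subdomain of a third-party host) will pass as ordinary external mail, so employees still need to read the address.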
4. Develop a data breach response plan
Despite your best efforts, a security breach may still happen. Be ready for it when it does.
A data breach response plan should be a document that’s reviewed and updated at least yearly. Don’t let it sit in a binder gathering dust as employee roles shift and information systems change over time.
In the event of a breach, determine who should be contacted within the company, who will make the decision to contact remediation services or law enforcement and who will contact customers.
Keep contact information for legal representation, law enforcement, public relations firms and incident response companies readily accessible. In the event of an attack, report the incident to the Statewide Information & Analysis Center.
“Cybersecurity has to be a top-down approach,” said Anders Erickson, director of cybersecurity services at Eide Bailly.
“When you talk about understanding risks as an organization, it cannot be the IT group who is identifying and trying to manage these risks. It has to be leadership at the top understanding … cybersecurity risks and being able to enact the initiatives, the policies that create a culture within the organization where cybersecurity is an important aspect of how you do business.”