Subscribe and download our eBook, "Innovative Ideas for Surviving a Recession and Avoiding Problems in Your Small Business."

Get the:

Protecting Company Information

Protecting Your Company Information from Ransomware and Other Attacks

Protecting Company InformationYour company information is vital. This information includes financial data, trade secrets, confidential employee and customer information, and more. Recent well publicized ransomware attacks show the vulnerability of just about everyone. Harvard Business Review said ransomware attacks were up 150% in 2020 and are up even higher this year.

Recognize where attacks may come from

It’s been reported that the most recent big ransomware attacks—Colonial Pipeline, JBS (the world’s largest meatpackers), and the DC Metropolitan Police Department—were done by Russian-based hacking groups (not the same in all cases). So it’s clear that attacks may be from external bad people.

But attacks may come from internal sources. Employees with access to company information may make company information vulnerable or even intentionally breach confidentiality.

Actions to protect company information

Some experts pessimistically say it’s not a question of if, but when, your small business will suffer hacking. This may be from external or internal sources.

Protection from external attacks. Actions routinely recommended include the following actions. Doing them doesn’t guarantee 100% against hacking, but goes a long way toward protection:

  • Backup procedures. Use automated backup to store data in the cloud. However, you don’t have to back up data that’s already in the cloud (e.g., QuickBooks Online).
  • Antivirus software. Norton or other similar products do catch some malware attacks before they invade your data.
  • Password protection. Consider requiring 2-factor authentication for access to company computers. (There’s information about this at Authy. This is especially helpful if laptops with access to company data are lost or stolen.

You might also want to carry insurance to protect you in case of a cyber attack. Be sure you understand the protection you’re paying for. For example, The Hartford offers two types of coverage: cyber liability insurance (recommended by this insurer for larger companies) and data breach insurance (recommended by this insurer for small businesses). The protection is different:

  • Cyber liability insurance provides money to pay for ransomware, pursue privacy investigations and lawsuits following an attack, and lost income during a network outage. It also covers the cost of regulatory fines that may be imposed by government, notification expenses for data breach victims (e.g., employees, customers, clients).
  • Data breach insurance helps you notify employees, customers, and clients affected by a data breach, hire a public relations firm to address the breach’s impact on your company reputation, and pay for credit monitoring services to data breach victims. It may include extra coverage for ransomware.

Protection from internal attacks. The same actions may be used to protect against internal attacks. But you may need to do more. Most employers require employees to sign confidentiality agreements to protect trade secrets and other company information.

When employees obtain this information by accessing a company computer, can the Computer Fraud and Abuse Act (CFAA) be used to bring criminal charges against an employee? This law makes it illegal “to access a computer without authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to so obtain or alter.”

Recently, the U.S. Supreme Court made it clear that CFAA should be narrowly applied. If an employer gives unlimited access to an employee, the use of the information isn’t what matters; this employee has authorization. The statute applies only where an individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases— that are off-limits to him. The lesson: Limit employee access to certain company files if that is your intent.

Final thought

Be sure you have an IT expert in your contact list to help address any attacks. When you experience a problem is not the time to be searching for this professional assistance.