October is a scary month. Not because of Halloween, but because it’s Cybersecurity Awareness Month and experts remind us of the nature of the threat and of how vulnerable organizations, especially small businesses, are. The question is, “What have you done about it?” Has your organization taken the prudent steps: training and educating your employees to recognize and report phishing emails, scams, and other malware; conducting vulnerability tests on your websites; reviewing and updating cybersecurity policies and procedures; and assessing your company’s compliance status against National Institute of Standards and Technology (NIST) and U.S. Cybersecurity and Infrastructure Security Agency (CISA) criteria? It is essential that everyone, from the newest employee to C-suite executives, understands how vital it is to protect themselves, their teams, and their company from cyber threats. Keep in mind, it’s not just an operational imperative during October, but all year long.

Eighty-two percent of ransomware attacks target small and medium enterprises. [1]

MarCom Group’s Chief Communications Officer, retired Brig. Gen. Les Kodlick, has seen first-hand the impact cyber criminals have on organizations, large and small. Interestingly enough, small organizations often assume their size and modest revenue make them a less attractive target to hackers than multimillion-dollar corporations. The fact is that large corporations have more resources to invest in protecting their critical digital infrastructure than smaller businesses do, which makes the smaller business the easier target.

“The monetary value of ransom demands has increased, with some demands exceeding $1 million.” [2]

A single ransomware attack could jeopardize a small business’s ability to operate and survive. Compared to the potential cost of a ransomware attack, investing the time to train staff, committing resources, and securing digital systems is among the smartest investments an organization can make.

Recently, Kodlick was invited to speak at a statewide conference, where he walked attendees through the steps for crisis preparedness, including preparing for a ransomware attack. We share his experience and expertise with you because, as a small business ourselves, we believe it is important to protect our fellow small businesses. By following these seven steps, you will be better prepared for whatever crises come your way.

Step One: Recognize the crucial role of leadership

It is easy to understand why most companies don’t prepare for crises. It takes time, resources, and commitment. With the pressure and demand of day-to-day operations, it can be challenging to set aside time to focus on crisis preparation, especially when you don’t see an immediate return on investment. Leaders should think of it like home insurance: pay the mortgage, then pay the insurance to protect your investment. That way, when crisis hits—and it will—your organization will be better off. Leaders set the tone, communicate the importance of preparation, and commit to doing what’s right.

Phil Harmon, MarCom Group’s Principal Solutions Architect, strongly recommends that cybersecurity awareness and action come from the top of an organization’s hierarchy. Leadership needs to prioritize and invest in efforts that protect the organization. He cites change management processes and procedures as the top action leaders should focus on to mitigate risk.

Step Two: Conduct a risk assessment

Identify external and internal risks. Identify the most likely and worst-case scenarios for your industry. Learn from other organizations’ experiences and apply those lessons. When it comes to cybersecurity, your team should examine vulnerabilities in your digital systems and infrastructure. Do you have sound security protocols to keep your data secure? Do you have redundant systems and backup protocols to help protect against loss? Do your employees receive annual and periodic training to keep up with the ever-changing threat?

Examine the organization’s culture. Assess how your company culture may pose risks. Do executives lead by example, following company policies and procedures, or do they cut corners? Do managers pressure employees to ‘get the job done no matter what it takes’? Do you regularly change passwords and access codes, especially when key employees leave? Are you diligent about issuing company equipment to help maintain system integrity, and do you have strict processes and access procedures for when employees use their personal devices?

“Social engineering is a popular method for penetrating infrastructure. Train your employees to know how to reduce exposure by not connecting to public Wi-Fi, keeping track of their equipment to prevent physical theft, and assessing emails for possible phishing attempts. Repeat these preventative methods so they become ingrained in your employees’ minds and second nature to their remote working culture.” – Phil Harmon

Step Three: Execute deliberate planning

Develop likely scenarios. Now that you have identified the most likely crises, outline how things might unfold and how your team will respond. Carefully think through all the possible variables, including who might be affected (consider your key stakeholders). Draft your plan, create a backup plan…and a backup plan to that. Prepare for the unexpected and build in flexibility.

Identify and commit resources. What resources are needed to effectively respond to the situation? In addition to your core team of trained professionals, what outside experts might you need? Do you have 24/7 contact information for your key staff, suppliers, sub-contractors, authorities, and more? Do you have contract mechanisms in place that can be executed in a matter of hours? What supplies and equipment might you need? Finally, think back to the homeowner’s insurance policy analogy and build these requirements into your annual budget.

Step Four: Practice your plans

Deliberately schedule. We’re all busy, and it seems like there is never a “good” time to practice crisis response. All too often, it seems we deprioritize overhead efforts. If you schedule time to practice your plans well in advance, it will help ensure accountability and follow-through.

Harmon advises that organizations “conduct penetration tests to identify where those vulnerabilities are. Oftentimes leadership teams believe this is a one-and-done solution, but you can’t just do it once. You must assess for vulnerabilities regularly.”

Host tabletop exercises. It’s just like it sounds: talk through a scenario, such as a ransomware attack, with your team over a conference table. Discuss each step and the “why” behind it. Tabletops are a cost-effective, time-saving approach to practicing crisis response, and they will leave your team feeling more informed and better trained to handle crises when they arise.

Conduct dress rehearsals. To borrow a phrase from Broadway, these are the full-up, rally-the-resources sessions in which you actually walk through every step of your crisis response plan. Dress rehearsals follow tabletop sessions and are best suited to the worst-case and most-likely scenarios you planned for. The realism will provide your team with a no-risk learning environment where questions can be asked, research can be conducted, and revisions can be made.

Review plans annually. Annual reviews ensure crisis plans are current and serve as a good refresher for your team. They also help bring new team members into the fold.

Step Five: Identify your response team

Select your “A-Team” for the crisis. Your day-to-day leadership team works well under “normal” circumstances. However, are they the right leaders during a crisis? Start by identifying what functions must be part of your core team—e.g., operations, legal, communication, information technology, human resources, and logistics. From there, think through what other departments and expertise you might need depending on the situation.

“The very first thing a company should invest in is talent that has a proven record in the industry. They don’t have to be in-house talent. Based on the scope of your needs, you can outsource to contractors or other vendors who can test or patch your digital infrastructure. When looking for the right person for this job, find someone who knows how hackers think because that skillset will better protect your company. You have to have a good defense.” – Phil Harmon

Pick the right person for the right job. Then, conduct a candid assessment. In addition to their areas of expertise, which team members also possess the soft skills needed in times of crisis? Do they have the right skills, demeanor, and attitude? Are they calm and composed under pressure? Are they comfortable making decisions with incomplete information under intense deadlines? Are they the type of people your staff will believe and follow during difficult times? You need a team of composed, calm professionals who are comfortable under pressure and can think on their feet.

Train the task. Incorporate your crisis training into the day-to-day. Look for opportunities to send team members to public speaking, media training, and leadership courses in addition to obtaining certifications within their discipline. Investing in your people not only makes them better at their jobs, but research shows it also increases employee retention.

Build relationships. Building relationships and gaining trust takes time. Be deliberate in your outreach efforts with key stakeholders, including regulators, local authorities, the news media, and even special interest groups. Who would you contact for help during a cyberattack: law enforcement, the local FBI office, outside experts? Get to know these people and how to reach them. You don’t want to be searching for a phone number or meeting that business reporter for the first time in the midst of a crisis. Moreover, these groups can be some of your strongest advocates when you need them most.

Step Six: Communicate rapidly

Gather information. What do you know to be true? First reports are almost always wrong, so you must be deliberate in using multiple sources and cross-checking information. In the cybersecurity scenario, have you confirmed the threat is real? What are the experts saying? What are the forensics telling you? Importantly, understand the timeline of a crisis.

Be first with the facts. Sixty minutes. That’s all the time you have to be first with the facts once news breaks about the incident! While you won’t know everything, carefully assess and share what you do know with employees (first!) and then with other stakeholders. There’s a saying, “If you don’t speak for your organization, somebody else will, and chances are you won’t like their version as much.”

Communicate with key stakeholders. Commit to keeping them informed—and do it! Consider creating a “template” release—a fill-in-the-blank form that captures essential information about the situation. Update it often and use it. Remember: keep communications clear, concise, and consistent.

Step Seven: Be ready to respond and rebuild

Preparing for crises takes time, energy, and resources. Look at it this way: crisis prep is an investment in your people, your reputation, and your organization’s future. History shows us that organizations that do prepare are much better off when a crisis hits. Engage stakeholders early and often, keep them informed, follow through on your commitments, and work hard to regain people’s trust and confidence.

Be the small business that beats the odds: one that has current policies and procedures, invests in and trains its staff, maintains formidable practices and defenses, is prepared for crises, and deters potential cyberattacks.


[1] https://tech.co/news/82-of-ransomware-attacks-target-small-businesses-report-reveal

[2] https://www.cisa.gov/stopransomware/ransomware-faqs