Friday, August 23, 2024

Hacked? Here's the First Call You Should Make

Falling victim to a hack or ransomware attack is a nightmare scenario for business owners. For small businesses, it can be financially devastating--not to mention the stress, disruption to normal operations, and hit to your reputation. And, unfortunately, attacks are only becoming more common.

San Francisco-based cyber-risk and insurance firm Resilience crunched the numbers and found that 48 percent of all claims it processed in 2023 were related to ransomware, and many attacks start with human error, such as clicking on a malicious link. Companies in wholesale, health care, construction, and transportation were frequent targets, according to a report released by Resilience on Tuesday.

What's more, mergers and acquisitions can be a precarious time, as companies are exposed to each other's existing vulnerabilities, and new weaknesses can crop up as the systems integrate--something made clear by the ransomware attack on Change Healthcare soon after it was acquired by United.

Resilience is also seeing a spike in claims related to products from third-party vendors, and notes that the dominance of a few key vendors will likely result in more supersize outages and hacks as intruders focus their efforts on a few common systems. For example, earlier this year Ticketmaster, Santander Bank, and others had data compromised after hackers accessed their Snowflake cloud storage systems. (Last month's CrowdStrike-linked outages, which were caused by a faulty software update and not an attack, are another example of the kind of chaos that can ensue when there's an issue with a widely used service.)

Resilience co-founder and CEO Vishaal Hariprasad, a former Air Force cyber operations officer, spoke to Inc. about the first steps business owners should take if they're subject to a ransomware attack or another business intrusion. While it's best to have an action plan ready in advance, quick thinking can help mitigate the damage.
"Every company of any size is a tech company directly or indirectly," says Hariprasad, who adds that hackers will often leverage small companies to access larger companies they do business with. "Especially on the [small or medium-size business] side, a small outage could become very material very fast." Step 1: Get on the Phone If you have cybersecurity insurance, phone the claims hotline right away. "Their claims person should literally be the quarterback for their next steps," says Hariprasad. The insurance company should be able to provide resources, contacts, and advice--and it's in the insurer's best interest to make sure you recover as quickly as possible. If you don't have cyber insurance, there are incident management companies that you can call. Otherwise, if you use an outside vendor for IT services, that should be your first call. Many companies spend too much time trying to clean things up in-house. Or they call law enforcement first, hoping for an immediate incident response and recovery--something authorities are generally not equipped to provide. In most cases, a call to the police or FBI should be the third or fourth call a company makes. "The mistake most people make is that they reverse that order," says Hariprasad. Step 2: Cut Off Access About a decade ago, if a company faced a virus or a breach, the advice might be to run around unplugging computers to keep an issue from spreading. That no longer works in the era of cloud computing and connected systems, but what you can do is cut off access to systems you can still access as soon as possible. "Once they're in, the attacker is going to move as fast as they can to the crown jewels," says Hariprasad. Start with the systems that are most critical to your business or that hold sensitive information--an attacker will likely go after those first so you're more compelled to pay a ransom--and work your way down the line. 
For small businesses, customer databases in HubSpot CRM or Salesforce might be some of the first things to lock down. Cut off administrator access for any email addresses that have been compromised and change the admin passwords for other accounts. Many common software suites offer options to lock down a system until an incident is resolved, including preventing new accounts from being created and preventing data from being exported.
