How to Protect Your Metalworking Business From Cyber Extortion 

PROFIT MASTERY COLUMN

BY DAN ZASTAVA

We often take for granted how much we depend on technology. As such an integral part of our day-to-day routine, what if access to the data your company relies on — customer accounts, software programs, payment information, or inventory — were cut off?

Here’s a potential scenario. Let’s say your business offers customers access to a proprietary system to help track preventative maintenance for their machinery. Suddenly, customers begin calling, saying they can’t access their information.

You find out an employee had clicked on a malicious email attachment that appeared to be from a legitimate customer. That action unleashed a ransomware attack that encrypted your company’s systems and data, with the hacker demanding $125,000 to release the files. To make matters worse, the ransomware has rendered your own machinery and equipment inoperable, bringing production to a halt.

A preventative cybersecurity plan would have helped identify the steps needed to mitigate damages. However, because you don’t have one, managers didn’t know what to do or who to contact and wasted hours of valuable time. Your company also didn’t have insurance, which would have provided financial relief from the revenue lost during the resulting downtime.

As a result, you pay the hacker out of your own pocket to decrypt the data and program files. In addition to your reputation potentially taking a hit, you’ll also have to deal with tough customer questions about your data security in the months ahead.

Forewarned Is Forearmed: Cyber Hygiene is the First Step

Fortunately, you can do things to protect your business and your customers’ valuable information, such as:

Identify sensitive data: Look for Social Security and driver’s license numbers, and proprietary information unique to your business, as well as any health and financial information.

Note where it’s located: Identify whether it’s electronic or paper copy, how it’s used, and whether you need it for your business.

Back up data: Ensure any data critical to your company’s existence is secured and copied to a separate storage site, such as offline or with a reliable cloud solution.

Ask an expert: Have a security expert check your software and hardware systems for strong encryption and authorization protocols.

Check your settings: Implement firewall settings to counteract malicious IP addresses.

Immunize your system: Make sure your antivirus package is up to date and able to block attacks.

Educate employees: Teach workers to recognize and delete potential “phishing” scam emails and malicious email attachments.

Strengthen passwords: Require strong user passwords and regular resets to reinforce security.

Avoid future problems: Scan your database to make sure other malware hasn’t been attached that could allow future attacks.

Extra Protection In The Event Of…

Even with proactive security measures, the unexpected can still happen—leaving your business with difficult costs to manage. That’s why in-house preventive measures are best combined with some form of insurance.

While most of your conversations concerning insurance have probably focused on equipment breakdowns, product liabilities, and workers compensation, consider checking if cyber liability coverage is an option for your business. Although exact coverages will depend on the carrier, in general the coverage can help if your business experiences a cyberattack from a third-party hacker. Common coverages include:

• Cyber extortion
• Phishing, or social engineered attacks
• Fraudulent impersonation attacks
• The physical loss of sensitive information
• Information security and privacy liability
• Business interruption
• Website media content liability
• Payment card industry (PCI) fines
• First-party data re-creation

Incorporating cyber liability coverages can also help with costs beyond data and revenue lost in an attack. In some cases, your policy may help cover public relations expenses or legal fees for hiring an attorney to ensure your business properly contacts individuals whose personally identifiable information was exposed. The latter is important because notification requirements vary based on the state in which the individual resides, not your company’s headquarters.

There’s no substitute for preparation and awareness when it comes to cybersecurity. By keeping your team informed and trained, you can better protect your operations and data from hackers. However, consider asking your insurer or lawyer to help quantify the cost of cyber liability coverage versus potential damages and identify a cyber protection and security plan unique to your operations. The potential savings could be immense.