About a week ago our IT supplier sent an e-mail to everyone on my staff warning them about a computer virus. It certainly was not the first such notice we have gotten, but it was by far one of the scariest. The virus is called Crypto Locker and is a ransom ware virus. Once on your computer it encrypts your files and demands $100-$300, or more, in order to decrypt them. The payment is due in 100 hours. The hackers are literally holding businesses and individuals hostage because the only way to get your files back is versioned backups (which we all know we forget to do on a regular basis.) The files cannot be decrypted without the exact key from the virus writer.
The news about the virus is everywhere so you can read more about it but it made me stop to consider some larger issues. What kind of resources should small businesses like mine have in place? Even with those resources, how do you educate your staff so that they don’t make that one fateful click that costs you time and money?
I don’t know of anyone that can survive without a “techie” at a time when cyber-security is so critical. The big question, especially for small and medium size businesses, is should that person or staff be on your payroll or do you buy the talent you need? I have done both. For a number of years I had someone on staff. While it was comforting to think we had it covered, the truth is that he was not that skilled. Let’s face it the great talent is usually working for a larger company or an IT firm where they get paid much more. I did a lot of research and decided to outsource that function. It was interesting how many companies wanted to give me a rate for “block dollars.” You pre-pay for a certain number of hours and call them when needed- think virus! One company took a very different approach. They wanted to do an audit of our equipment, software and systems and then provide us with a detailed plan for how to be strategic about our technology needs. That is the company I selected and to this day they have helped protect our systems and information. Having an outside source that stays current is one way to reduce the risk. That brings me to the second issue. Even the best outside resource can’t protect you from the employee that is not aware of how their actions can affect the company. Every business needs to have an IT policy.
In this area, I have done a number of things. First, our employee handbook, crafted with the help of our attorney, lays out some general policies which govern the use of e-mail systems, the Internet, the telephone, voicemail and all other communication systems in the workplace. That’s a good start but you also need the practical day-to-day guidelines. You can find a wide variety of information by just searching “IT policy templates.” Some are free others are not. But, don’t just cut and paste because everyone’s operation is unique. Craft something that works for you and if you have an outside IT firm, ask them to help you. They know your operation and can provide a great sounding board.
Bottom line is this. While the Crypto Locker virus is in the news today, tomorrow it will be something else. A little time and attention to putting resources in place and consistently educating our employees will go a long way toward protecting our businesses.