An employee receives an email from his company’s CEO, or at least he thinks it’s the CEO. He clicks the email’s attachment, unknowingly downloading malicious software. Within minutes, the damaging code has locked the business’ system, rendering it useless until a ransom is paid to unlock it. This sounds like the makings of a TV crime show, but it's not. Ransomware attacks happen every day.

These types of cyberattacks are increasing in staggering numbers, yet 1 in 3 small businesses are clueless about ransomware and its devastating effects. Here’s what business leaders need to know:

What is Ransomware?

The first cases of ransomware were reported as far back as 2005. It was originally presented as antivirus software claiming a computer had issues that required payment in order to be fixed.

Download the free Ultimate Guide to Data Security.

Today it is known to be a type of malicious computer code that is usually executed on a business’ system, often through unsuspecting employees who are lured in by an infected link or phishing email. The code locks a computer or entire system, encrypts files so that they are unreadable, and demands a ransom payment in return for a decryption key which claims to return access to the downed system.

Why Small Businesses?

Cybersecurity often takes a backseat to business development for smaller organizations. In fact, many small business owners have never heard the term “ransomware.” And while these businesses may not provide a big payday for cybercriminals, a lack of training on workplace IT security best practices can make smaller companies vulnerable. A recent study found that only 30 percent of small businesses offer security training to their employees, compared to 58 percent of larger companies.

Create a Plan.

Taking proactive steps to create a data security plan can drastically reduce the likelihood that an attack will succeed. Our Ultimate Guide to Data Security offers many data security strategies, including these 4 best practices for effective employee training.

1. Be Specific - General topics are not as sticky as specific ones. So instead of email security, discuss phishing.
2. Be Relevant - Each message should be tailored to your specific group. In healthcare, discuss healthcare-specific issues. In financial services, discuss financial services-related topics. In manufacturing … well, you get the idea.
3. Be People-Oriented - Center the training not purely on concepts, but take those concepts and put them in the context of what your employees experience.
4. Be Consistent - Whatever your training schedule, stick to it. We find it beneficial to do a quarterly in-person training.