How to Protect your Business from Ransomware Attacks

Here at Lightcap Financial Group we work with business owners on a variety of business planning and financial planning projects, which often explore potential pain points such as technology failures. Because we work with a variety of businesses, we come across some interesting cyber security issues. Ransomware is a serious cyber security risk for any company that manages or controls sensitive client data. We take this seriously and so should you.

Recently, the education software company Canvas was held hostage in a ransomware incident. It is easy to assume only large organizations are attractive targets. In reality, small and midsize businesses are often more vulnerable because they rely on lean teams, shared cloud tools, outside vendors, and remote access systems that may not receive constant security attention.

Ransomware is not just a technical problem; it is a business continuity risk that can stop operations, expose customer data, damage trust, and create expensive recovery costs. 

So, what can you do to minimize the threat of a ransomware attack on your company?

Begin by reducing the chances that attackers get in.  

  1. Require multi-factor authentication for email, financial systems, remote access, cloud applications, and administrator accounts.  

  2. Use strong, unique passwords and a password manager so employees do not reuse credentials across personal and work accounts.  

  3. Keep operating systems, browsers, business applications, and security tools updated automatically whenever possible, because ransomware groups frequently exploit known vulnerabilities that already have patches available. 

Next, protect your data before you need it.  

  1. Back up critical files regularly using the 3-2-1 rule: keep three copies of important data, on two different types of storage, with one copy offline or otherwise isolated from your network.  

  2. Test those backups, too. A backup that has never been restored is only a hope, not a recovery plan.  

  3. Limit access to sensitive files so employees can only reach what they need for their roles. If one account is compromised, this reduces the amount of damage an attacker can do. 
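As an added illustration of step 2 (not code from the original post), the following POSIX shell script performs a restore test: it backs up a constructed sample folder, restores the archive into scratch space, compares checksums file by file, and shows that a damaged archive is caught rather than trusted.

```shell
# Added example: prove a backup can actually be restored, per the
# "test those backups" step. Sample data below is constructed.
set -u

# make_manifest DIR: one "sha256  ./relative/path" line per file, sorted.
make_manifest() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        sha256sum "$f"
    done )
}

# backup_dir SRC ARCHIVE: compress SRC into a .tgz archive.
backup_dir() {
    tar -czf "$2" -C "$1" .
}

# verify_restore SRC ARCHIVE: restore ARCHIVE into a scratch directory and
# compare checksums against SRC. Returns 0 only if every file matches.
verify_restore() {
    scratch=$(mktemp -d)
    if ! tar -xzf "$2" -C "$scratch" 2>/dev/null; then
        echo "restore FAILED: archive unreadable" >&2
        rm -rf "$scratch"; return 1
    fi
    make_manifest "$1" > "$scratch.src"
    make_manifest "$scratch" > "$scratch.restored"
    if diff -q "$scratch.src" "$scratch.restored" >/dev/null; then
        rc=0
    else
        echo "restore FAILED: restored files differ from source" >&2
        rc=1
    fi
    rm -rf "$scratch" "$scratch.src" "$scratch.restored"
    return $rc
}

# demo: constructed sample data, one good archive and one damaged archive.
# Succeeds only if the good archive passes and the damaged one is caught.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/data/clients"
    printf 'account 1001\n' > "$work/data/clients/a.txt"
    printf 'account 1002\n' > "$work/data/clients/b.txt"
    backup_dir "$work/data" "$work/good.tgz"
    if verify_restore "$work/data" "$work/good.tgz"; then good=0; else good=1; fi
    head -c 40 "$work/good.tgz" > "$work/damaged.tgz"   # simulate a corrupted copy
    if verify_restore "$work/data" "$work/damaged.tgz" 2>/dev/null; then bad=0; else bad=1; fi
    rm -rf "$work"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}
```

Run `demo` to see both outcomes; in practice, schedule `verify_restore` against your real backup location and treat any non-zero exit as an incident to investigate.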

Employee awareness also matters. Many ransomware attacks begin with phishing emails, fake invoices, malicious links, or stolen login credentials.  

  1. Train staff to pause before opening unexpected attachments, verify payment or account-change requests through a second channel, and report suspicious messages quickly. 

  2. Make reporting easy and encourage early reporting; employees are more likely to speak up when they know they can remedy or mitigate a mistake quickly. 

Businesses should also prepare for the moment something goes wrong.  

  1. Create a simple incident response plan that lists who to call, how to disconnect affected systems, how to communicate with customers, and how to contact legal counsel, cyber insurance, law enforcement, and IT support.  

  2. Store a copy of the plan somewhere accessible even if your network is down.  

  3. Run a tabletop exercise at least once a year so the team can practice decisions before they face a real crisis. 

Finally, do not overlook vendors. The Canvas ransomware attack showed how disruption at one widely used platform can ripple across thousands of organizations. Ask vendors about their security practices, breach notification process, backup strategy, and use of multi-factor authentication. For essential services, know what your fallback process will be if that provider is unavailable for a day, a week, or longer. 

Companies that handle sensitive client data should also review their insurance coverage before an incident occurs. Cyber liability insurance may help cover costs such as forensic investigation, legal guidance, client notification, credit monitoring, business interruption, data restoration, and certain ransomware-related response expenses. However, coverage varies widely, and insurers may require proof of basic security controls such as multi-factor authentication, regular backups, employee training, and documented incident response procedures. Business owners should work with a qualified insurance professional and legal counsel to understand exclusions, reporting deadlines, coverage limits, and whether third-party vendor incidents are included. 

Ransomware protection does not require perfection. It requires disciplined basics, clear ownership, and regular practice. Start with the highest-risk systems, make security part of everyday operations, and review your plan whenever your business adds new software, vendors, or remote workers. The best time to prepare is before an attacker tests your defenses.

Resources: 

Federal Trade Commission Cybersecurity for Small Business: plain-language training materials on ransomware, phishing, backups, passwords, and vendor security. 

https://www.ftc.gov/business-guidance/small-businesses/cybersecurity

National Institute of Standards and Technology, Small Business Cybersecurity Corner: free cybersecurity resources designed for smaller organizations. 

https://www.nist.gov/itl/smallbusinesscyber

This commentary reflects the personal opinions, viewpoints and analyses of the Lightcap Financial Group, LLC employees providing such comments, and should not be regarded as a description of advisory services provided by Lightcap Financial Group, LLC or performance returns of any Lightcap Financial Group, LLC client. The views reflected in the commentary are subject to change at any time without notice. Nothing in this commentary constitutes investment advice, performance data or any recommendation that any particular security, portfolio of securities, transaction or investment strategy is suitable for any specific person. Any mention of a particular security and related performance data is not a recommendation to buy or sell that security. Lightcap Financial Group, LLC manages its clients’ accounts using a variety of investment techniques and strategies, which are not necessarily discussed in the commentary. Investments in securities involve the risk of loss. Past performance is no guarantee of future results.
