Imagine running a small business and suffering a large-scale security breach. It comes in the form of a ransomware attack, and the business you’ve spent half of your career building has ground to a halt. Facing the unenviable choice of paying the criminals or suffering the data loss, you hear your email application chime and notice a new message in your inbox from the person whose mistake led to all this turmoil…the last person you want to hear from right now…

Dear CEO,

I am writing to sincerely apologize for the recent security breach caused by my actions. I know you’re busy and have better things to do than worry about IT problems, but this is important. Recently, I mistakenly clicked on a phishing link in an email disguised as a financial document. Realizing my error when the PDF failed to open, I immediately deleted the email. Despite this, and without me knowing, we had already started down the path to ransomware.

I found out later a script was executed on my machine that day and my keystrokes were logged and being saved for later retrieval. Once the bad guys had my login, it was easy for them to get into the server records, steal everyone’s logins, and go through to encrypt all the company data.

I deeply regret the impact this incident has had on the company and my work, and I take full responsibility for my actions. I understand the severity of the situation and the financial pressure you now face to make the awful decision of paying to release the records or deal with the loss of several weeks of data.

To ensure this doesn’t happen again, I have researched some steps that may have stopped this issue from ever starting. For one thing, it seems like I shouldn’t have had full administrator access to our IT systems. This is called the principle of least privilege, and it limits me to the access I need to do my normal job. Instead, I had access to everything…most of which I don’t know what it is anyway.

We also could have been using something called ringfencing which examines the execution of unusual applications and scripts. In other words, if something unusual happens, a ringfencing application will stop and alert IT to make sure it’s safe before it’s allowed to do whatever it’s trying to do.

We also can train the entire staff to recognize the types of bad links I clicked. This is called Security Awareness training. Usually it’s a few minutes a month and it can also help identify who might be more likely to click bad links and might need some extra training in order to avoid future security breaches.

We probably should have instituted multi-factor authentication (MFA) to add an extra layer of protection to our passwords. I have this for some of my personal logins and it texts me or emails me, but there are some common programs now that are more secure and used just as a second layer after passwords.

Our business continuity and disaster recovery plans were…well they weren’t. We need to have and test robust BCDR procedures in case we ever experience something like this again.

Once again, I am truly sorry for the cost and inconvenience my actions have caused. I am committed to learning from this experience and ensuring that such a mistake does not occur in the future.

I found a company that serves regions around Baltimore, MD; York, PA; and New Bern, NC that has all of these items, as well as advanced cybersecurity items, in its normal offerings…in addition to bundled Helpdesk services for when our staff is having everyday IT issues. (I know you’re tired of dealing with those smaller issues slowing us down.)

If you’re interested, I think they could really help us; I know they have helped a lot of other small businesses like us. Their name is Certified CIO. You can schedule a call with them directly right here and I urge you to do so.

Thank you for your continued understanding and support.

Sincerely,
Low Level Staffer Who Put the Entire Operation at Risk and Is Soon to Be Fired

The problem? You know he or she is right. Better preparation would have prevented this. Whether that’s enough to save his or her job is a different question, but either way the responsibility falls on the leader. It’s your pill to swallow, bitter as it may be. Still, the lessons learned from these oversights are invaluable. Neglecting essentials like MFA, BCDR, and ringfencing left the business vulnerable and unprepared, and recovery is not only expensive but also time-consuming and stressful. Moving forward, the key is to treat cybersecurity as a critical business need, not an optional safeguard, and to acknowledge that cyberattacks are a real threat to any business – especially small business. Robust security measures and regular updates to your digital defenses protect your assets and ensure business continuity. Reflecting on these mistakes can be a humbling experience, but it can also pave the way for a more secure and resilient future for your company. Let’s turn these lessons into strengths!

If you don’t want to receive a letter like this, with all its hindsight clarity, in the near future, let our team of experts worry about keeping the castle defended so you can worry about what you’re good at—running the kingdom. Give us a call to get started.
