“It’s not a matter of if you’re going to be attacked – it’s just when, and what is the next one,” Matthew Davis, the president of GDI Insurance Agency, tells ZDNet. For Davis and his team, that inevitable hack came in 2019. Their remote IT provider was hacked and then the attackers deployed ransomware to the IT company’s clients’ systems – nearly 400 businesses were impacted in total. SEE: These are the cybersecurity threats of tomorrow that you should be thinking about today The attack shut down the agency and its four locations, with servers and computers crashing. The company found that every computer that had connected to the internet within the last two or three weeks was locked. “We went into overdrive and spent a pretty penny – we spent about $25,000 in the first 14 hours out of pocket directly,” Davis said. It might seem a lot but that figure is just a drop in the ocean compared to overall spending on data breaches and hacks. For example, the IBM 2021 Cost of a Data Breach Report found that last year saw the highest average data breach cost in 17 years, rising from $3.86 million in 2020 to $4.24 million in 2021. In addition to what was spent to mitigate the attack, the agency also had to spend more than $15,500 to hire consultants and temporary replacement machines, over $5,620 in a forensic systems audit, and $7,500 in legal costs. Some PCs never quite ran the same and the company had to buy new software licences after systems were reconfigured. “Although we weren’t reimbursed $10,000’s of those costs, the losses from not selling new clients for an additional couple weeks in the long-term client relationship/residual business that we’re in would have resulted in a considerable reduction in our growth and profitability trajectory for the few years to come,” Davis wrote in the company’s case study about the cyber breach. Since the attack, Davis says the agency has prioritized its security much more than it used to. “We have multi-factor authentication on all our machines now,” he said. “We have VPN access to our internal services and implemented changing passwords much more frequently.” Recent research from tech analyst Gartner shows that worldwide spending on data security increased by 17.5% between 2020 and 2021, so organizations are taking the threat of data breaches and cyberattacks more seriously as the frequency rises. Tomas Keenan, the COO of Break Free Academy, and his team also experienced a costly cyberattack in 2021. The company’s Twilio account was accessed by a malicious actor, and there was $18,000 worth of daily charges for nearly a week before the team figured out something was amiss. “We had about three different software platforms that were connected to Twilio,” Keenan said. “We had to go into every single one of them and copy the message, recreate it, and build it into a new software solution that we used, which took a solid two to three weeks to complete.” Keenan’s theory is that the company’s Twilio login information had been accessed. Unfortunately, this isn’t an uncommon scenario: the IBM Data Breach Report also found that compromised credentials are the most common attack vector. “The biggest thing we learned is to be more secure with who has access to your stuff,” Keenan said. “We implemented LastPass across the entire company, so everyone has a separate LastPass account. And we have someone go in and create the master password and then share it to the people who need it to limit the access, which has been super helpful.” SEE: These hackers are spreading ransomware as a distraction - to hide their cyber spying Both Keenan and Davis agree the current state of cybersecurity is worse than it used to be, especially since attackers are much more sophisticated. “As the defenses increase, the level and aggressiveness of the attempted attacks has gone up, so there’s just a lot more effort on both sides,” Davis said. And, since the pandemic has encouraged many companies to run using cloud-based servers rather than an internal, in-office server, systems can get even trickier to protect. “If you’ve got a smart person that knows what they are doing, they are going to get into your stuff, no matter what,” Keenan said. However, there are always preemptive steps to take to protect yourself. The National Institute of Standards and Technology recommends simple steps to protect your business from cyberattacks. These include installing surge protectors, patching your operating systems and software regularly, installing hardware firewalls, using encryption for sensitive business information, and, most importantly, training your employees against security threats. “The best defense is a good offense,” Davis said.