In May, it was gas. This month, it’s meat.

JBS, the world’s largest meat supplier, was targeted in a ransomware attack just three weeks after the Colonial Pipeline hack disrupted the fuel supply chain in the U.S. Ransomware attacks – where malware is used to hold a victim’s data for a ransom – are on the rise, according to authorities, a trend that’s expected to continue in the coming months and years. (Promo firms aren’t immune, with several high-profile companies enduring attacks in recent years.)

Cybersecurity firm Sophos estimates that the average total cost of recovery from a ransomware attack has more than doubled in the last year, increasing from just over $760,000 in 2020 to $1.85 million in 2021. The company also found in its State of Ransomware report that only 8% of companies managed to get back all their data after paying a ransom, with 29% getting back no more than half.

These sobering statistics underline the importance of having robust systems that protect data and safeguard against attacks, but even the strongest cybersecurity is only as good as the people using it. Here are seven tips for improving security at your company.

1. Keep passwords secure. Companies should implement password complexity policies that require a mix of upper- and lowercase letters, numbers and symbols, with a minimum of 12 characters, according to Kaitlin Titus, account executive at eMazzanti Technologies, an IT consulting firm based in Hoboken, NJ. Have employees create passwords that are unique and not used on other sites. “If one program is hacked and that password is stolen, it’s much easier for a hacker to get into other systems you use,” Titus says. Consider using a password manager that generates unique passwords and keeps them stored in one safe place (which is not a sticky note attached to your workstation, by the way).

2. Use multifactor authentication. It’s a simple, but powerful concept – adding another layer of security beyond simply typing in a password. Multifactor authentication requires users to add a secondary token or code to gain access to an app or device. “It may add a few more seconds to the login process, but it will greatly reduce the opportunity for illegitimate access to company systems,” Titus says.

3. Be vigilant about shared inboxes. Christopher Gerg, vice president of cyber risk management at Tetra Defense, warns of new “wrinkles in the phishing world” – beyond the typical phishing emails posing as a problem with an Amazon order or new login to your Netflix account. Shared email accounts for sales teams, he says, are easy to guess via web searches and harder to protect with safeguards like multifactor authentication. “These shared inboxes, by their very nature, often receive unsolicited email, increasing the chances of malware being accidentally unleashed,” Gerg says.

4. Keep your systems updated. Make sure company equipment and software is updated regularly to ensure all the latest security patches are installed. Be wary of allowing employees to use their own laptops when they work remotely, since personal devices are less likely to be updated than their company-issued counterparts, according to Nir Kshetri, a professor at the University of North Carolina-Greensboro and author of four books on cybersecurity.

5. Backup your data – then test your backups. Today’s data protection systems, sophisticated as they are, are “meaningless if they aren’t accompanied by backups,” says Thilo Huellmann, chief technology officer at Levity.ai. Companies should back up their systems and data daily and keep a clean copy of the data so that it can be easily restored if a threat arises, he adds. Be sure to test your backups for recovery, says Bob Herman, co-founder and president of IT Tropolis, an IT service provider. “Many companies run backup but never conduct testing, only to find out after an actual incident occurs that restore of critical data fails,” he adds.

6. Train your employees regularly. Don’t limit training to once a year, though. Enroll them in continuous cybersecurity training that’s dynamic and interactive to help them understand the latest security risks and keep security top of mind. (On June 23, ASI will be hosting a webinar on how to handle a ransomware attack in progress, led by Mike Pfeiffer, vice president of technology for Top 40 distributor American Solutions for Business (asi/120075). Register for the webinar here.)

Though it’s important to train workers in the technical details of a phishing attempt, it’s even more crucial to drill down to the psychology behind why such emails work. “People are rarely fooled by the detail and authenticity of phishing attacks, and much more so by the emotional hooks that they use to bypass rational consideration,” says James Bore, director of Bores Security Consultancy.

7. Make an investment in cybersecurity. This could mean beefing up your existing IT team or hiring an outside firm to run security audits. Another option to consider is cyber insurance to protect against attacks, according to Kshetri. In the U.S., only about 19% of small- and medium-sized businesses have cyber insurance coverage, he adds. But, as the rising rate of ransomware attacks has shown, it’s not just large companies that are at risk.