A few years back I got a call on the helpdesk at 9am on a Monday morning.

A small business owner — plumbing company, 8 staff, been trading 12 years — couldn't get into anything. Email. Accounts. Customer records. All locked. A ransomware note on every screen demanding £8,000 in Bitcoin.

It had started the previous Friday afternoon. One employee clicked a link in what looked like a supplier invoice email. By Monday morning the damage was done.

47 minutes. That's how long it took from the initial click to full system encryption.

They didn't pay the ransom. They lost three weeks of work rebuilding from scratch, lost two clients who lost confidence in them, and nearly didn't survive it.

Here's the thing that still gets me — every single thing that allowed that attack to happen was completely preventable. And none of it would have cost them more than an afternoon to fix.

The three things that got them hacked

They reused the same password everywhere

The employee who clicked the link used the same password for their work email as they did for a shopping website that had been breached two years earlier. The attackers already had the password before they even sent the phishing email.

One free tool fixes this entirely — Bitwarden. It generates and stores unique passwords for every account automatically. Your team never has to remember a password again, and more importantly, one leaked password can never unlock everything else.

Nobody had two-factor authentication switched on

Two-factor authentication — that wee code sent to your phone when you log in — would have stopped this attack dead even with the correct password. The attacker was in another country. They didn't have the phone.

Takes five minutes to switch on. Do your email account first. Right now if you can.

Their systems hadn't been updated in months

The ransomware exploited a known vulnerability in an outdated piece of software — one that had been patched months earlier. The patch was sitting waiting to be installed. Nobody had got round to it.

Set everything to update automatically. It's boring advice but it's the difference between a normal Monday morning and the worst day of your professional life.

The uncomfortable truth

That plumbing company wasn't unlucky. They were unprepared. And the attackers knew it — small businesses are targeted precisely because they're assumed to have weak security and no IT support.

You don't need an IT department. You need an afternoon and these three free fixes.

Don't wait for your own Monday morning phone call.

Got a question or a close call of your own? Hit reply or drop us a message at [email protected] — we read every one.

Until next week, The SafeDesk Team
