PART ONE: WE SHOULD JUST PAY IT, RIGHT?

When it comes to sugar, butter, flour Claudia West just knows.

She’s been baking since she can remember — rainy days in the kitchen with Grannie, bread rising in the oven, frosting with perfect pink peaks. It’s why she thanks her lucky stars that everyday she gets to walk into Perfect Treats, her real bread and butter.

With humble beginnings as a corner store bakery some ten odd years ago, Perfect Treats has grown into a local must-stop. It’s even been featured on famous road trip blogger Amelie Drives West’s website as a “sensational sweet stop.” The B-level fame helped Claudia break out from a three-employee operation to a staff of twenty, including two drivers for her blooming wedding cake business.

And it’s that last bit that’s got Claudia excited this sunny Tuesday after Labor Day as she enters the front door of her shop, a sticky sugar scent already swirling in the air. Fall wedding season is about to begin, and for the first time in Perfect Treats’ history, the bakery is booked solid.

But her pleasant mood changes the instant she sees her head cashier Robbie’s face.

“Is the WiFi out?” she asks. Since he’s studying computer science at the community college in town, Robbie became something of a de facto technology guru for Claudia.

“No,” Robbie answers her. He bounces from foot to foot. “Something worse,” he adds.

Nerves building, Claudia joins Robbie behind the store counter, where they peer at the main register together.

“What’s all this?” The computer monitor is on, but Claudia does not see the checkout screen she’s so familiar with. Instead, a message splays across the screen, a garble of words she does not understand.

“I think we’ve been hacked.” Robbie reaches for the mouse, scrolling through the seemingly endless list of phrases. Some begin to pop out at her.

Locked system, credit card data, employee payroll.

“Hacked?” she repeats. Still, her eyes remain glued to the screen.

Ransom payment. Bitcoin.

Weren’t these the words used in heist films? Not in real life. Not in her tiny, little bakery.

“They’re asking for $75,000 in Bitcoin by the end of the week,” Robbie says, finally stopping at the bottom of the letters on the screen. They scream back at her in bold font, all caps, like a silent scream.

Her mind is still racing as she processes what Robbie said.

“Pay it. We pay it.” That seems like the logical next step, she reasons with herself, especially because her employees’ information is locked up, according to the note.

Then again, how would she ever get that kind of money? And in Bitcoin of all things. She swallows hard. “We’re supposed to pay it, right?”

Suddenly, the sugary sweet smell she loves so much turns sour in her nose.

PART TWO: PROBABLY SHOULDN’T HAVE DONE THAT

Three weeks have passed since the ransomware attack.

Claudia, relying heavily on Robbie’s input and modest understanding of cryptocurrency, has finally paid her attacker in full, but she is anything but happy about it.

For one thing, the attack locked up her entire system — cashiers, payroll, contracts. Without access to her systems, Claudia is flying blind.

Not to mention, her employees are chafing due to late paychecks, and customers are starting to doubt her ability to fill orders accurately and on time.

In addition, her insurance company denied her ransomware payment reimbursement claim. Apparently, she needed a separate cyber policy for incidents like this. But as she iterated to the insurance company customer service person on the phone, she didn’t work in a “cyber business.”

“You use computers? WiFi? Have a security system?” he had asked.

“Yes, of course.”

“Then you operate in the cyber world.” After a few more “sorry ma’ams,” he’d hung up.

And all that was just the start. Claudia is still learning the snowball effect of the event.

For three weeks she has had no access to her schedule. All those blushing brides she was meant to bake for are furious. Claudia feels obligated to refund their down payments — yet another hit to her dwindling cash reserves.

Social media has become a silent villain to her predicament — a proverbial sour cherry on top. Those same blushing brides have a hidden bite, taking their vitriol to Yelp and letting her have it over the Internet.

Claudia shuts off her phone after reading a rather nasty review from the stakeholders of another canceled wedding. If this goes on, she thinks, no amount of ransom paid will be able to salvage her reputation.

The bell over the front door jingles happily, a sharp contrast to the somber mood Claudia’s in.

Before she can explain that Perfect Treats is closed, however, she sees Robbie approaching, his face showing her he’s not here for a friendly chat.

“What is it now?” she asks, her impatience shining through.

Robbie must sense it, because he stops in his tracks. That’s when Claudia sees the letter clutched in his hand. Her heart sinks. It can’t get any worse, can it?

Unfortunately, it can.

“OFAC compliance? I don’t know what that means.” Claudia is staring at a notice from the Office of Foreign Asset Control, or OFAC, about her recent ransomware payment. It’s another garble of words she’s not exactly familiar with, but one thing is abundantly clear: She’s being fined for paying her attacker.

“Looks like we might have acted too quickly,” Robbie tells her. She’s still skimming the notice. “Some Bitcoin payments are illegal, depending on where it comes from. I—I didn’t know that when I started.”

“How can digital coins be illegal?” She’s truly at her wits end, trying to wrap her head around yet another layer of cyber she’d never been exposed to before.

“I think it comes down to how it’s being regulated,” he says.

“And you didn’t know?” She’s firm. Perhaps a little too firm. Robbie flinches, and Claudia realizes none too late that he’s just a kid.

She places her hand on Robbie’s shoulder. Of course he didn’t know.

PART THREE: BEEN THERE, BAKED THAT

“Oh, Mom, how could you not know about cyber insurance?” Claudia’s daughter Ramona shakes her head, her hands properly at ten and two on the steering wheel like always. She starts her Subaru with the push of a button, the vehicle coming to life around them with lights and sounds. A giant screen sits on the dashboard where cassette players used to sit.

Another cyber business, Claudia begrudgingly thinks.

Ramona is something of a business head herself, although Ramona’s world consists of numbers and graphs and accounting firms. Claudia is starting to wish her own world had a Ramona running it.

Her daughter shakes her head again. “You had direct deposit payroll. You took credit card information from customers. You had brides e-sign contracts, for crying out loud!”

“Ramona,” Claudia cautions.

She pushes. “And that’s just the bare minimum of the data you were collecting—”

“Ramona.”

Ramona’s grip loosens on the wheel, her eyes quickly glancing over in Claudia’s direction. It’s enough to curb the tension building in the car. “I know, I know,” Ramona sighs, “I’m sorry. I’m not trying to berate you.”

“If I could change it all I would,” Claudia whispers. She wants to sound more assured than that, but her whole world is still falling down around her. She’s not sure what the future will look like yet.

“Oh, Mom. I know how hard this is on you. We’ll—we’ll figure something out.”

The car kicks into gear, the last of Claudia’s baking pans clattering around in the SUV’s trunk. As it turns out, OFAC compliance was as big a deal as cyber insurance for small businesses, and now. Well, now Claudia doesn’t have a business to worry about.

As the wheels crunch past the empty storefront of what once was Perfect Treats, Claudia sighs.

Sugar, butter, flour — that is Claudia’s sweet world.

Cyber, ransom, Bitcoin — that is the bitter taste that destroyed it. &

LESSONS LEARNED

Ransomware events can be scary, no matter the size or success of a business. And no business is immune to the potential of an attack.

Small businesses, in particular, are soft targets, often without the cyber protocols, insurance or know-how in place to manage these types of events.

It’s a hacker’s dream.

That’s why it is extremely important for small businesses to partner with experts in cybersecurity. They not only have the resources needed to address a ransomware demand, but they will also be able to guide the small business through an attack.

As seen in this scenario, paying a Bitcoin or similar demand outright is not always the best first step to take. When a hacker has your data, time is critical. But getting the right people on the phone is even more so.

A good partner will also be able to help the small business train in advance of an attack so that all employees, whether its a team of five or 50, know what to do when a potential hack is on the horizon.

Remember: Ransomware resiliency starts with a plan. That plan must be put in motion long before there’s a chance for a cyber event to occur.