At the beginning of July, software service provider Kaseya reported some shocking news that made headlines throughout the globe: It was attacked by hackers who embedded malware into the company’s network, allowing them to carry out ransomware attacks on Kaseya’s clients, paralyzing hundreds of businesses on five continents. It’s estimated that up to 1,500 organizations throughout the world were impacted, ranging from a supermarket chain in Sweden to dentists’ and accountants’ offices in the United States. The hackers initially demanded $70 million to restore all the affected businesses’ data

The most troubling part? “At first, many of the mid-market companies who were affected didn’t even realize their systems had been compromised,” says Alexander Anglim, a partner at Santomassimo Davis LLP Outside General Counsel™ Solutions, a New Jersey-based firm with offices in New Jersey, Philadelphia, and New York. That’s because Kaseya provides software tools to IT outsourcing shops— companies that handle back-office work for businesses too small to have their own technology departments. “Imagine these businesses’ shock when, after reading about one of the largest data breaches in the news this year, they discover their company might have been one of the victims,” Anglim says.

Ransomware—a type of malware that prevents users from accessing their systems until a ransom is paid—is a growing threat: 37% of mid-sized organizations across the globe were affected by ransomware attacks in the last year, according to a recent report by Sophos, a cybersecurity firm.

So, how to avoid being the next victim? “The single best tactic smaller- and mid-size companies can use to safeguard themselves is to know their IT vendors and their capabilities,” advises Anglim. Follow this three-step process to ensure your technology providers are sufficiently prepared to protect your company against a ransomware attack:

1. Perform A Vendor Audit

Anglim and his associate’s colleagues at Outside General Counsel™ Solutions, which provides customers with outside general counsel at a fixed monthly fee, often work very closely with clients to assess whether or not their IT vendors have the capabilities to protect against ransomware. “Sit down and interview them to see what their competencies are,” he recommends. “Are they focused on just providing you with the tools you need to do day-to-day business, or do they have the technical capabilities of a true cybersecurity firm? 

“You can find ways to probe their expertise without being a technology expert yourself,” he says. Try open-ended questions, like:

• What resources can you provide in the event of an attack or other breach?
• What options do you have for dealing with my specific security concern?
• Which cybersecurity capabilities do you have in-house, and which do you outsource? 

“You may learn that what you thought your vendor was providing and what they’re actually providing aren’t the same thing,” Anglim says.

2. Interview Other Vendors

Contact more specialized cybersecurity providers and see how your IT vendor stacks up. Anglim recommends interviewing some of the leading cybersecurity providers in your area. “Ask them what they do that most general IT vendors don’t or can’t do,” he says. Then, go back to your existing provider and ask them if they can perform the same services. “Let’s face it: no vendor is going to start off by telling you the holes in their expertise,” he says.