Small and medium‑sized businesses: Big targets for ransomware attacks

Editor’s note: contributed blogs like this are part of ChannelBuzz.ca’s annual sponsorship program. Find out more here. This article was written by Amer Owaida, a security writer at ESET, and was originally posted on the We Live Security site.


According to the World Bank, small and medium-sized businesses (SMBs) play a huge role in most economies, accounting for 90% of businesses worldwide and representing over 50% of employment. These are businesses that range from family-owned restaurants, through startups to established businesses with several hundred employees on their payrolls.

Besides being instrumental to countries’ economies, another thing SMBs share is that they are often ill-prepared to deal with cyber-threats. Such incidents can vary, from distributed denial-of-service (DDoS) attacks resulting in hours of downtime and revenue loss, to malware attacks, including those involving ransomware, that may ultimately cause a company to go out of business.

Why are SMBs a target?

While large enterprises may present themselves as more lucrative prey, SMBs are an attractive target due to their lack of resources to defend against such attacks.

According to a recent report by the Ponemon Institute, the biggest challenge faced by SMBs is a shortage of personnel to deal with cyber-risks, attacks, and vulnerabilities, while the second greatest problem revolves around limited budgets. The third biggest challenge is that the firms may lack an understanding of how to protect against cyberattacks.

With that in mind, it stands to reason that the employees wouldn’t be able to identify potential threats or attacks. The Ponemon report points out as much, stating that when companies experienced ransomware attacks, the most frequent attack vectors were phishing and social engineering, with spoofed websites coming in second and malvertisements taking third place.

This goes to show how underestimating proper cybersecurity training can hurt your company in the long run. While proper training may be a costly investment, having to deal with the aftermath of a ransomware attack can prove to be even costlier.

What’s the cost of being hit?

According to Datto’s report, ransomware is at the top of the list of the malware threats that SMBs face, with one in five reporting that they had fallen victim to a ransomware attack. The average ransom requested by threat actors is about US$5,900. However, that is not the final price tag; the cost of downtime is 23 times greater than the ransom requested in 2019, coming in at US$141,000 and representing an increase of over 200% from 2018 to 2019.

And you still haven’t factored in other costs – the discovery of the attack, investigation, containment, recovery, and reputational damage. Then you still have to account for the cost of the information lost.

Some businesses may opt for paying the ransom to limit their downtime and restore access to sensitive files, but there are no guarantees. The cybercriminals behind the ransomware may keep increasing the ransom, and even if you pay up, you can’t be sure that you’ll recover all the data, so the damage will still be done.

“Funding cybercriminals also funds larger cyberattacks, so it must be reiterated that paying won’t always make the issue go away,” says ESET cybersecurity specialist Jake Moore.

What are your options?

Clearly, you want to avoid a successful ransomware attack in the first place. The key, then, is prevention, and it includes these basic measures:

  • All employees should undergo regular training so as to be up-to-date on cybersecurity best practices. This can go a long way in lowering the chances of them clicking on potentially hazardous links in their emails that could be laced with ransomware or plugging in unknown USB devices that could be loaded with malware.
  • You should always keep your operating systems and other software updated to the newest version available and, whenever a patch is released, apply it.
  • Always plan for the worst and hope for the best, so have a business continuity plan at the ready in case disaster strikes. It should include a data backup and maybe even a backup infrastructure you can use while you try to restore your locked systems.
  • Backups are essential for everyone, be it individuals or huge enterprises. Back up your business-critical data regularly and test those backups frequently to see if they are functioning correctly, so that they don’t leave you in a bind if you’re hit. At least the most valuable data should also be stored off-line.
  • Reduce the attack surface by disabling or uninstalling any unnecessary software or services. Notably, as remote access services are often the primary vector for many ransomware attacks, you would be well advised to disable internet-facing RDP entirely or at least limit the number of people allowed remote access to the firm’s servers over the internet.
  • Never underestimate the value of a reputable, multilayered security solution. Besides your employees, it is your first line of defense that you should have up and running to protect you against all manner of threats, not ‘just’ ransomware attacks. Also, make sure the product is patched and up-to-date.

Further reading:

Social engineering and ransomware
Ransomware: Should you pay up?
The economics of ransomware recovery