Examining the high cost of ransomware for SMBs.
These days, no one is immune to the perils of ransomware. Hackers aren’t just targeting big business — ransomware is particularly effective with small businesses, as well as non-profits, schools and hospitals. In short, anyone with critical data — and who may not be prepared to deal with a ransomware attack — is a target.
And the costs are higher than many realize…
What exactly is ransomware?
Ransomware is a type of malware that encrypts your data, making it inaccessible until a ransom is paid (typically in bitcoin) for a decryption key. And it’s evolving to become even more malicious.
Jigsaw, for example, comes with a countdown clock, so the longer it takes you to pay up, the more files you lose.
It’s a problem that isn’t going away, in part because it’s been so successful for hackers. While massive ransomware attacks such as WannaCry grab headlines, it’s the smaller and more targeted attacks that are perhaps of greatest concern. After all, if you can get your data back for $300, why not?
How much money do hackers want from me?
In many cases, hackers aren’t asking for an exorbitant amount of money. The average ransomware attack yielded $1,077 in 2016, according to Symantec’s 2017 Internet Security Threat Report. (That, however, is a 266 per cent increase from the prior year — and we can expect that to keep escalating, so long as ransom demands are being met.)
Still, a small business can typically afford $1,000, and perhaps that’s why some of them pay up. But consider this — the cost to your business is much higher than the sum of the ransomware payment…
What are the other costs?
First off, there’s the cost of downtime. Even if the hackers provide a decryption key for your data, it could take weeks to fully restore systems and ensure all malware has been removed (and that no backdoors have been installed). Many smaller organizations don’t have those capabilities in-house, so they’ll need to hire cybersecurity experts — and that’s another unexpected cost.
Also consider the cost of lost productivity, both during the attack and in the aftermath of an attack — not to mention the damage it could do to your reputation. And, depending on which industry you’re in, you could face government fines if sensitive data is breached.
Even if you do pay up, it doesn’t mean you’ll get your data back. According to research from Trend Micro, nearly 33 per cent of firms in the U.K. that paid the ransom failed to get their data back. Or, hackers may release some of your data and demand more money for the rest of it. Even if they do fully release your data, it sets up your organization as a soft target for further attacks.
Do ransomware-style attacks actually happen to SMBs?
You bet, and they may be more prevalent than you realize.
A multi-country survey of 1,054 companies with less than 1,000 employees found that more than one-third of those surveyed experienced a ransomware attack in the past year, and 22 per cent of those impacted had to cease operations immediately. The survey, conducted by Osterman Research, also found that those impacted lost more than $100,000 per ransomware incident due to downtime.
How do I protect my company?
The best defence is to avoid being a target in the first place. Make sure your systems are patched and up-to-date, with anti-malware protections in place. But perhaps most importantly, train your employees. Anti-malware is useless if an employee opens the door to hackers by clicking on a malicious link or opening a harmful attachment.
“Ransomware is primarily delivered via a phishing email, which means your users have to be trained to identify it in order to prevent it, making antivirus ineffective at stopping ransomware,” Stu Sjouwerman, CEO of KnowBe4, told Infosecurity Magazine.
But training isn’t foolproof, either. “Ransomware is so successful because it relies on a human element, and as much as we hate to admit it, humans are fundamentally flawed,” writes Jennifer Blatnik for SecurityWeek.
“It’s for this reason that WannaCry continued to impact computers well into the week following the initial attack, despite many organizations spending all weekend notifying their employees and the public and fixing the issues that hit during the business day on Friday.”
So, you need a plan of action, in case you unwittingly become the victim of a ransomware attack. The No More Ransom Project developed by Europol and industry partners offers decryption tools for some variants of ransomware. In other cases, though, there’s little you can do except cut your losses — unless you’ve properly backed up your data.
Keep in mind, a backup is useless if it’s linked to an infected device (meaning your backup will be infected, too). Follow the 3-2-1 rule: Have at least three copies of your data, using two different media formats, one of which is offsite.
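As an added example (not from the original article), the following Python checks a constructed backup inventory against the 3-2-1 rule and also flags any copy the production host can write to, since such a copy would be encrypted along with the live data; the inventory and its field names are assumptions.

```python
"""Check a backup inventory against the 3-2-1 rule and flag copies that
ransomware on the production host could reach.  Added example with a
constructed inventory; not part of the original article."""
from dataclasses import dataclass


@dataclass
class BackupCopy:
    name: str
    medium: str               # e.g. "disk", "tape", "cloud" (assumed labels)
    offsite: bool
    writable_from_prod: bool  # mounted or shared so production can write to it


def check_backups(copies):
    """Return a list of findings; an empty list means the inventory is compliant.

    Checks: at least 3 copies, at least 2 distinct media, at least 1 offsite,
    and no copy that a compromised production host could overwrite or encrypt.
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 needs at least 3")
    media = {c.medium for c in copies}
    if len(media) < 2:
        used = ", ".join(sorted(media)) or "none"
        findings.append(f"only one medium in use ({used}); need 2")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    exposed = [c.name for c in copies if c.writable_from_prod]
    if exposed:
        findings.append("writable from production (would be encrypted too): "
                        + ", ".join(exposed))
    return findings


# Constructed sample inventories (not real data)
WEAK = [
    BackupCopy("nas-share", "disk", offsite=False, writable_from_prod=True),
    BackupCopy("usb-drive", "disk", offsite=False, writable_from_prod=True),
]
GOOD = [
    BackupCopy("nas-pull", "disk", offsite=False, writable_from_prod=False),
    BackupCopy("weekly-tape", "tape", offsite=False, writable_from_prod=False),
    BackupCopy("cloud-immutable", "cloud", offsite=True, writable_from_prod=False),
]

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK), ("good", GOOD)):
        print(label, check_backups(inventory) or "compliant")
```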
A ransomware attack will still cause headaches, but if you are prepared, hackers won’t be able to control you or your data.
About the Author
Vawn Himmelsbach is a freelance writer and editor based in Toronto. She has covered technology and travel for 15 years, for media outlets such as CBCNews.ca, The Globe & Mail, Metro News, ITBusiness, PCworld Canada and Computerworld Canada. She also spent three years living abroad and working as an Asian correspondent.