All organizations can be the target of ransomware, where users’ files or computers are taken hostage or system access is hindered for a ransom. And while big game hunting is on the rise — where ransomware operators target larger organizations with potentially larger rewards — ransomware frequently targets small and medium-sized organizations, including state and local governments that often are more vulnerable to attacks.
Explore Ransomware and Vulnerability Factors for Small and Medium-sized Businesses
Organizations of all shapes and sizes should continue to stay alert and on top of their security. This paper explains the impact of ransomware on small and medium-sized organizations, explores factors that lead to increased vulnerability and offers advice on how to protect and secure your organization.
Read this article to learn:
- Why company size does not ensure safety from ransomware attacks
- Why SMBs have a lot more to lose than they might think
- What some of the common vulnerabilities look like for SMBs, including the human factor
- How SMBs can protect against ransomware, prepare for a potential incident, and find help if they’ve experienced a breach
Table of contents
- Ransomware attacks: size does not ensure safety
- SMBs have what adversaries want
- Small size, big loss: SMBs have a lot to lose
- Health horrors
- Common vulnerabilities
- The human factor
- How to protect against ransomware
Ransomware attacks: size does not ensure safety
Small and medium-sized businesses (SMBs) fuel the economy, contributing to growth and innovation, but they often trail behind their larger counterparts when it comes to cybersecurity, leaving them vulnerable to malicious attacks. A cybersecurity lag had not worried SMBs in the past, as many believed their organizations fell under the radar for attacks and ransomware. While that attitude appears to continue for some businesses, recent studies suggest that times may be changing.
A study conducted by Paychex in 2017 reported that 68% of SMB owners were not worried about being hacked. That mindset was confirmed in a more recent study from 2019, where 66% of SMB decision-makers believed they were not a likely target. But another 2019 study suggested that awareness and concern may be changing. A report released in late 2019 by the National Cyber Security Alliance (NCSA) noted that 88% of the smaller-sized organizations it polled believed that they are at least a “somewhat likely” target for cybercriminals, including almost half (46%) who believe they are “very likely” a target.
While risk perception may vary, as different studies suggest, there is a good reason for growing concern: Verizon reported in its 2019 Data Breach Investigations Report that 43% of breaches involved small business victims. And unfortunately, only 30% of small businesses believe their IT security posture is strong against threats.
SMBs have what adversaries want
Small businesses are targeted for several reasons, from money and intellectual property (IP) to customer data and access.
Access may be a primary driver, because an SMB can be used as a vector to attack a larger parent organization or the supply chain of a larger target. Small business owners may not realize their value to attackers, as news reports about ransomware highlight attacks on larger organizations far more often than on smaller ones, perpetuating the false sense of security that ransomware risk scales with size and profitability.
Small size, big loss: SMBs have a lot to lose
Cybercriminals have a lot to gain by targeting SMBs, and unfortunately, SMBs have even more to lose. According to KnowBe4, the average ransom requested from SMBs is about USD 4,300. While that amount may seem insignificant, the same report noted that the average cost of downtime related to a ransomware incident is much higher, at about USD 46,800.
Some ransomware attacks encrypt computer files and hard drives, locking users out of their devices and data, while other variants of ransomware can access user data and release or sell it to third parties, leading to data breaches and higher losses.
While larger organizations, including FedEx, which was hit by NotPetya ransomware and attributed $300 million in losses to the attack, are better equipped to absorb huge losses and continue to prosper, that is not the reality for many small businesses. Smaller organizations can lose more than just money in a ransomware attack: the attack can damage their reputation and diminish their chance of survival. Research indicates that 60% of SMBs in the U.S. that experience cyberattacks go out of business within six months.
Due to their smaller size and limited resources, SMBs have a harder time absorbing the extra cost of a ransomware attack and the strain on customer relationships. And the perception that they are not a target means smaller businesses often don’t have the personnel or cybersecurity budget in place to protect themselves, making a bad situation even worse. The Ponemon Institute study noted that 77% of small businesses said they didn’t have the personnel to mitigate cyber risks and breaches, 55% didn’t have the budget and 45% didn’t know how to protect themselves against attacks.
The idea of a ransomware attack shutting down a business may seem unrealistic, but unfortunately, it is a real risk.
Health horrors
In April 2019, Brookside ENT and Hearing Services, a small medical practice run by two doctors in Michigan, was hit with a ransomware attack that deleted and overwrote every medical appointment, bill and patient record. It also deleted the backups and left behind a duplicate of the deleted files that could be unlocked if they paid USD 6,500 in ransom. The doctors refused to pay the ransom and continued to show up to the office to assist patients. Because the files and records were deleted, they had no way of contacting the patients to cancel or reschedule appointments. After a few gruelling weeks, the practice was forced to shut down, and the doctors settled for early retirement.
This is the first case in which a medical practice had to shut down due to a ransomware attack. In this case, like many others, having backups in place was not enough to protect against a ransomware attack, and the small practice was forced to shut down because it was not able to absorb both the financial and time-consuming burdens necessary for remediation.
Common vulnerabilities
The success of ransomware attacks on small businesses can be attributed to the unique challenges associated with smaller size and also the more ubiquitous challenges faced by organizations of any size: the human element.
While a work-issued computer is common and even expected in larger organizations, smaller organizations do not always provide work computers and instead may rely on employees using their own devices. These devices are used both for work-related purposes, including accessing and storing privileged documents and information, and for personal activities such as browsing and searching. These dual-purpose machines hold high volumes of both business and personal information, including credit card details, email accounts, social media logins, and personal photos and content. AppRiver’s 2019 survey found that 48% of SMBs do not store their most important and confidential data exclusively on a secure network; instead they disperse it across multiple unsecured locations or are unsure where the data is stored. Blind spots in data access and storage, combined with inconsistent or inadequate security coverage, quickly lead to gaps in cyber protection and increase risk.
The human factor
For organizations of any size, employee behaviour, from oversharing on social media to clicking any link that comes their way, is a concern, and it is a definite risk factor for smaller organizations. 77% of SMBs are concerned about social media use as a cybersecurity risk, highlighting Facebook as a major concern for employees. Social media platforms are hubs for spam accounts, and while many are harmless, certain accounts carry well-disguised pop-ups and web links that lead to ransomware. Employees may also overshare on Facebook and attract scammers who research the business and launch social engineering efforts. Social engineering can take many forms, from simple fake accounts gathering information to full-blown spear-phishing attacks claiming to be an employee’s boss or colleague. Spear-phishing via compromised emails is the primary point of entry for many ransomware attacks. Victims are more likely to open these emails and click the links within because the sender appears to be a known entity: a trusted source, colleague or manager.
KnowBe4 released results of its phishing email testing services and revealed that of the users that clicked on the phishing email tests, 56% were related to LinkedIn messages. Social media platforms such as LinkedIn and Facebook are generally trusted by users, making those channels prime sources for collecting information and fueling phishing campaigns.
How to protect against ransomware
In September 2019, the U.S. Department of Homeland Security published an article outlining measures organizations should take to handle the threat of ransomware. The article provides advice on how to protect against ransomware, how to prepare for a potential incident, how to recover and where to find help. It includes practical recommendations ranging from keeping systems patched and up to date to training end-users and creating and executing an incident response plan.
Keep in mind that while backups are a good defence, they must be protected as well, as they are often the first thing attackers cut off or try to destroy in an environment. Making sure files are backed up, properly secured and accessible separately, even in a compromised environment, is a standard precautionary measure and also speeds remediation in the event of a ransomware attack.
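One way to confirm that a backup set is still intact before it is needed, as an added example that is not from the original article or from CrowdStrike: a manifest of file hashes, authenticated with an HMAC, is kept on a system the protected environment cannot write to, and the backup is compared against it to surface deleted, overwritten or planted files. The file contents and key below are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample backup set: relative path -> file contents. Stands in for
# the files on a backup volume; a real check would read them from disk.
ORIGINAL_BACKUP = {
    "records/patient_0001.json": b'{"name": "A. Example", "appt": "2019-04-02"}',
    "records/patient_0002.json": b'{"name": "B. Example", "appt": "2019-04-03"}',
    "billing/invoices_2019Q1.csv": b"id,amount\n1,120.00\n2,80.00\n",
}
# Assumption: the key lives with the manifest on a host the backed-up
# environment cannot write to, never on the protected host itself.
MANIFEST_KEY = b"example-key-stored-off-host"


def _manifest_body(entries: dict) -> bytes:
    """Canonical byte form of the manifest so the HMAC covers every path and hash."""
    return "\n".join(f"{p} {h}" for p, h in sorted(entries.items())).encode()


def build_manifest(files: dict, key: bytes) -> dict:
    """Record a SHA-256 digest per file and authenticate the whole list with an HMAC."""
    entries = {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}
    mac = hmac.new(key, _manifest_body(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}


def verify_backup(files: dict, manifest: dict, key: bytes) -> dict:
    """Report files deleted, overwritten or added since the manifest was made.
    A manifest whose HMAC no longer matches is rejected outright (tampered or wrong key)."""
    expected = hmac.new(key, _manifest_body(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return {"manifest_ok": False, "missing": [], "modified": [], "unexpected": []}
    entries = manifest["entries"]
    missing = sorted(p for p in entries if p not in files)
    modified = sorted(p for p in entries
                      if p in files and hashlib.sha256(files[p]).hexdigest() != entries[p])
    unexpected = sorted(p for p in files if p not in entries)
    return {"manifest_ok": True, "missing": missing, "modified": modified,
            "unexpected": unexpected}


# Constructed post-incident state: one record deleted, one overwritten, a note dropped.
DAMAGED_BACKUP = {
    "records/patient_0002.json": b"ENCRYPTED",
    "billing/invoices_2019Q1.csv": ORIGINAL_BACKUP["billing/invoices_2019Q1.csv"],
    "README_TO_RESTORE.txt": b"pay to recover",
}
```

Run `verify_backup` on a schedule against the manifest held off-host; a non-empty `missing` or `modified` list, or `manifest_ok` being false, is the signal to investigate before the backup is relied on.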
Implementing proper employee training is also an essential practice to help keep your brand and your business secure. Keeping employees up to date on awareness practices, including not clicking links or downloading attachments from suspicious emails and checking senders’ email addresses, is essential for reducing successful phishing entry attempts.
Adopting an effective endpoint protection solution is another key method to defend your organization.
Source: CrowdStrike