The Reality of a Ransomware Attack for a Small or Medium-Sized Business
Ransomware attacks on small and medium-sized businesses continue to rise. Is your company really prepared?
A decade ago, ransomware was a term referenced mostly among IT departments. For everyone else at the office, it sounded like a far-fetched concept only multinational companies or wealthy governments needed to worry about. Or maybe it was the title of Nicolas Cage's next movie.
Today, "ransomware" is a threat most business leaders are thinking seriously about – and if they aren't, they should be. Last year, 84% of organizations were victims of phishing attacks. Of those, 59% were hit with ransomware. That's a staggering number.
Those weren't just large companies, either. That number includes small and medium-sized businesses. In fact, smaller businesses are at increased risk for a few reasons:
1. They're often more vulnerable to cybercrime because their IT is less secure. They typically don't have an IT team monitoring for suspicious activity, patching and backing up systems, and standing ready to respond in the event of an attack. IT is often an afterthought for companies with smaller budgets (27% of small businesses do not have IT support).
2. That smaller budget also means that, should the company be hit by a cyberattack, its ability to recover is severely restricted. 60% go out of business within six months following a cyberattack.
While the increase in cybercrime in recent years isn't good news for small and medium-sized businesses, it has made IT security a priority for more companies. They're investing in reliable IT, hiring in-house pros or managed service providers, and purchasing cyber insurance. Many are in a better position than they were a few years ago. Many also just think they are.
The Reality of a Ransomware Attack
A ransomware attack hits a business hard. One minute things are humming along and the next – SCREECH – a message pops up on your computer alerting you to a business-halting hack.
In a nutshell, hackers deploy ransomware that encrypts all of your data, and they hold that data hostage until you pay them off. The ransom requested could be a few thousand dollars or a few hundred thousand. For a retiree in Tallahassee, that data might be photos of their grandkids or other important personal files. For a business, that could be customer data, financials, and vital intellectual property. It's important information that a business can't run without, so businesses often come to a standstill until they pay the cybercriminals. That alone could be a barrier too big to overcome – coming up with that kind of money in a matter of days is no easy feat, and there is usually a deadline to pay. Miss the deadline and the price goes up – or you lose your data forever.
If you've prepared, your company has cyber insurance to help cover the cost. But even that isn't an all-encompassing solution.
People often believe the most challenging aspect of recovering from a ransomware attack is getting their business up and running after paying off the hackers and gaining access to their data. But there's so much more to consider.
The truly challenging part is identifying how the cybercriminals got in and fixing it. Otherwise, the business is likely to get hit again. We've heard of organizations that paid a ransom and regained access to their data, only to be hit again a week later.
One of the biggest financial costs of a ransomware attack is the forensic analysis required to locate the security gap and block future threats. The culprit could be something as seemingly insignificant as a printer missing a patch. If that printer is reachable from the outside world, an attacker can connect to it and infect it, and from there it continues infecting other devices on the network.
Another unseen cost of ransomware: regulatory compliance. Depending on the industry your company is in, you're liable for communicating the attack to regulatory bodies, customers, and possibly the public as well. That can be a hefty public relations cost when done well. When executed poorly, the financial hit can be even more significant.
Real-World Example
We've been introduced to many small and medium-sized businesses AFTER they've been hit with ransomware. Each case is unique, but one real-world example does a good job of highlighting the unseen costs of ransomware, even when a company is endeavoring to do all the right things to protect itself.
A medium-sized manufacturing company was hit with ransomware. As usual, it was an unexpected attack in the form of a message on a computer screen: Your files have been encrypted. Pay $200,000 to get the key to unlock your files.
The company had invested in cyber insurance, which enabled them to pay the $200,000 ransom. But, hackers being hackers, the key they shared only allowed the company to unlock some of their data. The rest required another $250,000. Unfortunately, the company's cyber insurance policy only covered the initial $100,000, so the company was left to pay the rest...somehow.
While all this was going on, they did their best to continue production, managing shipping products with paper on clipboards and handwritten shipping labels because their printer was one of the many digital victims of the ransomware attack. After a couple of weeks, it was clear that the approach wouldn't work, and the company had to shut down and lay off its staff.
Ultimately, this company paid out $450,000 to the cybercriminals, and their business was halted for more than a month. Other companies are forced to shut down for even longer, an average of 2-5 months.
Add up the actual ransom paid, the revenue lost, and the forensic analysis required to find and fix the vulnerability, and it's a big financial hit. Not to mention the impact such an attack might have on customer trust and loyalty.
So, what was the initial vulnerability that opened the door to this ransomware attack? A simple, easy-to-guess password.
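A weak password was the root cause here, and that is one of the cheapest gaps to close. The script below is an added example (not code from the article or the company it describes) of the kind of password-policy check an IT person or assessor can run over a password list during an audit: it flags short passwords, common or breached choices (after undoing the usual "P@ssw0rd1!" substitutions), organization names, repeated characters and embedded years. The minimum length, the leet-substitution table and the small common-password set are assumptions constructed for the example; a real audit would load a large breached-password corpus instead.

```python
"""Password-policy audit check.

Added example, not the article's or the company's own tooling. The constants
below are assumptions for illustration: MIN_LENGTH is a policy choice, and
COMMON_PASSWORDS is a tiny constructed sample standing in for a real
breached-password list.
"""

import re

MIN_LENGTH = 14  # assumed policy value

# Constructed sample of weak choices; a real audit uses a large breached list.
COMMON_PASSWORDS = {
    "password", "password1", "welcome1", "letmein", "qwerty123",
    "summer2023", "company1",
}

# Common character substitutions that make a weak password look stronger.
LEET_MAP = str.maketrans("@0143$5!", "aoleassi")


def normalize(pw: str) -> str:
    """Lower-case, strip trailing digits/symbols, then undo leet substitutions,
    so 'P@ssw0rd1!' is compared against the list as 'password'."""
    stripped = re.sub(r"[\d!@#$%^&*]+$", "", pw.lower())
    return stripped.translate(LEET_MAP)


# Normalized view of the list so variants of each entry are caught too.
COMMON_NORMALIZED = {normalize(p) for p in COMMON_PASSWORDS}


def check_password(pw: str, org_terms=()) -> list[str]:
    """Return a list of policy findings for one password (empty means it passed).

    org_terms: words tied to the business (company name, product, city) that
    should never appear in a password.
    """
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")

    norm = normalize(pw)
    if pw.lower() in COMMON_PASSWORDS or norm in COMMON_NORMALIZED:
        findings.append("matches a common/breached password")

    for term in org_terms:
        if term.lower() in pw.lower() or term.lower() in norm:
            findings.append(f"contains organization term '{term}'")

    if re.search(r"(.)\1{2,}", pw):
        findings.append("contains a run of three or more repeated characters")

    if re.search(r"(?:19|20)\d{2}", pw):
        findings.append("contains a year")

    return findings


def audit(passwords: dict[str, str], org_terms=()) -> dict[str, list[str]]:
    """Run check_password over a {account: password} mapping and return only
    the accounts that have findings."""
    results = {}
    for account, pw in passwords.items():
        findings = check_password(pw, org_terms)
        if findings:
            results[account] = findings
    return results


if __name__ == "__main__":
    # Constructed sample accounts for demonstration only.
    sample = {
        "shipping-pc": "P@ssw0rd1!",
        "office-admin": "Summer2023!",
        "cnc-operator": "correct-horse-battery-staple-42",
    }
    for account, findings in audit(sample, org_terms=("Acme",)).items():
        print(f"{account}: {'; '.join(findings)}")
```

Run it against an exported list of local or service-account passwords after a reset campaign, or wire `check_password` into the account-creation process so weak choices are rejected before they reach a printer, CNC controller or remote-access login.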
The Best Solution Is Prevention
The company described above was endeavoring to do things right. They had an in-house IT person – a jack-of-all-trades who was doing their best to maintain security. They'd invested in cyber insurance. But it wasn't enough. Hackers will find the hole.
Luckily, they were able to get moving again and stay in business. We worked with them to do an in-depth assessment of their IT, identify security gaps, and map out a strategy to get their IT buttoned up (including a comprehensive response plan in case they're faced with an attack again in the future).
Doing this BEFORE an attack is the ideal approach. Not all companies can survive the attack in the first place.
Investing in cyber insurance is also wise, but even that isn't as easy as it sounds. Because insurance company payouts have dramatically increased in recent years in response to the increase in cyberattacks, insurance companies have raised the standards to get a policy in the first place. Your company will need to already be in a solid position security-wise to get a policy. (Read more: The rising tide of cyber insurance premiums in the age of ransomware)
Ultimately, the best solution to a ransomware attack is prevention.
If your company is ready to prioritize IT security, reach out to us. We'd love to help you understand where your security currently stands and what steps you can take to make it even better.