Small business owners are making a grave mistake if they assume their firms are not a prime target for cyberattackers. Not only are small and medium-sized businesses (SMBs) a prime target, but such an attack can be detrimental to a small company without the resources to combat a security threat.
Nearly half of the small businesses surveyed by Hiscox last year said they had been targeted by at least one cyberattack, while 44 percent said they were hit by between two and four attacks. Issues like phishing and the Business Email Compromise (BEC) are top concerns, yet ransomware cannot be ignored as a destructive force.
Small and medium-sized businesses coughed up a total of $301 million to ransomware attackers in 2016 to regain control of their computers, according to analysis from Datto’s 2017 “State of the Channel Ransomware Report.”
In a survey of 1,700 managed service providers (MSPs) that work with a combined 100,000 SMBs, Datto found that 99 percent of respondents agree ransomware attacks will probably pick up this year and next. Of MSPs surveyed, about 75 percent said their SMB customers experienced “business-threatening” downtime as a result of a ransomware attack, said Datto’s chief technology officer, Robert Gibbons.
Researchers noted that it’s not surprising that some businesses are so willing to pay the ransom.
“The impact of downtime affects SMBs far more than the cost of ransom requests,” said Gibbons, a finding that suggests entrepreneurs may pay ransom in hopes of quickly regaining control of their devices.
Paying a cyberattacker doesn’t guarantee the recovery of files and control of systems, analysts warned, with 15 percent of SMBs that paid the ransom reporting that they were never able to recover data.
Dale Shulmistra, president of Invenio IT, said that the most effective strategy to not only protecting a small business against a ransomware attack, but ensuring that downtime is as minimal as possible, is to regularly back up data.
“No single defense solution is guaranteed to prevent a ransomware attack,” Shulmistra said. “The most effective means for business protection from ransomware is a backup and disaster recovery solution, followed by cybersecurity training.”
Consumers and businesses do appear to be fighting back.
Cybersecurity experts have urged victims not to pay ransomware attackers for years. CyberEdge Group’s 2018 Cyberthreat Defense Report found that, while 55 percent of businesses were hit by a ransomware attack last year, only 19 percent paid the ransom. For those that refused to pay, the vast majority were also able to recover their files thanks to regularly backing up their systems.
That’s down from the 35 percent of SMBs that told Datto surveyors in 2017 that they paid the ransom, and signals a continuing downward trend, and even further down from the 41 percent of companies that paid the ransom in 2016.
Businesses surveyed by Radware confirmed that the loss of data is their most pressing concern with regard to cybersecurity. Radware also found that many businesses fail to calculate the cost of cyberattacks, are unsure of how to safeguard their Internet of Things devices and one-third of survey respondents have yet to come up with a cyberattack emergency response plan.
While ransomware is far from the only attack threatening businesses today, regular backups and determination not to pay the ransom can be effective measures for businesses, even when they may lack broader understanding and adoption of more sophisticated cybersecurity strategies and tools.
“Paying a hacker in these situations not only incentivizes further attacks,” said Carl Herberger, vice president of security solutions at Radware, “but it provides criminals with the vital funds they need to continue their operations.”