Up until recently, it was thought that companies only needed a detailed security program if they were handling sensitive data. If you weren’t collecting customers’ credit card information, data related to their personal health or wealth, or other private data, you were likely safe from the most persistent cyberattacks, specifically ransomware attacks. With ransomware, an attacker can lock up your business’ data or systems and demand your business pay a sizable ransom to decrypt and unlock said data. The larger the organization and more valuable the data, the higher the ransom. Because small and mid-sized businesses (SMBs) weren’t collecting valuable sensitive data, they assumed they were safe. Worst case, they’d pay a small fee if they were unexpectedly hit.
But in the last several years, the way hackers use ransomware has changed drastically, and it’s left every business vulnerable.
Today’s hackers are no longer solely focused on locking up sensitive customer data—they’re stealing company data and threatening to post it online if companies don’t pay or pay quickly enough. This information can be anything that would result in bad press, a lawsuit, or embarrassment for the brand, an executive or an employee if made public. They’re looking for emails between you and your mistress or emails between colleagues who are venting about their boss or their customers. Hackers are also pulling salaries that show the discrepancies in pay for people doing the same job. If an email or system contains information you wouldn’t want the general public to see, it’s of value to an attacker and can be used as leverage to persuade you to pay the ransom.
They’re also using more sophisticated tools and running scripts that scour the internet and send thousands of automated phishing emails to companies of all sizes. Their attacks are no longer highly targeted. They’re casting a wide net and taking advantage of any fish—big or small—that swims in.
With this shift, attackers are increasingly hitting SMBs with ransomware attacks. In fact, an Iowa grain co-op—arguably the least likely business to appear on a hacker’s radar—was recently hit with a $6 million ransom.
So what does all of this mean? It means that everyone is a target, and ransomware is simply a side effect of existing on or using the internet.
Though the ransom for an SMB may be smaller than that of a Fortune 100 company, the results of a ransomware attack can be catastrophic and extend well beyond the amount of the ransom itself. In fact, the National Cyber Security Alliance estimates that 60 percent of companies that have experienced a data breach go out of business within six months.
That’s because when a bad actor attacks, they don’t just lock up the incriminating data. They lock up all your systems and your business can’t function as it should. Businesses are designed to continuously keep customers happy. But if your computer or your email doesn’t work, you can’t communicate with customers, place inventory orders, fulfill customer requests, keep your manufacturing lines working or access the systems you need to ensure your business is operating smoothly. Even a few days offline can be devastatingly costly.
If the kidnapped information is leaked, it could result in excessive costs related to bad press and lost customers or even lawsuits. Recovering from a ransomware attack is no longer only about getting your data back or recovering files from your backups. It’s about minimizing the costs to ensure your SMB survives the attack.
One of the ways businesses have historically tried to minimize the financial devastation caused by a cyberattack is through cyber insurance. When a business would purchase liability insurance, a rider often included coverage for cyberattacks for a nominal fee. But over the years, insurance companies have had to pay too many ransoms, so the cost of cyber insurance has increased dramatically to the point where many SMBs can’t afford it.
In addition to the hike in premiums, many insurance companies are refusing to cover businesses that don’t have certain cybersecurity capabilities in place. Your business needs to be able to prove that you’re being diligent about security to get coverage from your insurer, and many businesses don’t have the experience in house to set up these solutions.
Because every business is now susceptible to ransomware attacks, which are proving to be very profitable, ransomware has become a booming industry. More and more players are flooding into the space and many of these hackers are talented. Cyberattacks are no longer orchestrated by lone wolf hackers. There are malicious companies building new, better versions of malware and selling it to hackers and sharing profits. The Italian Mafia has invested heavily in cyberattacks and even nation-states are getting in on the action.
In short, the industry is getting pretty aggressive, and the pool of attackers is growing significantly, as are the profits and tools they’re using to break into your environment. So if you haven’t invested in cybersecurity, now is the time to do so.
Unfortunately, SMBs rarely have in-house security teams that can provide the necessary coverage, partially because they weren’t needed until recently. If your company didn’t have a regulatory obligation to secure your data, you didn’t need to invest in a strong security posture. Many SMBs will ask their IT person to take on security responsibilities, but IT and security are drastically different and require a completely different set of skills. It takes decades of dedicated work to understand how to create a secure environment and it’s unlikely that IT will be able to make an impactful change at your organization in a few weeks or even months.
It’s also worth noting that IT probably doesn’t want to take on security. Beyond the herculean task of learning about effective cybersecurity tactics, and the 24×7 nature of a security role, security is often seen as something that gets in the way. And, if you focus on the wrong items, it will be. An effective cyber defense requires a culture shift to embrace security, which is a lot for one person to take on. You need to start building tools and processes with security in mind. And if security is new to your business, you likely need to weed out a lot of bad practices while spending limited dollars in areas where you can actually reduce your company’s risk.
The person—or people—tasked with implementing security best practices at your organization needs to present new changes without upsetting the people who have to implement these changes. If done poorly, implementing new security measures can cause friction and pit one employee’s process against another’s. Change is typically accepted faster when an outside agency is highlighting the shortcomings and offering solutions, which is why I often recommend outsourcing your security efforts to an expert.
Outsourcing your security efforts to an MSSP like SolCyber is an incredibly easy and effective way to protect your small or mid-sized business from a ransomware attack. MSSPs can act fast to increase your security posture and they provide the 24×7 protection you need to remain safe. They’ll even proactively hunt for predators and scan your systems for new forms of malware to prevent a breach from occurring. They can also help lead the culture shift that puts security at the forefront of the way you conduct business.
Stay tuned for our blog on why frameworks don’t work, and in the meantime, read some of the other articles on the SolCyber blog to learn how you can further protect your business from an attack.
Scot Hutton is a retired Marine and current IT executive who puts people first. He leads the information security program for a 20+ billion-dollar real estate firm. He specializes in creating a better human experience and safe working environments with security controls that don’t limit human potential by focusing on “Security that Matters.”