Busting ransomware myths: why small businesses are exposed to attack
When it came to protecting its data, the agricultural business had a backup plan. In fact, it had a backup shed, so if a fire took out the main server, it would have perfectly synced backup data ready to go.
A fine plan for a fire, it was of little use against ransomware: the malware infected the company’s main system and was then synced to the backup servers as well.
It’s an example of how ransomware is turning business continuity planning on its head. Yet despite soaring ransomware attacks, a remarkable number of myths persist.
Myth 1: Ransomware attacks are a fringe threat
Ransomware attacks now make up a quarter of cyber incidents, costing an estimated $20 billion in 2020.
More importantly, ransomware is a growth industry, overtaking the drug trade as a lucrative source of funds. By 2031, the global ransom burden is estimated to climb to an incredible $265 billion, with attacks every two seconds.
Myth 2: Ransomware attacks are random
When ransomware first appeared, attacks seemed random – with victims singled out because they clicked a link or were fooled by phishing.
But the emergence of ransomware-as-a-service (RaaS) has allowed crime gangs to hire cyber attackers to use ransomware as a fundraising activity.
For these groups, volume is what matters, and ransom demands are set at a price point crafted to be within a small target’s means to pay.
Myth 3: Ransomware attackers only hit big business
Big targets make the news but most businesses affected are small to mid-size enterprises — in fact, 75 per cent of victims in 2021 had fewer than 1000 employees.
The reason lies in the weaker IT protection at many of these smaller companies, which usually outsource IT planning or services.
For these companies, attackers often compromise the Remote Desktop Protocol (RDP), a standard inclusion on many machines, or use email phishing techniques to gain access.
Myth 4: Your only option with ransomware is to pay
Between a third and a half of infected companies pay something to the criminals holding their data, but that is no guarantee of getting their files back.
In fact, a survey by cybersecurity group Sophos of 5400 companies found that, of those who were attacked and paid, only 8 per cent recovered their data in full. On average, only two-thirds of files were restored.
Up to 80 per cent of companies that pay are also attacked again a short time later.
Regardless of whether you pay, however, the real cost lies in fixing the vulnerabilities in your systems, estimated at 10 times the average ransom.
Myth 5: There’s nothing you can do to prevent an attack
No solution is a silver bullet but organisations can reduce the risk of successful attacks.
Keep systems up-to-date with the latest versions and patches, particularly common systems such as Microsoft Windows, Office and Acrobat Reader.
Train staff to identify phishing emails, reducing the risk of unleashing malware.
Seek technical advice on limiting ransomware spread or stopping its execution, so that systems can be isolated or protected.
And always have a recent, complete working backup, tested for recovery and completeness, that is kept isolated from the rest of your system. This is not the time to rely on the server in the shed.
This story originally appeared in our sister publication, Inside Small Business.