By Jim Kandrac, President and Founder, UCG Technologies | Published by IBM Magazine – Power Systems
It’s disheartening to read stories like the one about Wood Ranch Medical in Simi Valley, California. In August 2019, its servers were hit by a ransomware attack so devastating that the clinic was unable to recover data even from its backup drives. The loss of the medical records of its nearly 6,000 patients was too much to handle and the clinic shut down on Dec. 17.
Stories like these are becoming all too common as ransomware tracks toward becoming an $11.5 billion market this year. They also dramatize the vulnerability of smaller businesses to this new breed of cybercrime, as cybercriminals increasingly target what they believe to be the most vulnerable victims: small and midsize businesses (SMBs).
Yet even as data breaches have become a headline topic nearly every day, many end users continue to turn a blind eye to the risks to their businesses. They think it won’t happen to them despite the consensus of many security professionals that nearly every business has already been breached by attackers who typically leave back doors for their return visits. And you might be surprised to learn that small businesses are at greater risk than enterprises.
Smaller firms are less able to withstand this new breed of attack, in which ransom demands can cost millions. Datto found that 85% of MSPs reported ransomware attacks against SMBs over the last two years, with 56% seeing attacks in the first six months of 2019. Malwarebytes found that 22% of companies that are attacked cease operations immediately. Smaller businesses are the most vulnerable to a catastrophic impact. Unfortunately, they’re also increasingly in cybercriminals’ crosshairs: 43% of cyberattacks last year targeted small businesses, according to Verizon.
Despite all of this evidence, our experience indicates that many organizations are still frustratingly blasé about shoring up their cybersecurity defenses. One company signed up its entire 1,000-person workforce for a security training program, but just over one-third of employees bothered to show up. Partial awareness is as bad as no awareness at all.
At another company whose employees had completed a training program in phishing awareness, 20% of the people who were sent a test phishing email clicked on a link they didn’t recognize. Given that four out of five malware infections start with phishing, according to Positive Technologies, such a lack of awareness is an invitation to disaster.
IT managers are keenly aware of the threats facing their businesses, but their requests for cybersecurity funding are often brushed aside by senior executives who believe their companies are too small to command the notice of cybercriminals. Ironically, executives who throttle spending on security think nothing of writing large checks for liability insurance while leaving their data exposed.
Executives who believe their companies are too small to merit the attention of bad actors fail to see how the landscape has changed. Thanks to massive data breaches in recent years, credit card numbers and personally identifiable records are now literally a dime a dozen on the dark web. “Criminals already have a mountain of private health information and personally identifiable information,” says Justin Reinmuth, president of The Technology Risk Underwriting Group (techrug), a Columbus, Ohio-based insurance agency that specializes in cyberprotection. “Now they’re focused on tricking you into sending money or shutting down systems for a ransom. This is a money grab.”
Social engineering and spear phishing attacks are the new frontier of cybercrime. The bad guys use targeted email, spoofed communications from suppliers and business partners, and fraudulent EFT requests to convince their victims to send them money, believing that it’s for legitimate business purposes. Ransomware is now big business. The average ransom demand nearly doubled this year to almost $13,000, according to Coveware, and the cost of downtime to victims can be many times that amount.
It isn’t hard to guess which companies are the favorite targets of these focused attacks: SMBs, which are the least likely to have sophisticated protections in place and the most inclined to do business on a handshake. It’s not surprising that nearly 70% of ransomware attacks in 2018 targeted small businesses, according to insurer Beazley Group.
Another irony for frugal executives is that the most effective tactics for avoiding ransomware and spear phishing attacks are relatively inexpensive: frequent encrypted backups, employee education, multifactor authentication, email scanning and domain filtering. These five practices can collectively prevent the majority of security breaches. Costlier protections like intrusion detection and prevention systems and firewalls are now available as services on an affordable subscription basis.
An increasingly popular option is cybersecurity insurance, which is now nearly a $2 billion market, but don’t look at these policies as “get out of jail free” cards. For example, techrug requires potential clients to respond to a 42-question risk assessment form that covers everything from policies to perimeter security. Its approach is “trust but verify,” Reinmuth says. “We’re pretty aggressive about the risk assessment, but that allows us to negotiate favorable rates” for companies that take security seriously.
Lower insurance rates are just one payoff of enhanced cybersecurity awareness. The bigger dividend is one I hope you never have to cash in: It just might keep your company in business.