“All your important files have been encrypted…” This simple phrase can cause chills in even the most prepared and protected organizations, because even if you have properly prepared, there is always the doubt: “Are you prepared enough?” For organizations that have not prepared, this pop-up message could mean the end of your business.
Ransomware is a form of malicious software; its goal is to block access to files or systems until the ransom is paid. Most of these attacks begin as some form of social-engineering attack, phishing email, or corrupted website with an attachment or malicious link. When the user is enticed into clicking the link or file, the ransomware is launched. Once it is running, the ransomware takes control of the system, and certain file types will be encrypted, then a “ransom note” is displayed with instructions on how to pay the ransom and regain access to the data.
Networking giant Cisco Systems issued a report that says, “Ransomware attacks are growing more than 350% annually”, with no real end to them in sight. The Cybercrime Magazine publisher Cyber Security Ventures tells us that “a business falls victim to a ransomware attack every 14 seconds.” We’ve seen these attacks in the media a lot lately, with the Russian-based cybercrime gangs such as Darktrace (Colonial Pipeline) and REvil (JBS Meat processing and IT service company Kaseya) targeting large companies across the world. However, small and medium-sized businesses shouldn’t feel safe and secure on the assumption that these gangs are only targeting large companies with deep pockets.
Small businesses may be a better target for cyber criminals than large corporations, because they still have data, information, and resources that the criminals can prey upon, but often lack the security staff, training, and infrastructure that larger businesses use to protect their assets. A recent survey by the U.S. Small Business Administration reports that “88% of small business owners felt their business was vulnerable to a cyber-attack.”
Ransomware tops the list of threats that small and medium-sized businesses (SMBs) face today and will likely be the top threat for many years. There are a lot of reports available on the cost of ransomware, with the low end of the ransoms being reported in the ballpark of $25,000 and the high end for SMBs being around $200,000. The FBI warns all businesses that beyond the ransom, there are recovery costs as well.
Those extra costs of dealing with a cyber-attack can be catastrophic to small and medium-sized businesses. Some of the costs can include the damage or destruction of a company’s data, lost productivity and downtime, loss of intellectual property, theft of identity data or financial data for staff and customers, time and resources for incident response and investigations, restoration of data and services, replacement of compromised systems, loss of customer faith, harm to reputation, company devaluation, possible lawsuits, and government, industry, or regulatory fines, fees, and censure. These extra costs can range from $150,000 into the millions, depending on the size and scope of the business, plus the intangibles like loss of consumer confidence and damage to reputation.
Cybercrime Magazine says that, “more than half of all cyberattacks are committed against SMBs, and 60 percent of them go out of business within six months of falling victim to a data breach or hack.” Those numbers are horrible, and the COVID-19 pandemic has made them worse. Since the pandemic began, almost half of the U.S. workforce that can work from home has been doing so, which complicates operations and introduces more risk. Your employees are accessing, generating, and sharing data from their home offices, living rooms, and kitchen tables, on networks that are not secure. Remote workers’ computers are not behind the company’s firewalls, and they are difficult to patch remotely even as they log into company resources and applications, increasing risk yet further.
What can SMBs do to protect themselves from these intrusions and extortions? The methods of protection have not seen the same level of advancement and development that ransomware itself has, but there are steps an SMB can take to minimize the risk and improve their chances of survival.
• Modern “Next Generation” firewalls are capable of intrusion prevention and deep packet inspection. These firewalls typically use live signatures (updated regularly) to block network exploits such as ransomware delivery, but they are only as good as their signatures.
• DNS filters and “blacklists” can be implemented to stop internal devices from connecting to known malware domains, whether to download malicious content or to “phone home” and communicate with the attacker’s malware command and control.
• Browser isolation for desktops can help avoid many “drive-by” exploits, where attackers plant malicious code on a website and wait for visitors. Browser isolation opens the target web page on a remote, secure server before the user does; if the destination is malicious, the user is stopped from going there and exploitation is prevented.
• A robust anti-malware or Endpoint Detection and Response (EDR) product can scan all files to make sure they are not malicious and protect your workstations (not a foolproof solution: many ransomware files are new, and no “signatures” exist yet to scan for).
• Email-security filters can be used to reduce spam and phishing attacks by watching for known email addresses, domains, malicious links and scanning documents, executable files, and zip files before they’re opened.
• An organization can impose “least privilege” on systems, restricting the types of software that can be installed on a device, as well as restricting the network shares users have access to. These restrictions can prevent a user from accidentally installing malware or, if a device is infected, from spreading it to network shares and other systems.
• User-awareness training helps a security team teach users how to spot and avoid potentially harmful or untrusted websites, how to spot suspicious emails, and how to report them to your security team.
• Back up all critical systems and data. If you do get hit by ransomware, the solution is a strong and robust backup plan, not paying the ransom. The best backup plans follow the 3-2-1 best practice for backup and recovery: keep at least three copies of your data, keep the backed-up data on two different storage media (hard drive/cloud, tape/DVD), and keep at least one copy off site.
• Lastly, if you do not have a robust security team, that does not mean you cannot use the above steps to secure and protect your business. Consider hiring a managed-security service provider (MSSP) who can manage your system upgrades and changes, security policies, vulnerability scanning, network monitoring, security-awareness training, and endpoint protection. If you cannot afford the staff and expertise to do it yourself, the cost of hiring an MSSP to do it for you is typically less than the cost of trying to recover from an attack you were not prepared for.
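The DNS-filtering item above says to stop devices from reaching known malware domains and to catch “phone home” traffic, but it does not show what that check looks like. The Python below is an added example, not code from the original column or from M.A. Polce: it matches DNS query names against a domain blocklist and reports which internal host asked for a listed name, which is the starting point for both blocking (a DNS filter) and detection (reviewing resolver logs after the fact). The blocklist entries, the client addresses and the log lines are constructed placeholders, not real indicators, and the log format (timestamp, client IP, query type, query name, space-separated) is an assumption chosen for the example. One detail the text does not mention is that a blocklist entry must also cover subdomains of the listed name, while a naive substring search would wrongly flag unrelated names that merely end in the same characters; the matching below walks label boundaries to get this right.

```python
"""Match DNS query-log lines against a domain blocklist (added example).

Assumed log format, one query per line, space separated:
    <timestamp> <client-ip> <query-type> <query-name>
All names, addresses and timestamps below are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed blocklist of placeholder domains; a real deployment would load
# a regularly updated feed here, just as the firewall signatures are updated.
BLOCKLIST = {
    "malware-c2.example",
    "bad-downloads.example",
}


def normalize(domain: str) -> str:
    """Lower-case a name and strip the trailing dot of a fully qualified name."""
    return domain.strip().rstrip(".").lower()


def is_blocked(domain: str, blocklist: set[str]) -> str | None:
    """Return the blocklist entry that covers `domain`, or None.

    An entry for malware-c2.example must cover cdn.malware-c2.example
    (a subdomain) but must not cover notmalware-c2.example, so the check
    walks the name one label at a time instead of doing a substring search.
    """
    labels = normalize(domain).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


@dataclass
class Hit:
    """One query from an internal host for a listed domain."""
    timestamp: str
    client: str
    query: str    # normalized query name
    matched: str  # blocklist entry that matched


def scan_log(lines: list[str], blocklist: set[str]) -> list[Hit]:
    """Parse log lines in the assumed format and return all blocklist hits."""
    hits: list[Hit] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or empty line; skip rather than crash
        timestamp, client, _qtype, qname = parts[:4]
        matched = is_blocked(qname, blocklist)
        if matched is not None:
            hits.append(Hit(timestamp, client, normalize(qname), matched))
    return hits


def hosts_to_review(hits: list[Hit]) -> dict[str, list[str]]:
    """Group hits by internal host so each device can be isolated and checked."""
    by_host: dict[str, list[str]] = defaultdict(list)
    for hit in hits:
        by_host[hit.client].append(hit.query)
    return dict(by_host)


# Constructed sample log: one benign lookup, one subdomain of a listed name
# (with a trailing dot), one look-alike that must NOT match, one upper-case
# exact match, and one malformed line.
SAMPLE_LOG = """\
2021-07-01T09:12:01Z 10.0.0.15 A www.vendor.example
2021-07-01T09:12:05Z 10.0.0.15 A cdn.malware-c2.example.
2021-07-01T09:13:44Z 10.0.0.22 A notmalware-c2.example
2021-07-01T09:14:02Z 10.0.0.22 TXT MALWARE-C2.EXAMPLE
garbage line
""".splitlines()


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, BLOCKLIST):
        print(f"{hit.timestamp} {hit.client} asked for {hit.query} "
              f"(blocklist entry: {hit.matched})")
    print("hosts to review:", hosts_to_review(scan_log(SAMPLE_LOG, BLOCKLIST)))
```

Run on the constructed log, the scan flags two queries (the subdomain with the trailing dot and the upper-case exact match) from two different internal hosts and leaves the look-alike name alone; in a DNS filter the same `is_blocked` decision would be applied before the resolver answers, so the device never reaches the listed domain at all.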
Jeffrey Isherwood is a cybersecurity analyst at M.A. Polce Consulting Inc., a Rome-based provider of managed IT and security services to businesses and nonprofit organizations.