The Harsh Cyber Reality Facing SMBs
Since 2016, searches for ‘ransomware’ have increased 877 percent, and ransomware payments have become a multi-million-dollar business, according…
September 22, 2017 at 03:51 PM
7 minute read
The original version of this story was published on Law.com
Since 2016, searches for 'ransomware' have increased 877 percent, and ransomware payments have become a multi-million-dollar business, according to Google. More and more hackers are targeting small to midsized businesses (SMBs) more frequently than large enterprises, but many don't have the right tools to protect themselves, or realize the risks.
According to the SEC, 60 percent of SMBs who suffer a cyber-attack go out of business within six months. Why? For many SMBs it may seem cheaper to pay a ransom than to invest in sufficient cyber protections or, after an attack, conduct a post-breach assessment. Proactive preparation for the technical and financial impact of an attack is the best defense.
Jason Hogg, CEO, Aon Cyber Solutions, sat down with Inside Counsel to discuss what SMBs should be doing to protect themselves and their bottom line, as well as provide cost-effective best practices for businesses looking to address the risk before they become the next victim.
The increase in attention that ransomware is receiving reflects the sharp increase in ransomware attacks against companies, and the rise in the financial damage that these attacks have been causing. Research has found that ransomware has risen over 250 percent during the start of 2017, and another report predicts that ransomware damage costs would exceed $5 billion this year. Largescale incidents like WannaCry and NotPetya within the last year have brought more awareness to the damage these incidents can wreak, and are a wake-up call to businesses to think about the levels of protection they have in place.
Typically, through ransomware attacks, hackers can extort anything from a few hundred to thousands of dollars. Many organizations look at the cost of the fine and weigh that against what they believe are the huge costs of proactively implementing cybersecurity practices. Many feel the most cost-effective thing to do is just to take on the risk and then pay the fine if they get hit, so most companies decide to pay up.
“This is flawed logic, however, as the costs of the ransomware attack extend far beyond the cost of the ransomware payment itself,” explained Hogg. “The financial impact that ransomware causes through interrupting normal business operations while the attack is being dealt with and files are held hostage is significant. Because small businesses tend not to have appropriate protections in place, they are often the worst hit – with recent studies showing that downtime and the potential of businesses paying the hackers costing SMBs over $100,000 per incident. In total, ransomware attacks have cost SMBs more than $75 billion in damages and payments.”
To conduct a successful ransomware attack, per Hogg, a hacker relies on a company's lack of preparation – for example, its inability to recover its files from regular back-ups, and prevent the ransomware spreading throughout its systems. It's because of this reason that attackers are increasingly targeting SMBs – they tend to be easier to catch off guard, meaning the attackers can more easily recoup a ransom payment, or simply cause severe business downtime.
“This is because SMBs usually have fewer resources to invest in the preventative measures that help them fend off an attack – such as training and awareness among employees and creating regular data back-ups,” he said. “They are also less likely to have the resources to invest in creating a solid business continuity or recovery plan to put into action if they are attacked, including having a cybersecurity firm on IR retainer.”
In a recent small business survey, only two percent of the small business owners surveyed said they viewed the ransomware threat as their most critical issue. Hackers have breached half of the 28 million small businesses in the U.S. In addition, many SMBs feel they are not able to prioritize cybersecurity when they must make tough decisions on budget. it makes sense that a SMBs would expect that cyber criminals have bigger fish to fry in attacking large multinational corporations for more money.
“In many of the most recent ransomware attacks, we have seen criminals demanding a small amount of money, suggesting that causing mass disruption to businesses is the goal,” Hogg pointed out. “Recent research has shown that SMBs often find themselves unable to absorb the costs associated with this disruption.”
According to recent findings, 22 percent of SMBs that experienced a ransomware attack were forced to stop business operations immediately. Additionally, one ransomware attack can cause 25 hours or more in downtime for SMBs, which is a lot of lost revenue and damage to customer relationships and other third parties that depend on them, according to Hogg. This downtime can also cost SMBs as much as $8,500 per hour – in some cases, SMBs may even find that they are sued for third party losses caused by the attack, adding further to the financial impact.
He said, “Unlike larger organizations, with more financial reserves, many of these businesses don't have any leeway in their finances to make up for that loss in downtime. For some of them, that means they can never recover from the ransomware attack.”
So, what should SMBs be doing to protect themselves and their bottom line?
“Given the deep impact that ransomware attacks can have on businesses in terms of their ability to operate, SMBs need to be evaluating their technical vulnerabilities, but also looking at the effect these vulnerabilities could have on the business from a financial perspective,” explained Hogg. “In this sense, they should be taking a truly holistic approach to protecting themselves against ransomware. This means taking proactive action ahead of an attack.”
A few questions SMBs should ask themselves include: When was the last time you reviewed your company's disaster recovery and business continuity plans? Can you identify where all your mission critical data resides and whether regular backups are being made? Have you tested restoring data from the backup? Is the speed of data recovery acceptable? Do you have adequate network segmentation to contain the ransomware attack to a certain segment? Does your cyber insurance policy provide adequate coverage?
“Thoughtful, proactive planning to protect from the business from the impact of possible future attacks is how companies really begin to secure themselves,” he said. “However, SMBs often do not have significant budgets for extensive cybersecurity programs.”
Despite this, according to Hogg, there are fundamental proactive prevention efforts and best practices that SMBs can implement to ensure they have robust technical prevention controls in place and increase their level of resilience. First, conduct full awareness training for employees around the ransomware, including creating and testing a solid business continuity and recovery plan that teams can activate in the event of a ransomware attack. Next, creating backups is key, but more important is the granularity of the backup solution. Using a system that allows the creation of snapshots in time or maintaining multiple versions of documents as they are created over the course of the day can allow a company to restore to a specific point in time prior to the backup with minimal loss of productivity.
Third, smaller businesses may not be able to perform regular snapshots of their systems but should at a minimum consider setting up daily backups or a differential backup that is disconnected from the network. This will help prevent accidental corruption or encryption of important files in the event of a ransomware incident. And Lastly, whenever an attacker has intruded upon a company's system, whether that's through a default password on a smart device or a vulnerability in their perimeter caused by delaying an update, adaptation to prevent an attack from happening again is essential. An organization could be negligent if they haven't plugged up certain holes that they were aware of.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllGC Pleads Guilty to Embezzling $7.4 Million From 3 Banks
GC With Deep GM Experience Takes Legal Reins of Power Management Giant
2 minute readLegal Departments Gripe About Outside Counsel but Rarely Talk to Them
4 minute read'Serious Disruptions'?: Federal Courts Brace for Government Shutdown Threat
3 minute readTrending Stories
- 1The Tech Built by Law Firms in 2024
- 2Distressed M&A: Mass Torts, Bankruptcy and Furthering the Search for Consensus: Another Purdue Decision
- 3For Safer Traffic Stops, Replace Paper Documents With ‘Contactless’ Tech
- 4As Second Trump Administration Approaches, Businesses Brace for Sweeping Changes to Immigration Policy
- 5General Warrants and ESI
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250