A well-known hypothesis posits that businesses become more effective over time, developing methods to reach maximum efficiency. And that process has been taking place in the hacking business as well. It turns out that ransomware – where hackers lock up a system until a ransom is paid – is the most efficient form of hacking, requiring the least amount of work for the highest possible payout.
With ransomware, hackers don't have to vet the data they compromise, and it doesn't matter how big or small a victim is – if the data is there, it is by definition valuable to the victim, and thus a target. And even more efficient for hackers is targeting small businesses, which likely don't have the automatic and up-to-the-minute backup and restore system they could use to replace the locked version of their data. The only way out for many small businesses is to pay – and pay they do.
With a ransomware target painted squarely on their backs, small businesses need to take cyber-security more seriously than ever. Fortunately, there are some not too difficult things small businesses can do to avoid becoming a victim. From helping employees to identify e-mail threats to installing technology to keep threats away altogether, there are numerous things businesses must do to protect themselves.
For small business people, the most relevant form of measurement is the shoestring – as in, everything we do is by the shoestring. Shoestring budget, shoestring resources, shoestring assistance, shoestring strategising. That goes for cyber-security, as well. An enterprising entrepreneur who is concerned about getting attacked by cyber-thieves – attacked by ransomware, for example – is likely to do a lot of research on how to protect themselves, and try to pay as little for that protection as possible.
But experience has shown that there are some things it doesn't pay to economise on. Having worked with dozens of customers large and small, it's clear that cyber-security – even for a small business – is a full-time job. And that's not a job an entrepreneur who is juggling a dozen other things in running their business has time for.
It's not just my clients; ransomware has become the new go-to cyber-threat – because it works. Attacks by hackers that lock up data unless a ransom is paid shot up an unbelievable 6,000 percent worldwide in 2016 over the previous year. According to the FBI, hackers “earned” over a billion dollars in ransomware attacks in 2016, some five times over the amount they netted in 2015.
But despite the big numbers, it's small “customers” who may be suffering the most. According to one study, the average payment demanded by hackers for releasing a system was US$679 (£524) – an amount that seems paltry, almost, except when you put it in context with who the victims of these demands really are. There's reason to believe that small businesses are among the primary targets – perhaps even more than big businesses – of ransomware hackers. One study shows that in 2015, 43 percent of all cyber-attacks, especially ransomware attacks, targeted small businesses.
But big businesses have a distinct advantage over small ones: They can hire people to keep an eye on all the ways ransomware infiltrates an organisation, and work on ways to keep it out. Of course, like most malware, ransomware has its source in phishing messages that are passed onto a user's inbox. Whether it's in the form of a link to a malware-laden web page or an attachment loaded with bad code (macros, etc), hackers have a million ways of socially engineering their messages to fool users into clicking.
If that's the big threat – if socially engineered e-mail messages are the primary way for hackers to hoodwink ransomware victims – one would think that an entrepreneur working by himself or herself, or one who has five or six or even a dozen employees, would be able to secure their ship. Certainly they would never click on a rogue link themselves; and it should be a simple matter to warn a few workers not to do so either.
But that is not the case at all – and in fact, it could be that the lone entrepreneur is even more at risk than the secretary in a large organisation who spends his or her day processing e-mail messages. Involved as they are in every level of business, the small entrepreneur is perhaps easier to manipulate; a purported message from the tax man that for all the world looks like the real thing might divert their attention from the rules they need to observe in order to avoid attack, like checking the information on the form they receive: the address on the message (obviously, a message from HMRC is not going to come from the crazeeluv.net domain). In a moment of pressure or weakness, the entrepreneur might click on the very realistic-looking message – especially if, as sophisticated socially engineered messages often are, it is addressed directly to the recipient and contains information that is very relevant to them.
I've seen it happen a million times – well, at least a few hundred – with all sorts of clients. At a small hospital; a dry cleaner; a large defence firm; and many others. No-one, it seems, is immune to the call of social engineering. The excuses are, as one would expect: In a big business, employees are less committed to the company's cause, and figure that the IT department will save them. And in small businesses, pressure and lack of time to pay attention to cyber-details are the culprits.
In my opinion, the only way around this is to outsource cyber-security – not to a team, but to technology: products that enable organisations to detect and remediate security threats originating from their users' e-mail accounts by scanning attachments, contents and URLs.
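Putting the two checks the article mentions into defender-side code: the sender-address check from the tax-office example above (a display name claiming HMRC but an address on an unrelated domain) and the attachment scanning described here. This is an added example, not the author's or Votiro's code; the trusted-domain allowlist, the macro-extension list and the sample message are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed allowlist (constructed for this example): an organisation name as it
# might appear in a display name, mapped to the domains it should send from.
TRUSTED_SENDER_DOMAINS = {"hmrc": {"hmrc.gov.uk"}}
# Attachment types that can carry Office macros (the "bad code" the article mentions).
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm")

def domain_matches(domain, trusted):
    """True if domain is one of the trusted domains or a subdomain of one."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)

def check_message(raw):
    """Return a list of findings for one raw RFC 5322 message; [] means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Display name claims a known organisation but the address is from elsewhere
    for org, trusted in TRUSTED_SENDER_DOMAINS.items():
        if org in name.lower() and not domain_matches(domain, trusted):
            findings.append(f"display name claims {org!r} but From domain is {domain!r}")
    # Macro-capable attachments are flagged regardless of who the sender claims to be
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(MACRO_EXTENSIONS):
            findings.append(f"macro-enabled attachment {fname!r}")
    return findings

# Constructed lure modelled on the article's "message from the tax man" scenario
LURE = """From: "HMRC Self Assessment" <refunds@crazeeluv.net>
Subject: Your tax refund is ready
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached form to claim your refund.
--b1
Content-Type: application/octet-stream; name="SA100_refund.docm"
Content-Disposition: attachment; filename="SA100_refund.docm"

cGxhY2Vob2xkZXI=
--b1--
"""
```

`check_message(LURE)` returns two findings, the display-name/domain mismatch and the macro-enabled attachment, while a message from an allowlisted domain with no such attachment returns an empty list.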
Another successful strategy involves ensuring that backups are fresh and constant. By backing up data several times a day, businesses can ensure that, even in the event of a ransomware attack, they will simply be able to swap out their tainted data and systems for a clean copy. Ideal for this approach is an always-on cloud-based backup, which will allow entrepreneurs to revert to a specific point in time – before the attack compromised the system. And for those who can afford it, a full-service MSSP (Managed Security Service Provider) that takes the burden of dealing with threats off the shoulders of an organisation is a good strategy. For small businesses, an MSSP that offers à la carte services (managed firewall, intrusion detection, VPN, e-mail monitoring, etc) could be a good solution, with the small business or entrepreneur using the services they need and/or can afford.
And of course, common sense still comes into play. If pressure is causing mistakes that lead to ransomware attacks, then maybe it's time to hire some extra hands to help out. Too many small business people see cyber-security as an optional (if important) activity that needs to wait until the “important” work is done. For some, it may take a $679 hit to bring them to their senses – but by undertaking these steps it might be possible to learn the lesson of how to protect an organisation from ransomware a lot more cheaply.
Contributed by Itay Glick, CEO, Votiro
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.