It seems even dragon-based economies are not immune to ransomware attacks. At the time of writing, HBO was facing down a group of hackers who claimed to have 'kidnapped' 1.5 terabytes of proprietary and confidential data – including details of yet to be broadcast episodes of Game of Thrones, and the personal details of its stars.
In the process, the hackers reminded us that cyber-blackmail is a lucrative business. They claimed to earn £9 million to £11 million a year from blackmailing organisations, and told us that HBO is their 17th target to date. Only three have refused to pay up so far, they claim.
HBO – like Sony before it – is an obviously attractive target. In this case, money, kudos and the fate of Jon Snow are all in the mix. But the presence of such potentially rich pickings doesn't diminish the threat faced by SMEs: there is no safety in (small) numbers; no refuge in flying under the radar.
According to Malwarebytes' second Annual State of Ransomware Report, in which we spoke to individuals responsible for (or knowledgeable about) cyber-security issues at SMEs around the world, most small or medium-sized organisations in the UK have experienced several different security attacks and data breaches in the past year. And more than a third have experienced a ransomware attack.
These organisations aren't being hit with demands for a king's ransom. At this level, attackers appear to be going for several small hits rather than one big takedown. The average demand was £700 or less, and only 13 per cent of ransom demands made of UK-based organisations were more than £7,000.
But it's the consequent operational chaos that really damages SMEs. For more than 15 per cent of those surveyed, a ransomware infection caused more than 24 hours of downtime.
A small number even reported more than 100 hours without their IT systems – with customers, suppliers, staff, partners and vendors all being affected. At about a fifth of survey respondents, staff resorted to personal laptops, phones and tablets to get around the absence of corporate IT – itself a security risk if not managed effectively.
But the bigger worry is the one in five organisations who said they had had to stop all business operations immediately after a successful attack, and the same number who reported lost revenues after they were hit.
Of course, many ransomware attacks are in fact elaborate hoaxes. When UK firms chose NOT to pay the cyber criminals' ransom demands, it led to a permanent loss of files in less than half of all cases. In Germany and France, firms were even less likely to lose files from their decision not to pay.
Still, organisations in the UK are the most likely to hand over the cash. Nearly 40 percent of UK decision-makers feel they should meet the kidnappers' demands, compared to 21 percent in the US, 16 percent in France and 17 percent in Germany.
There is also an interesting contradiction in the way UK firms feel about their defensive capabilities, and the amount they invest in protecting their organisation. Seventy-one percent of firms say that addressing the ransomware problem is a top priority; 68 percent are investing in resources, technology and funding to address the problem; and 53 percent are investing in education and training for end users.
Most UK firms have deployed email security to address ransomware and have regular, on-premise backups of data so they can restore ransomware-infected machines to a known good state as quickly as possible. Many have also implemented network segmentation, the use of outsourced security providers, on-premise ransomware-detection solutions, and regular, cloud-based backup capabilities.
But despite these investments, less than ten percent of UK firms are very confident about their prospects for stopping ransomware attacks. Twice that number had little or no confidence. And businesses won't be the only ones affected by this; we need to consider what's next for ransomware. For instance, utilities and airline ticketing systems are both in the crosshairs of ransomware and, if affected, could have even greater consequences for society at large.
And so, the debate about how best to address the ransomware problem carries on. Educating people? Or a more technology-focused approach?
The truth is, it's both. More than a third of firms have no idea how ransomware enters their organisation. That in itself is a good argument for directing resources to investigating the weak links, developing defensive strategies in response, and arming your people with knowledge and tools to deal with it.
Justin Dolly, EVP, chief security officer and CIO at Malwarebytes
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.