This is a low-cost, relatively simple attack tool that can be easily deployed against small and medium-sized businesses. “Ransomware as a Service (RaaS) is easy to purchase or deploy with little technical know-how,” Milborn tells CSO. As a result, small businesses are under-resourced and poorly protected. “It is important for small businesses to reconsider how they think about ransomware and put policies and technology in place to better protect themselves to avoid falling victim to it.”
In the event of an attack, businesses should seek professional support to manage the situation, especially considering that payment does not guarantee data recovery.
There are some sobering statistics about the impact of attacks. According to the Hiscox Cyber Readiness 2023 report, small and medium-sized businesses in the United States paid more than $16,000 in ransom money last year. “Ransomware is taking a huge toll on small and medium-sized businesses,” said Christopher Hozinowski, vice president of technology and cyber and product responsibility at insurer Hiscox, which serves more than 600,000 small and medium-sized businesses across the United States.
Of the companies surveyed that paid the ransom, only half ultimately got their data back, and half had to rebuild their systems. Additionally, a whopping 27% were attacked again and a further 27% were asked for more money, the study found. “Paying a ransom is never recommended,” Hozinowski said.
3. Seeing cybersecurity as just a technology issue
Sage said cybersecurity cannot be addressed by technology alone; it is in many ways a human issue. “Technology enables attacks, technology makes it easier to prevent attacks, and technology helps with post-attack processing. But for that technology to be effective, at least for now, it requires a knowledgeable human being,” Sage says.
This has implications for other issues such as lack of budget and lack of dedicated cybersecurity responsibilities. “These are significant challenges for SMEs, which end up relying on providers for support without guidance or clear direction on compliance frameworks,” says Iqbal.
Iqbal recommends that small businesses always refer to government resources for guidelines and best practices, and at least start with the recommended basic protections. For example, in the US, the Small Business Administration and the Federal Communications Commission both have information and resources, while the UK's National Cyber Security Center has guidance, and the Global Cyber Alliance (GCA) also has a small business toolkit. The Australian Signals Authority also provides a guide for small businesses.
Sage added that since most companies use Google Workspace or Microsoft Office 365, their respective knowledge bases are rich in information. Outside of these platforms, look to local sources for guidance. “Local community colleges, town and county small business centers and economic development departments should also be able to connect you to cybersecurity resources, as well as state commerce departments,” Sage told CSO.
4. Not adopting proper cyber hygiene
Developing good cyber hygiene habits should be easy, but in practice it is hit and miss. For example, Iqbal says it is very common for weak passwords to be allowed. Iqbal has also found default login passwords left unchanged, and all passwords for security servers changed to one password, with no separate administrative password. “Administrator accounts are the most lucrative accounts for attackers to compromise. It only has to be compromised once and the keys to the kingdom are exposed to all potential threat actors,” Iqbal says.
Although backups are widely implemented, small businesses often overlook the importance of backup testing. If your business is attacked and your backups fail, it can be catastrophic. “We want to be able to recover and mitigate damage from threat attacks, which means we need to have reliable backups that are checked to ensure they are not corrupted or have other issues,” says Iqbal.
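One way to run the kind of backup check described above, as an added example that is not from the article: read every file back out of a tar backup and compare it with SHA-256 hashes recorded when the backup was taken. The tar format, the manifest layout, the function names and the sample files are assumptions constructed for illustration.

```python
import hashlib
import io
import tarfile


def sha256_stream(fh, chunk=1 << 20):
    """Hash a file-like object in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    for block in iter(lambda: fh.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest()


def verify_backup(archive, manifest):
    """Read each file back out of a tar backup and compare it with the manifest."""
    report = {"readable": True, "corrupted": [], "missing": [], "unexpected": []}
    seen = set()
    try:
        with tarfile.open(fileobj=archive, mode="r:*") as tar:
            for member in tar:
                if not member.isfile():
                    continue
                seen.add(member.name)
                if member.name not in manifest:
                    report["unexpected"].append(member.name)
                elif sha256_stream(tar.extractfile(member)) != manifest[member.name]:
                    report["corrupted"].append(member.name)
    except (tarfile.TarError, EOFError, OSError):
        report["readable"] = False  # truncated or damaged archive
    # Anything in the manifest that was never read back counts as missing.
    report["missing"] = sorted(set(manifest) - seen)
    problems = report["corrupted"] or report["missing"] or report["unexpected"]
    report["ok"] = report["readable"] and not problems
    return report


def build_sample_backup(files):
    """Constructed sample data: tar {name: bytes} in memory, record hashes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue(), {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}


if __name__ == "__main__":
    data, manifest = build_sample_backup({"finance/ledger.txt": b"Q3 ledger", "hr/payroll.csv": b"id,amount"})
    for label, blob in (("intact", data), ("bit rot", data.replace(b"Q3", b"Q4")), ("truncated", data[:600])):
        print(label, verify_backup(io.BytesIO(blob), manifest))
```

The manifest is only useful if it is stored separately from the backup it describes, so that damage to one does not silently take the other with it.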