Ransomware Myths Businesses Need to Immediately Stop Believing!

Despite all the daily ransomware headlines, most small and medium-sized businesses (SMBs) don’t consider themselves to be at risk from cyberattacks. Smaller organizations are in fact prime targets! Ransomware authors have upped the ante in their methods to ensure they get paid. For example, instead of just encrypting all of your data, most of the ransomware groups are now threatening to expose or sell the data stolen in a breach. This means an attacked business could have to pay heavy fines for PCI, HIPAA, GDPR and other regulation violations.

In some cases, paying the ransom might be the most cost-effective (and least publicly embarrassing) option. But what if your business can’t afford to pay the ransom? What if the downtime from the attack is too much to recover from? What’s the long-term business impact? I'm talking about the psychological and emotional toll on not just your employees...but your customers! Will they ever trust you again?

Here are the 3 most common myths about ransomware that businesses need to immediately stop believing so they can start protecting against it.

Myth #1: My company isn't big enough for attackers to notice

Wrong! Every business is a target for ransomware, no matter the size. The international insurer Hiscox released a report showing that, since 2018, up to 86% of SMBs have reported being victims of ransomware each year. And according to the 2020 report released by Verizon, “[Ransomware] is a big problem that is getting bigger, and the data indicates a lack of protection from this type of malware in organizations.”

I’ve listed this myth first because it’s probably the most dangerous one that people tend to believe. For most small to mid-sized organizations, a single cyberattack could literally put them out of business. Larger enterprises typically have bigger security budgets and an IT department, and they'll most likely have more advanced methods for mitigation and recovery, allowing them to not just survive an attack but fully recover with minimal impact. Unfortunately, smaller businesses may have no way of making up for the loss of time and revenue, and the damage to customer trust, that an attack would cause.

Radware conducted a survey to investigate the cost of cyberattacks on businesses. The study revealed that 43% of participating companies said they had experienced negative customer experiences and reputation loss as a result of a successful cyberattack. Previous studies suggest that as many as one third of customers will stop doing business with a company that has experienced a data breach. A study by Gemalto paints an even bleaker picture. In a global survey of 10,000 individuals, 70% claimed they would stop doing business with a company that had experienced a data breach.

The hard fact is ransomware is not going away, and it’s only getting more costly for SMBs. Businesses can’t afford to underestimate this risk and need to start taking this threat very seriously.

Myth #2: There is no way to properly prepare for a ransomware attack

The sad truth in today’s constantly connected cyber world is that an attack is practically inevitable. I've spoken on stages and at conferences across the nation over the last 20 years, and during just about every one I've stated "it's not a matter of if you're attacked or have an outbreak...but when." The idea is to get people to start thinking about reducing the likelihood of an attack, and making sure their data, critical or otherwise, is protected in the event an attack actually succeeds.

If you're not sure where to start, here are a few steps you can take now.

  1. Test your existing security posture
    You've most likely paid someone a nice chunk of change to secure your environment; perhaps you even have an internal IT department with a security specialist. Fantastic! When was the last time you (or they) ran an actual ransomware test against those protective measures? Not just a vulnerability scan; I'm talking about an actual assessment using the same methods the attackers use. If your contractor/consultant or your IT department doesn't have this ability, register for our free assessment. You have nothing to lose by testing.
  2. Proactively defend against ransomware attacks
    Ransomware typically gets into an organization by tricking a user into downloading a file or enabling macros. This allows the attackers to install their agent, which is how they begin reconnaissance on and in your environment. The actual attack is rarely performed immediately, hence the need for constant (24x7) monitoring. By using a reliable endpoint protection solution (which you probably already have) along with constant monitoring (which you probably don't have), your business stands a much better chance of fending off an attack. The attackers do things that a good monitoring service should pick up on and, hopefully, block instead of just sending out an alert and leaving the response up to someone else.
  3. Protect your data
    The ransomware business model works because losing access to your data can cause serious damage. Hopefully you already have a strong backup solution in place. If you're relying on your end users to manage their own backups, you're asking for trouble. Your backup solution should be comprehensive and include all of your devices and data. There are a few great options out there and we would be happy to assist. Or if you'd rather do it on your own...you can check out Datto, Carbonite, and even look into what you may have in your Microsoft suite licensing.

If you still have questions and would like to discuss which layers of security your business should have...I'd recommend starting with the free risk assessment so we can get a true picture of what your current security posture is today.

Myth #3: I have a backup, so I’m safe

If your business gets hit with an attack, you can and should expect some downtime. If we accept the maxim “time is money,” then any amount of downtime is costly and potentially damaging. Having backups in place is crucial, but you also need to be able to quickly recover the data you need from safe backups that haven’t also been infected with the ransomware. Yes, the attackers will try to infect or corrupt your backups prior to initiating the attack.

One way to help secure your backups is to enable 2-factor (2FA) or multi-factor authentication (MFA) for your backups.  Actually...I'd recommend this for everything that supports it, but we're just talking about backups now, so I'll get back on track.  If your backups don't have or allow the option for 2FA/MFA then we should seriously discuss looking into something that meets your needs and supports 2FA/MFA.

Larger organizations will typically have more resources to invest in redundant servers, secondary locations, off-site storage, etc., but these typically come at a cost out of reach for most SMBs. If that sounds like you, you’re not alone. We recommend you look into some of the disaster recovery as a service (DRaaS) offerings from someone like Datto or Carbonite so you can leverage the cloud to ensure your critical business systems are online and accessible, no matter what happens on your local network.

Next Steps

Using a combination of proactive prevention and recovery is key for staying cyber resilient. If you start working to address the ideas outlined in this blog, you’ll greatly improve your chances of avoiding a ransomware attack, and of getting through it successfully if you do happen to get breached.

The recommendation for constant monitoring is one of the reasons we at London Security partnered with Blackpoint Cyber in order to provide Security Operation Center (SOC) services that are 24/7/365. This was something we did ourselves, but that was pretty taxing even for us. So we partnered with Blackpoint to not only provide this service to our customers, but to also provide this service for us. You can never appreciate the true value of having automation and actionable capabilities until they're proven in protecting your environment. Then and only then will you become a true believer.

If a security event is flagged at 1 AM on a Saturday morning, you shouldn't rely on an alert being logged or sent to whomever you have assigned, and then hope they respond in time to investigate and remediate the issue before your business is fully compromised. When every minute counts...you can't afford to wait an hour for a response.