Many of us check to see if our doors are locked before we go to bed. We might be pretty sure it’s already locked, but we know it’s worth double checking just in case. It’s common sense. That’s why it’s so surprising to see, according to a recent UK report, that only a third of businesses check their own cyber security locks by conducting a cyber risk assessment.
Throughout the report, there is a stark contrast between the amount of breaches companies are experiencing and the measures they are taking to prevent these breaches from happening. For example, the report found that nearly 40% of business surveyed reported at least one attack or breach within the past 12 months. What’s more, for many of these businesses, a breach is not a one and done experience. Half of the organizations that were attacked said they’ve experienced an attack once a month and a quarter of these businesses report attacks on a weekly basis.
If your home was being broken into on a weekly basis, you’d probably start double checking those locks. Yet, according to the report, businesses are not taking the necessary steps to protect themselves. In addition to the lack of cyber risk assessments, only 33% of businesses have a formal cyber security policy. And while phishing scams accounts for 83% of the attacks businesses reported, only 14% of businesses have conducted any sort of cyber awareness training within the past year.
In a blog post on the report, Phillip Virgo makes the important point that cybersecurity measures need to be considered within the context specific to a business’ size and industry. And he’s right, there is no one size fits all approach to cybersecurity. In order for any sort of protections to be useful, it’s vital those measures are not only suited to an organization’s size and industry, but also aligns with their specific business strategy.
At the same time, however, this doesn’t mean there aren’t steps every business should be taking to protect themselves and a risk assessment is a good way to start. Anything less isn’t just leaving your door unlocked, it’s leaving the door wide open with a welcome mat out front.
The prominence of ransomware within the already crowded cyber threat landscape has been in the headlines for the past few years. But what you won’t see in the headlines is the fact that small businesses are the ones bearing the brunt of the onslaught. Ransomware is a form of attack in which hackers encrypt or steal your data then demand a ransom before giving you back access. And, according to Coveware’s ransomware report for Q1 of 2021, 73%of all reported ransomware attacks this year targeted businesses with under 1,000 employees. Of course, there are plenty of large companies that have to deal with ransomware, but it’s high time we start looking for solutions to the very real threat that small businesses across the country are grappling with.
There are a number of reasons ransomware attackers focus their efforts on small businesses. For one, these attackers are opportunists. They’re not looking to crack the toughest systems, they’re looking for a quick buck. Since small businesses probably don’t have the sophisticated and expensive security tools in place that big corporations do, the bad guys see them as easy pickings.
Another big reason small businesses are targeted by ransomware is because the consequences of having their system’s shut down are far more costly for small businesses. According to Coveware, the average downtime following a ransomware attack is 23 days — up 10% from Q4 of 2020. Last year a small business in Kansas with only 8 computers was hit with ransomware and paid the hackers $150,000 for to regain control of their systems. Explaining why the company decided to pay the company’s CFO said, “If we don’t pay them, we don’t have a way out of this, and business just stops, so it’s quite a scary situation.” While cybersecurity experts tend to advice companies not to pay ransom, and new evidence shows 92% of companies never get their data back after paying, the stress, fear, and consequences of being down may be enough to give into the demands.
When it comes to ransomware and small businesses, it’s clear the stakes are high and only getting higher. It’s essential we start focusing our efforts on helping these businesses take reasonable and affordable steps that can help prevent attacks and protect their data.
To help, use the acronym R.A.N.S.O.M for 6 simple steps that can go a long way toward preventing and protecting your small business against ransomware:
Remote access protections and patching
Given the rise of remote work since the pandemic, hackers are increasingly using remote access to install malware. Having remote access protections in place is therefore essential for preventing an attack. Even simple steps like robust firewall settings and requiring the use of VPNs and adding Endpoint Detection and Response can go a long way to keeping attackers out.
In addition, hackers are constantly looking for vulnerabilities in the software we rely on to run our businesses. All those software updates may be annoying to deal with, but they often contain important security features that “patch up” known vulnerabilities. At the end of the day, if you’re using out of date software, you’re at an increased risk for attack.
Administrative privilege limits
Setting limits on administrative and access privileges is another important way to protect your data. Every employee should only have access to the systems and information they need to preform their work. Too many businesses give employees more access than they need. If a hacker gains access to one of your employee’s accounts and there aren’t access limits set, then the hackers can move freely through your systems, changing settings and accessing sensitive data
It’s important to keep different elements of your network separate from each other so you can control how information flows from one to the others. Similar to privilege limitations, this will help ensure that anyone who breaks into your systems can’t then use that access to move around your networks.
Security awareness training
Phishing and social engineering attacks are common ways attackers gain access to your systems and install ransomware. Unfortunately, phishing attacks are not something you can fix with a piece of software. Instead, its essential employees are provided with the training they need to spot and report any phish they come across. Sometimes it only takes one wrong click for the bad guys to worm their way in.
Offline backups and periodic testing
This is a big one. If you suffer a ransomware attack, having a backup of your systems may enable you to get you back up and running without having to pay or start over from scratch. However, when making backups it’s important to takes a few steps to ensure you can rely on them. For one, backups need to be stored offline in order to prevent hackers from gaining access to them as well. Second, it’s necessary to periodically test your backups to ensure they are working currently. You don’t want to be in the position of needing your backup only to find the whole thing is corrupted!
Finally, requiring multi-factor authentication can go a long way to prevent an attack. If an employee’s login credentials are stolen, MFA adds an additional layer of protection that may prevent the bad guys from getting into your systems.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.