By now, you’ve almost certainly heard about ransomware — a form of cyber-attack in which hackers encrypt systems, steal data then demand a ransom payment to end the attack. While ransomware has been around for a while now, attackers have started setting their sights on bigger and bigger targets, gaining international media attention in the process.
But the reason businesses should be paying attention to ransomware is not because big corporations are shelling out millions of dollars in ransom payments. Instead, when you look at the bigger picture, small businesses are the ones who will continue to bear the brunt of these attacks. According to the Secretary of Homeland Security Alejandro Mayorkas, there has been a 300% increase in ransomware attacks in the past year and 50-70% of those attacks were directed against small and medium sized businesses. And while a cyberattack is tough for any businesses to recover from, the threat ransomware poses to small businesses is existential, with 60% of small businesses failing within 6 months of a cyber-attack.
Because the threat is so big and the stakes are so high, governing ransomware risk needs to be a top priority for small businesses. And in order to protect your organization, there are two vital areas that need to be focused on: systems controls and organizational culture.
1. Endpoint detection and response
Endpoint detection and response (EDR) is a type of security software that actively monitors endpoints like phones, laptops and other devices in order to identify any activity that could be malicious or threatening. Once a potential threat is identified, EDR will automatically respond by getting rid of or containing the threat and notifying your security or IT team. EDR is vital today in order to stay on top of potential threats and put a stop to them before they can cause any damage.
2. Hardening your RDP Ports
Remote Desktop protocol is a tool that allows someone to connect to a computer remotely. This can be useful, but more and more ransomware attackers are using RDP ports to gain access to victims’ systems. Organization that do not actively use RDP should therefore consider disabling the feature or limiting to users and devices that are not connected to public internet.
Having a back-up of your systems could allow you to regain access to your data without having to pay the ransom. However, it’s essential to have an effective back up strategy in order to ensure the attackers don’t steal your backups along with everything else. At minimum, at least one backup should be stored offsite. You should also utilize different credentials for each copy of your back-up. Finally, you should regularly test your back-ups to ensure you will be able to quickly and effectively get your systems online if an attack happens.
Lastly, using multi-factor authentication (MFA) is a simple yet powerful tool for stopping the bad guys from using stolen credentials. At minimum, any user accessing your network should be using MFA. In addition, all users with administrative privileges need to use MFA, whether they are accessing your network remotely or on premise.
Don’t Forget Culture
When it comes to governing ransomware risk, the best way to prevent attacks is to focus on creating a culture that incorporates cyber-secure behaviors into every day practices. However, the biggest issue many organizations face when creating a cybersecure culture is sustaining those behaviors overtime. In order to properly govern ransomware risk, behavior change requires 4 essential elements:
1. Consistent Communication
We get it, cybersecurity can be confusing. And as the threat landscape changes, so do our cybersecurity policies. That’s why it’s so important that business leadership consistently communicate with their employees about the behaviors you want to see.
2. Make it Easy
When thinking about the behaviors you want employees to adopt, it’s vital you make these behaviors as easy as possible to do. Everyone is being pulled in a million different directions at once, so if an employee has to take 10 minutes out of their day to figure out how to report a phish, they aren’t going to follow through. If, however, you provide a simple and easy-to-use process, you’re going to have a much easier time getting employees to adopt new behaviors.
3. Help People feel Successful
People want to feel like the work they are doing is making a difference. If they feel like what they are doing just doesn’t really matter all that much, there isn’t going to be much motivation to continue doing it. That’s why it’s so important to help people feel successful when they follow through on the behaviors you want to see. Providing positive feedback, for example, can go a long way towards creating behavior change. If your employees know their work is being recognized and feel it makes a difference, they will be much more likely to keep it up.
4.Walking the Walk
The above three elements for creating sustained behavior change have one thing in common: you. A leadership team can’t simply talk the talk. Change starts at the top and requires you and your leadership team take an active role ensuring these behaviors become a part of the organizational culture and value structure.
There’s no doubt that ransomware poses a big threat to small businesses, and the best thing you can do govern the risks of attack is focusing on creating a culture in which cybersecurity is valued and acted upon every single day.
Ever since Apple announced new privacy features included in the release of OS 14, Facebook has waged a war against the company, arguing that these new features will adversely effect small businesses and their ability to advertise online. What makes these attacks so “laughable” is not just Facebook’s disingenuous posturing as the protector of small businesses, but that their campaign against Apple suggests privacy and business are fundamentally opposed to each other. This is just plain wrong. We’ve said it before and we’ll say is again: Privacy is good for business.
In June, Apple announced that their new mobile operating system, OS 14, would include a feature called “AppTrackingTransparency” that requires apps to seek permission from users before tracking activity between others apps and websites. This feature is a big step towards prioritizing user control of data and the right to privacy. However, in the months following Apple’s announcement, Facebook has waged a campaign against Apple and their new privacy feature. In a blog post earlier this month, Faceboook claims that “Apple’s policy will make it much harder for small businesses to reach their target audience, which will limit their growth and their ability to compete with big companies.”
And Facebook didn’t stop there. They even took out full-page ads in the New York Times, Wall Street Journal and Washington Post to make their point.
Given the fact that Facebook is currently being sued by more than 40 states for antitrust violations, there is some pretty heavy irony in the company’s stance as the protector of small business. Yet, this is only scratches the surface of what Facebook gets wrong in their attacks against Apple’s privacy features.
While targeted online adverting has been heralded as a more effective way for business to reach new audiences and start turning a profit, the groups that benefit the most from these highly-targeted ad practices are in reality gigantic data brokers. In response to Facebook’s attacks, Apple released a letter, saying that “the current data arms race primarily benefits big businesses with big data sets.”
The privacy advocacy non-profit, Electronic Frontier Foundation, reenforced Apple’s point and called Facebook’s claims “laughable.” Start ups and small business, used to be able to support themselves by running ads on their website or app. Now, however, nearly the entire online advertising ecosystem is controlled by companies like Facebook and Google, who not only distribute ads across platforms and services, but also collect, analyze and sell the data gained through these ads. Because these companies have a strangle hold on the market, they also rake in the majority of the profits. A study by The Association of National Advertisers found that publishers only get back between 30 and 40 cents of every dollar spent on ads. The rest, the EFF says, “goes to third-party data brokers [like Facebook and Google] who keep the lights on by exploiting your information, and not to small businesses trying to work within a broken system to reach their customers.”
Because tech giants such as Facebook have overwhelming control on online advertising practices, small businesses that want to run ads have no choice but to use highly-invasive targeting methods that end up benefitting Facebook more than these small businesses. Facebook’s claim that their crusade against Apple’s new privacy features is meant to help small businesses just simply doesn’t hold water. Instead, Facebook has a vested interest in maintaining the idea that privacy and business are fundamentally opposed to one another because that position suits their business model.
At the end of the day, the problem facing small business is not about privacy. The problem is the fundamental imbalance between a handful of gigantic tech companies and everyone else. The move by Apple to ensure all apps are playing by the same rules and protecting the privacy of their users is a good step towards leveling the playing field and thereby actually helping small business grow.
This also shows the potential benefits of a federal, baseline privacy regulation. Currently, U.S. privacy regulations are enacted and enforced on the state level, which, while a step in the right direction, can end up staggering business growth as organizations attempt to navigate various regulations with different levels of requirements. In fact, last year CEOs sent a letter to congress urging the government to put in place federal privacy regulations, saying that “as the regulatory landscape becomes increasingly fragmented and more complex, U.S. innovation and global competitiveness in the digital economy are threatened” and that “innovation thrives under clearly defined and consistently applied rules.”
Lastly, we recently wrote about how consumers are more willing to pay more for services that don’t collect excessive amounts of data on their users.This suggests that surveillance advertising and predatory tracking do not build customers, they build transactions. Apple’s new privacy features open up a space for business to use privacy-by-design principles in their advertising and services, providing a channel for those customers that place a value on their privacy.
Privacy is not bad for business, it’s only bad for business models like Facebook’s. By leveling the playing field and providing a space for new, privacy-minded business models to proliferate, we may start to see more organizations realize that privacy and business are actually quite compatible.
Business ID theft is not a new problem. Dun and Bradstreet, a data analytics company that handles credit checks for many businesses, reported a 100% increase in ID theft against businesses in 2019. This year, however, the problem has grown out of control, with a stunning 258% spike in business identity theft since the beginning of 2020. This is in large part directly related to the COVID-19 pandemic, because scammers will steal business information to illegally gain access to relief funds and loans.
According to reports, there are groups of cyber scammers that target small businesses for ID theft throughout the United States. The groups will start by looking up business records through the Secretary of State website, identity the officers and owners connect to the company, then find corresponding tax ID and social security numbers on the dark web. These groups will then forge official documents with this information and submit them to the Secretary of State with a mailing address that they control. Traditionally, they will use these documents to update profiles on credit monitoring sites, like Dun and Bradstreet, and apply for credit lines with companies like Staples, Home Depot and Office Depot. Now, however, these groups have switched their tactics and are carrying out business ID thefts for COVID-related federal assistance, such as unemployment payments or relief loans for small businesses.
As we’ve wrote about before, hackers and scammers will often take advantage if times of crisis, confusion, and uncertainty in order to make money or seed further chaos. Given the dramatic rise of business ID theft throughout the COVID pandemic, small businesses should take steps to protect themself against this threat. The most effective way to detect and prevent ID theft is to regularly monitor and update your business information. This includes keeping an eye on your financial records and credit lines to spot potential fraudulent activity, as well as checking your business records with the federal and state government. If you spot a any changes your records that you don’t recognize, it’s a likely sign someone is in the process of stealing your business’ identity.
It can be hard to regularly monitor your records and stay vigilant when you are trying to keep your business afloat throughout the pandemic, but this is exactly what scammers are hoping for. You don’t need to be checking your credit report every single day, but it is essential to keep as close an eye as possible on your records to ensure you and your business are protected from fraud.
In October, the FBI warned that ransomware attacks are becoming “more targeted, sophisticated, and costly.” Now, a new survey shows that small business are baring the brunt of these attacks, with 46% reporting that they have been targeted.
Ransomware is a form of cyber attack in which the attacker steals or encrypts the victim’s data and demands payment in order to regain access to that data. The new survey highlights two issues that small businesses in particular at a high risk for further attacks and even irreparable data loss.
1. No Data Protection in Place
Perhaps the most troubling trend the survey found is that 20% of small business do not have data protection systems in place. Using solutions such as data backup or disaster recover tools are essential for a variety of potential issues, but especially for ransomware. According to Russell P. Reeder, the CEO of the company behind survey, “every modern company depends on data and operational uptime for its very survival…Data protection and operational uptime have never been more important than during the unprecedented times we are currently facing.”
With a strong backup system that is tested regularly, small businesses faced with a ransomware attack are in better position to recover their data without succumbing to the demands of the attackers. Without proper data protection systems in place, however, businesses are left in the hands of the bad guy, with no other means to recover their data. And the truth is, the more small businesses that leave themselves unprotected, the more they will be targeted. Ransomware attackers are looking for easy money, and are therefore far more likely to target those who leave themselves the most vulnerable.
2. To Pay or Not to Pay
The survey also found that a whooping 73% of small businesses targeted by ransomware opted to pay the ransom in order to get their data back. One reason for this is that, if a business does not have proper data protection in place, the cost to restore data may end up being more costly than simply paying the bad guys. However, this solution is misguided on a number of fronts.
First of all, there is no guarantee that paying the ransom will result in regaining all or even any of the data stolen. The survey found that 17% of those who paid the ransom did not recover all of their data. Secondly, paying the ransom is a short-term solution to a long-term problem. Paying the ransom signals to attackers that they can squeeze money out of that business in the future. Reporting by ProPublica also found ransomware payments were substantially lower than they are now, and that the number of businesses willing to cough up the dough has led to an increase in the price of the ransom.
Prevent and Defend
In order to defend against ransomware attacks, small businesses should first and foremost ensure they have strong data protection solutions in place. However, this is only one piece of the puzzle. Taking measures such as awareness training can help prevent these attacks in the first place. Ransomware attackers often gain access to systems through malware installed via phishing campaigns. If you and your staff are properly trained to spot deceptive practices, you already have a leg up on the bad guys. Attackers also hope that their victims will panic and make rash decisions. There is no question that falling victim to ransomware is scary stuff, but taking a few breaths, reviewing your options, and responding rationally might help keep your money and data in your hands and prevent further attacks from taking place in the future.