Small businesses are under threat from a persistent menace in the form of ransomware. The ransomware threat is so prevalent it was recently added to Merriam-Webster’s online dictionary. Its ability to creep through the business ecosystem and quickly strangle productivity is causing huge issues for the very enterprises many rely on to put dinner on their table.
Of course, ransomware is a tricky beast, but much of the problem seems to lie with SMEs themselves: a lack of education, knowledge and a feeling of helplessness. This epidemic was laid bare in our Second Annual State of Ransomware Report with Osterman Research which showed this type of cyber-crime appears to be thriving here in the UK. This is due to a willingness by small to medium businesses to pay out when their data is compromised.
Of the SMEs we surveyed, 62 per cent of UK businesses said they would consider paying a ransom. This is compared to 84 per cent of French businesses which said they wouldn’t.
Given these findings, it’s safe to say hackers may be incited to target British businesses specifically, as they can expect ransom demands being paid more regularly. To make matters worse, compared to other geographies, the UK lacks the most confidence in their abilities to fight ransomware: almost 20 per cent of businesses have little or no confidence that they could stop attacks, compared to a global average of 10.7 per cent.
An actual ‘attack’ is just the beginning
What is important to understand is that the scourge of ransomware does not start and end with data simply being seized and a ransom demanded. In fact, the time spent trying to get systems back online and the consequent revenue lost can be a source of much company anguish. Our report details that of the businesses affected by ransomware in the UK, many organisations were left stranded for up to 100 hours, completely unable to operate and, in turn, service clients or run products.
Unsurprisingly, this is something that few businesses could afford. Adding insult to injury, British businesses were found to be the worst compared to the rest of the world at identifying the source of ransomware, which may explain why some were left inoperable for so long.
These are issues that should weigh on companies of all sizes, yet SMEs should be particularly alarmed, as cash flow is inevitably going to be more of a concern. A notoriously unpredictable element of running a business, a lack of cash in the bank poses various challenges to companies still in their infancy. Often, this can result in erratic business processes, making it difficult to forecast monthly sales and pre-empt losses.
In the case of a ransomware attack the cost of downtime can be lethal for an SME, which may not be able to withstand an extended period of ceased trading.
Indeed, in the UK, only three per cent of organisations described their downtime from ransomware infections as ‘minimal’ (lasting up to an hour), with 25 per cent saying that it lasted between one and eight hours. Most alarmingly, however, over 70 per cent reported that downtime lasted for more than nine hours. Concurrently, only 13 per cent of ransom demands in the UK asked for more than $10,000, so it’s reasonable to conclude that downtime proved the costlier consequence of a ransomware attack.
On top of this, shadow IT in the form of Bring-Your-Own-Device (BYOD) is often more prevalent within SMEs, potentially making a company more susceptible to ransomware attacks. This is because the practice often encompasses the use of applications by employees without the knowledge or approval of the technology team. This often means they are not in line with a company’s requirements for data management, security, and compliance.
Because of this, something as simple as a phishing scam opened on a personal email account, can bring a company’s entire network down.
Protection against cyber threats must be a priority
So, what’s the solution? The Chartered Institute of IT’s post-mortem report into the WannaCry attack concluded that a lack of accountability and investment in cyber-security was at the root of the problem. Specifically, it said that although hospital IT teams did their best with the limited resources they had available, they lacked access to ‘trained, registered and accountable cyber-security professionals with the power to assure hospital boards that computer systems were fit for purpose’.
In order to adequately protect against ransomware, SMEs must adopt a layered approach to security, employing both an anti-virus for traditional threats and anti-malware for the more advanced. What’s more, all staff members must understand the gravity of the threat posed by outdated software.
That guidance applies equally to smaller-scale organisations. Systems have to be fit for purpose – as do the individuals responsible for it. That requires clearly understood chains of accountability, an educated workforce that is alert to the threat posed by outdated software, bad internet habits and the introduction of personal devices into the corporate IT estate, and clearly defined responsibilities from senior management down.
It also requires ensuring that the best technology is in place, capable of helping to protect the organisation from a cocktail of possible attack vectors. This means having a robust and holistic security posture that covers anti-virus solutions for traditional threats, anti-malware for the more advanced attacks, and anti-exploit software to identify and plug the holes in standard enterprise software (Internet Explorer being the obvious example).
It is also worth considering why UK SMEs have such little confidence in their abilities to fight ransomware. It’s not clear exactly why UK businesses are the most likely to pay ransom demands – but the WannaCry attack on the heart of the cherished and highly sensitive NHS certainly created an elevated sense of fear that may not be seen elsewhere.
Organisations like London Digital Security Centre which have been set up to advise organisations and promote awareness are good first steps. But the real answer will lie with business owners themselves.
They must ensure they are properly protected, and understand that when a cyber-attack starts, it is exactly the same as being burgled. They must ensure their businesses are ringfenced and guarded at all times to ensure they are not hit hard and ultimately suffer as a result.
Marcin Kleczynski is CEO and founder of Malwarebytes.