Ransomware Is on the Rise: How to Protect Your Business

Preventing ransomware from holding your data and systems hostage requires both technological and HR strategies

I recently visited my local auto repair shop to fix my car but found the owner distraught and not serving customers. Cybercriminals had frozen him out of his system and taken down his phones after infecting his computers with ransomware. The hackers wanted $40,000 to unlock everything, and he had no idea what to do. And not long before that, the same thing happened to my accountant.

There’s a reason these attacks happened, and it’s not good news. Cybercriminals used to almost exclusively go after big companies with deep pockets but are changing their approach. Today, small businesses with fewer than 1,000 employees suffer 82% of these cyberattacks.

Why? Because smaller firms pay less attention to cybersecurity than large corporations and are thus easier targets.

Here’s a review of what ransomware is, the damage it can do, and how preventing or dealing with it requires proactive cybersecurity that includes employee policies and training.

Scoping the threat of ransomware

Ransomware is “a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files until a ransom is paid.” Criminals infect computers and networks through malicious email attachments or links leading to compromised websites and malware downloads.

Most of us have received suspicious emails or texts claiming to be a legitimate party looking to complete an order or warn us about an overdue payment. Many of these messages are from scammers or hackers trying to solicit personal information, but some also attempt to deliver ransomware.

Unfortunately, ransomware is a growing problem. The latest stats from the FBI’s Internet Crime Complaint Center show that “the number of incidents went up 20% in 2020 compared to 2019, but the average amount of money demanded per incident went up about 225%.” The cyber-risk assessment firm NetDiligence reports that the average ransom in 2021 was $751,000, which was “a thirty-fold increase” from 2017.

But as the experience of my auto mechanic shows, criminals will hit up small businesses for less and are now targeting them at a higher rate. Ransomware specialists Coveware have noted a “tactical shift” by criminals, including a “deliberate attempt to extort companies that are large enough to pay a ‘big game’ ransom amount but small enough to keep attack operating costs and resulting media and Law Enforcement attention low.”

Nevertheless, the ransom amounts and disruption are often significant enough to severely hurt smaller firms or even put them out of business entirely.

How businesses can prevent ransomware

Small companies may not have the resources of corporate behemoths, but there are effective steps they can take to protect themselves. And while some items require an investment in cybersecurity technology, many rely on shoring up human risks through training.

1. Use appropriate cybersecurity technology.

This effort includes setting up a firewall and using quality, up-to-date anti-virus and anti-malware software to protect all company computers that access company networks or sensitive data, including smartphones and other mobile devices. Make sure it scans all emails for threats. This guide compares some of the best options on the market.

2. Restrict access to sensitive files and executable programs.

Only the individuals who need to access certain programs and information should have it. Many IT managed service providers (MSPs) that specialize in serving small businesses can help with access control.

3. Always update software and hardware.

Those popup windows telling you to complete a software update may be annoying, but they’re crucial. Ransomware and other forms of malware often exploit hardware and software vulnerabilities that the creators have patched with updates.

Note, however, that some ransomware is delivered via fake emails or false software-update popups. Spotting the emails requires closely scrutinizing them for oddities in the body copy or sender’s address; the latter is usually ‘off’ compared to the legitimate provider’s true URL suffix. Better yet, you can ignore and avoid clicking on such messages altogether.

Fake popups can be harder to spot, but the solution is pretty simple: set software updates to “notify” rather than “automatic.” When a notification is received, go directly to the software provider’s secure site for any updates.

4. Back up, back up, and back up files!

Secure backups are the most critical ransomware protection. Because when a criminal holds data hostage, you can often say, “That’s ok, I already have it somewhere else.” Experts recommend backing up data with the “3-2-1 rule,” which means “having at least 3 copies of your information—one main copy and two backups.” These backups can be external drives kept in a separate location, and the backup process can be automated.

Also, most companies utilize major cloud storage providers that have pretty stringent security. Ensure that your provider offers data recovery features, including “versioning,” which creates “immutable” copies of your data at points in time.

5. Train your people!

The biggest cybersecurity risk is human behavior. A Kaspersky Lab and B2B International study of 5,000 businesses found that 52% “admit employees are their biggest weakness in IT security,” either from malicious acts or mistakes.

Thus, in addition to implementing access control, businesses must train employees to view emails and other messages with suspicion and never click on an unknown link from an unverified sender. They must also know to use virtual private networks (VPNs) that encrypt connections to outside networks, how to create strong passwords, and how to identify and avoid “phishing” and “vishing” scams that solicit sensitive info.

This helpful “Employee Security Awareness Checklist” covers many of the essentials.

Stay vigilant against ransomware and other threats — and be prepared to recover

Prevention is the best medicine when it comes to cybersecurity, but the growing pace of cybercrime means that many businesses will get hit by a successful attack. And the actions you can take after data is held hostage depend on the preparation you’ve conducted before the event.

Nevertheless, cybersecurity experts agree that the first step is isolating infected devices by removing them from the network and assessing the extent of the damage — how far has it spread, and what is locked down?

A panel of industry experts recommends other key steps, including checking the security of backups, communicating with law enforcement, customers, and other affected stakeholders, and, crucially, having and implementing a “cyber incident response plan.” Unfortunately, companies are prepared to different degrees, and some aren’t ready for an attack at all.

In many cases, victims will need to find a qualified, well-reviewed ransomware recovery specialist who can determine the extent of the attack and potentially recover data. (These experts or a business’s managed services provider can also help proactively craft an incident response plan.) But in this sense, preparation remains crucial: every organization should have a well-secured backup system, which can make the difference between ransomware being an annoyance and an existential threat.

Preparation also involves seriously considering cyber insurance, which is becoming a necessity in today’s threat environment. This category of coverage has evolved quickly in the past few years, and policies can vary significantly. But there are a few essentials to choosing an effective policy, including:

• Strongly consider first-party and third-party coverage. First-party policies cover direct “damages or losses” to a business. Third-party “protects customers or partners who might be affected by an attack or breach.”

• Closely evaluate coverage. What each type of insurance covers varies based on the policy and provider, but first-party generally safeguards against costs associated with “recovery of lost data, investigation services and business interruption coverage.” Third-party includes reimbursement for “any damages” to an affected party, “such as legal fees, settlement costs, or liabilities.”

• Understand exclusions and their implications. Given the risk and expense of ransomware and data breaches, most insurance providers are very specific about what is covered and what isn’t in a policy. And they typically won’t deal with businesses that lack adequate cybersecurity — or pay out if a policyholder fails to maintain it. Thus, closely scrutinize any agreement to understand its limitations and your obligations.

Finally, don’t forget the human element of preparation: companies must train their employees to spot threats and practice a culture of cybersecurity. This risk isn’t going away, and being ready for ransomware on other cyberattacks is now part of doing business.

Karp HR Solutions helps businesses master the mix of finance and human resources. Contact us today for a free consultation.