Ransomware Myths SMBs Need to Be Familiar With
Ransomware attacks are growing so quickly that alarm bells should be going off at every company. No one is safe, and experts predict 2022 will be a devastating year for ransomware. This should come as no surprise: attackers no longer need to write their own ransomware. They can rent it, launching an attack through a ransomware-as-a-service (RaaS) platform that supplies the malware, the payment infrastructure, and the leak site in exchange for a cut of the ransom.
Ransomware attacks have peppered recent headlines. Companies including Acer, CNA Financial, Colonial Pipeline, JBS USA, Kaseya, and a range of universities, health companies, and US government departments have all been victims. While attacks on enterprises make the news, countless SMBs suffer as well. According to Hiscox, over 85% of SMBs are ransomware victims.
Attackers have found that certain techniques pay better, and as such there has been a steady uptick in supply chain attacks (one compromised vendor or managed service provider yields many victims at once) and double extortion attacks (data is exfiltrated before it is encrypted, so the attacker can threaten to publish it even if you restore from backup). The common root causes have not changed: unpatched systems and phishing emails. Since SMBs have fewer resources, there is a higher likelihood that systems will go unpatched and that employees won't be trained to spot phishing.
Businesses do what they can, or what they think they should, to protect themselves. They buy tool after tool based on reviews, reports, and articles. While that is a well-intentioned effort, too often it lulls companies into a false sense of security. Compounding the problem, some dangerous myths have taken hold across the security sector.
Below, we’ll look at the top four myths and break down why they are wrong.
Myth 1: Paying the ransom solves your problem
Let's say you are ready to shell out the money and pay the ransom, which, according to a Sophos report, averages just over $170,000. Paying up does not equate to getting all of your data back; after all, we are talking about criminals here, and they aren't an honest bunch. They are all about the money and have no interest beyond that. The report noted that of the 32% of businesses that chose to pay, 29% recovered no more than half of their data, and only 8% got all of it back.
Even if your business is among the lucky few to get all of its data back, the ransom payment itself is usually a small fraction of the cost of remediating an attack. Sophos calculated that once downtime, operational costs, and lost orders are accounted for, the average recovery cost is roughly ten times the ransom payment, adding another $1.7 million on top of the $170,000 payout. Paying also does nothing to evict the intruder: unless the initial access vector and any persistence the attacker left behind are found and removed, the same foothold is there for a repeat visit. Another report found that 80% of companies that paid the demand suffered a second attack, sometimes from the same actor they paid and sometimes from a new one.
US-based businesses risk even more if they decide to pay. In October 2020, the Treasury Department's Office of Foreign Assets Control (OFAC) issued an advisory warning that paying, or facilitating a payment to, a sanctioned individual, group, or jurisdiction can violate US sanctions law and expose the payer to civil penalties, even if they did not know who was behind the attack.
Myth 2: Ransomware attacks are uncommon
We wouldn't blame you for believing this myth, as the surface data suggests it may be true, but digging a little deeper makes it easy to debunk. Just under 2,500 ransomware incidents were reported to the FBI in 2020, a number that hardly reflects reality.
Unlike data breaches that expose personal information, which breach-notification laws require companies to disclose, a ransomware attack that only encrypts data is in most cases not legally required to be reported at all. Victims are also less inclined to report these attacks, as they don't want to damage their reputations, create customer panic, or become the target of public scrutiny.
Other research paints a different, bleaker picture. Statista noted 304 million attacks in 2020, and while that is a significant decrease from the staggering 638 million in 2016, it is far beyond the FBI numbers. SonicWall's 2021 mid-year report counted 115.8 million attacks in Q1 and 188.9 million in Q2. Note that these figures count ransomware attempts detected across the vendor's sensor network, not confirmed compromises, so they measure something different from the FBI's count of incidents victims chose to report; the gap between the two is the point.
The company’s 2022 Cyber Threat Report, which covered the entire 2021 year, recorded over 600 million ransomware attacks globally, amounting to a 105% year-over-year increase and three times more than 2019. The US and the UK suffered the most, with attacks increasing 98% and 227%, respectively.
Myth 3: Our firewalls, EDR and EPP tools will protect us
Firewalls at the perimeter, and Endpoint Protection Platforms (EPP) and Endpoint Detection and Response (EDR) on hosts, are all valuable tools to have, but none of them guarantees protection against ransomware. Businesses are under the impression that the more tools they have, the more protected they are. Too often, though, the pile of solutions gives a company a false sense of security and leaves it open to being blindsided by an attack.
One of the main issues is that many companies run older, outdated versions of these solutions, which makes attacks easier and more likely to succeed. You don't need the newest, shiniest tool available; what you need is a current version of each tool you already have. A release no more than a few months old is a reasonable floor, but best practice is always the latest version, because security products themselves receive vulnerability patches, and an unpatched agent or appliance is one more thing for an attacker to exploit.
New releases also add capabilities, so by not updating regularly you are effectively deploying only a portion of the solution you paid for. On top of that, many businesses don't follow the vendor's recommended configuration (detection features left switched off, exclusions far broader than needed, alerts that nobody reviews), so the very solutions they count on for protection end up adding risk instead of reducing it.
Myth 4: My company doesn’t have any valuable data
This misconception is most commonly held by small and medium-sized businesses, which assume attackers will always go after the big fish. In reality, attackers know that SMBs have smaller security budgets and smaller teams, which makes them easier, and therefore appealing, targets. Much ransomware targeting is opportunistic in any case: the affiliate hits whichever exposed remote-access service or phished credential they land on, regardless of the victim's size.
You would be hard-pressed to find any company that has no valuable data. If your company has customers or employees, you have valuable data. Even if you don't keep customer credit cards on file, you hold client information and a wealth of personal data on every employee: names, addresses, email accounts, Social Security numbers, bank accounts, and so on. Then there is your business's own data, including company banking information and other sensitive records. With double extortion, the attacker's leverage is not only that you need that data back, but that they can threaten to publish it, and with privacy now firmly on customers' and regulators' minds, holding anyone's personal information is a very powerful card.
Even if you don't believe you have data worth stealing, threat actors think you do. A Coveware report found that in 2020, over 50% of all ransomware attacks were launched against companies with fewer than 100 employees, and 75% targeted businesses with revenue under $50 million.
How to protect your company from ransomware
Believing you are protected because you have a checklist of tools, or blindly assuming you are too small to be attacked, are exactly the things that make you an ideal target. You need to recognize that you are a potential target and a potential payday.
To stay safe, you need processes, plans, and layers of protection that make sense for your business. In light of these debunked myths, take a fresh look at what you have been doing and re-examine your approach and your tech stack to see what actually serves your needs and where the gaps are. The best way to build cyber resilience is a two-pronged approach: proactive prevention (patching the systems and training the people that are the most common root causes, and limiting what any single compromised account can reach) and recovery planning (backups kept offline or immutable and proven by an actual restore, plus a rehearsed incident response plan), so that if an attack does land you are in a position to refuse to pay.