It is a relatively simple and low-cost attack tool that can be easily deployed against SMBs. “Ransomware as a service (RaaS) can be purchased or implemented simply, with little technical knowledge,” Milbourne tells CSO. As a result, SMEs are not setting aside sufficient resources, leaving them poorly protected. “Rethinking how SMEs think about data ransom and implementing policies and technology to better protect yourself is essential to avoid being victims.”
If they suffer an attack, businesses should turn to expert support to help manage the situation, especially considering that making a payment is in no way a guarantee of data recovery.
There are some sobering statistics about the impact of an attack. American small businesses paid more than $16,000 in ransoms last year, according to the Hiscox Cyber Readiness Report 2023. “Ransomware is costing small businesses a lot,” said Christopher Hojnowski, vice president and product head of technology and cyber at insurer Hiscox, which works with more than 600,000 small businesses across the United States.
Only half of the companies surveyed that paid a ransom ended up recovering their data, while the other half had to rebuild their systems. Additionally, a surprising 27% were attacked again and another 27% were asked for more money, according to the survey. “It is certainly not advisable to pay the ransom,” says Hojnowski.
3. Seeing cybersecurity only as a technological problem
According to Sage, cybersecurity cannot be addressed with technology alone and is, in many ways, a human problem. “Technology enables attacks, technology makes it easier to prevent attacks, technology helps clean up after an attack, but that technology requires a knowledgeable human being to be effective, at least for now,” she says.
This also fuels other problems: a lack of budget and a lack of dedicated responsibility for cybersecurity. “These are significant challenges for SMEs, leaving them without guidance on compliance frameworks and clear direction, and dependent on supplier support,” says Iqbal.
Iqbal recommends that SMEs always look to government resources for guidelines and best practices and at least start with the basic recommended protections. In the United States, for example, the Small Business Administration and the Federal Communications Commission both have information and resources, while the UK National Cyber Security Centre has guidance and the Global Cyber Alliance (GCA) also has a toolkit for small businesses. The Australian Signals Directorate also has a guide for small businesses.
Sage adds that since most companies use Google Workspace or Microsoft Office 365, the respective knowledge bases are a wealth of information. Outside of these platforms, look for local sources of guidance. “There are also local community colleges, city and county small business centers, or economic development departments, and state commerce departments should also be able to connect you with cybersecurity resources,” Sage tells CSO.
4. Not using good cyber hygiene
Adopting good cyber hygiene habits should be a no-brainer, although in practice it can be hit and miss. For example, allowing the use of weak passwords is very common, according to Iqbal. He has also found cases where the default password for logins was not changed, or where all firewall passwords were changed to a single password with no separate administrative password. “The administrator account is the most lucrative account that threat actors seek to compromise. All it takes is one commitment and then the keys to the kingdom are open to all potential threat actors,” he says.
Backups are widely deployed, but SMBs often overlook the importance of backup testing. If the company suffers an attack and the backup fails, it can be catastrophic. “What we want is to be able to recover and mitigate the damage from a threat attack and that means having a reliable backup that has been verified to ensure that it is not corrupted or has other problems,” Iqbal says.