We asked a panel of cybersecurity experts and business leaders, "what is the most important thing SMBs overlook when it comes to ransomware?" Read their responses to find out.
Veronica Miller
Veronica Miller is a Cybersecurity Expert at VPNoverview.
"The biggest thing SMBs overlook when it comes to cybersecurity and ransomware is assuming they are not a significant target for hackers"
This assumption is wrong as small businesses offer a smaller level of resistance, making it easier for cybercriminals to attack them.
SMBs often hold on to the status quo they are comfortable with and give justifications like, "Nothing bad has happened before to us or businesses like us." Most small- to mid-size organizations that experience a ransomware attack make it go away quickly and quietly.
Hence, it is imperative to remember that ransomware attacks keep increasing at an alarmingly high growth rate. Avoiding investing against ransomware attacks is equivalent to painting a massive target on the business.
Casey Crane
Casey Crane is a cybersecurity journalist at SectigoStore.com.
"When it comes to ransomware prevention, one of the most overlooked areas for SMBs is the human factor"
This comes in two forms: human ingenuity on the part of the hackers, and human nature in terms of the target employees.
Cybercriminals are always looking for ways to put a new spin on old tricks. They don't want to fully reinvent the wheel when they know that they can simply make small changes here and there to make it more effective or efficient.
This is why small businesses need to take the time to educate their employees about a variety of cyber threats. While this type of training should include information about the types of threats and how to recognize them, it should also include practical, hands-on training as well through testing.
A few examples of things to teach include:
- Using long and unique passphrases instead of traditional passwords. Even the FBI suggests using passphrases rather than passwords because they're thought to be more secure.
- Recognizing identifying traits that many phishing emails exhibit. These traits include things like using slightly or completely different email addresses that don't match the sender's name or organization, sending unsolicited links or attachments, and using language that elicits a sense of urgency, fear, or curiosity, etc.
- Never relying on instructions provided in an unsolicited email without speaking to the person directly. This is especially true regarding monetary or information transactions, such as invoices or wire transfer requests. Train your employees to reach out to contacts directly via an official phone number to confirm the request – they should never call a phone number provided in a suspicious or unsolicited email.
Your employees are at the center of your business's strong (or weak) cybersecurity defense. Arm them with the real-world knowledge they need to face down these threats and to know how to respond to them. The security of your organization's data and operations counts on it.
Nathan Little
Nathan Little is the Senior Vice President of Digital Forensics and Incident Response at Tetra Defense.
"Most small- to medium-size businesses (and even large enterprises) overlook the evaluation of their backups"
Most backup systems still in place are not designed to recover from ransomware incidents; instead, many are configured to respond to cases of natural disasters. This is crucial considering that backups are also impacted by the malicious encryption event, or even deleted by the threat actors.
For example, if your backups are on your network, or worse, directly attached to your critical systems, they are likely to be impacted by a ransomware incident, and you may not be able to restore them. Even some organizations with multiple sites or with backups stored in multiple locations are susceptible to backup loss if those backups are all stored on the network.
The most common thing we hear when responding to a ransomware incident is, "Well, we had backups, but the attacker deleted (or encrypted) them" or, "Unfortunately, when we went to restore, the backups were not current."
Organizations overlook the importance of a high-quality backup system, backup testing, and a disaster recovery plan. A good rule of thumb is this: If an IT person could delete your backups permanently, they are susceptible to cyberattacks, too. This is because attackers will specifically target backups, compromise IT credentials, and delete or manipulate backups when inside a network to ensure their ransom payment.
Michael Puldy
Michael Puldy is the CEO and founder of Puldy Resiliency Partners, LLC. He has over three decades of technology, information risk management, and operations experience in the aerospace, banking, and computer technology sectors. Michael is passionately focused on ways companies can improve their offensive and defensive posture towards internal and external threats.
"While the majority of the focus on ransomware is protection and education, I believe the most important element SMBs miss is the development and testing of a ransomware response plan..."
How does a company perform in case of a ransomware attack? What would they do? How is a ransomware crisis different from a natural disaster or internal threat, such as disruptive actions from a disgruntled employee?
Once a company is the casualty of a ransomware attack, they have two options:
- Pay the ransom
- Ignore the threat and recover from backups
Neither option is easy, and each has its own set of challenges and problems. For example:
- If a company pays the ransom, how confident are they can even deploy the antidote and recover all their data?
- Will the attacker come back for more, and have they stolen client data that they can hold hostage for later or maybe post on the dark web?
- Does the SMB know how bitcoin works?
- If they pay, will the SMB violate government sanctions and have to face the FBI and an investigation led by the Department of Justice?
On the flip side, recovering data from backups is not easy, especially if a company has never done a full laptop, server, or multiple server recovery. Some considerations and questions to keep in mind with recovering data from backups include:
- The fact that depending on how the backups are maintained, the process could take days or weeks.
- If the SMB depends on an IT service provider, what does the contract look like with the IT service provider requiring the provider to recover the SMB's business?
- How current are the backups?
- Are the backups encrypted from the ransomware attack and no longer valid?
One company I worked with told the hackers to pound sand, but then discovered the IT service provider wasn't taking regular backups. Working with an attorney, they found out their contract with the IT service provider wasn’t sufficient for the attacked company to take any legal action against the IT service provider. Lots of bad news for them. In the end, the SMB was forced to pay the ransom.
Without a plan, practice, and diligence when it comes to reviewing business continuity processes, a ransomware situation is one of the worst business crises an SMB can experience.
Gabe Turner
Gabe Turner is the chief editor at the digital security website Security.org.
"The most important thing that small businesses overlook when it comes to ransomware is antivirus software"
Antivirus software includes large databases of all the most current malware and ransomware, constantly being updated. This software scans your business devices for suspicious behaviors, and if they find any files with ransomware, it quarantines them in its folder so that they can't harm your devices.
Many small businesses rely on the digital security tools built into their computer or browser, but these can be insufficient. So I recommend buying a separate antivirus software for all of your employee's devices.
Arturo Romero
Arturo joined Scantron in early 2019 as a senior security engineer. Previously, he mastered the art of proactive security at PayPal as an Information Security Engineer level 3. Arturo also served in the Nebraska National Guard as a Defensive Cybersecurity Operator. He takes a keen interest in validating and testing the integrity of security functions and mitigations in high-stakes operational environments. His stance ensures that clients catch and manage shortcomings in security measures before malicious actors can take advantage of them.
"The most important thing SMBs overlook is the importance of understanding how or where ransomware can come from, as well as how to more readily identify it"
Most organizations are under the impression that ransomware only comes from email, which for most is indeed the case. However, there are other ways ransomware attacks are delivered that many organizations that have fallen victim to them weren't even aware of. For example, insecure protocols, drive-by downloads, and USB and removable media, as well as from social media.
One of the keys to successfully responding to these ransomware attacks is to properly train staff to identify when their system has been compromised to stop it from spreading further into the organization. Simple things such as screenshot examples, or even identifying some of the ways they are delivered, go a long way to help curb the spread of ransomware into your organization.
Dustin Bolander
Dustin Bolander is the CIO of Clear Guidance Partners.
"One of the recurring issues that we see with ransomware is that the IT team rushes to do a restore from a backup"
Consequently, they fail to identify/remove the initial attack or foothold(s) leading to reinfection. This is compounded by all of the unqualified IT providers claiming to be incident response providers.
We've been getting a lot of calls lately for help. The first thing we tell companies is to not touch anything and to call their insurance provider so a proper IR group can handle things.
The other issue is that companies are not testing or preparing for disaster recovery. We recently assisted one law firm whose managed IT provider took almost a week to restore core services such as email. There was a DR site setup but the MSP was not monitoring it at all, so it was unusable when disaster struck.
Jeremy Wirtz
Jeremy Wirtz is a Senior Technical Engineer and IT consultant at Guardian Computer, an IT services and support company headquartered in New Orleans. He is experienced in network engineering and infrastructure, Windows Server administration, and end-user desktop support. He supports all aspects of IT infrastructure and maintains numerous Cisco certifications.
"The most important things SMBs overlook when it comes to ransomware is that your employees are your first line of defense"
Ransomware, an advanced digital extortion attack, is among the most common and damaging cyberattacks that threaten small and midsize businesses today. Human error is one of the top causes of cyberattacks against businesses. From falling for a phishing email to failing to log out of important accounts, anyone from an entry-level employee to a leadership executive at your business could start a chain of events that leads to a ransomware attack.
This is why regular, company-wide cybersecurity awareness training and drills for employees is vital to the safety of your organization. If your company lacks an IT department or the resources necessary to conduct training in-house, there are many third-party services that provide thorough cybersecurity training for employees. Training should include how to spot phishing emails and fake websites, the early signs of a cyberattack, as well as guidance about reporting potential attacks, developing digital emergency procedures, and implementing cybersecurity protocols for everyday operations.
By integrating cybersecurity training into your new hire training and professional development procedures, you're adding the most important layer of protection against ransomware that your SMB has.
Pieter VanIperen
Pieter VanIperen, Managing Partner of PWV Consultants, is a 20-year veteran software architect and security expert who is an industry authority and influencer. He provides thought leadership and execution to develop widely adopted processes, methodologies, and technologies that are at the forefront of digital innovation and software development.
"The most important thing SMBs overlook when it comes to ransomware is having the security in place initially to stop the attack before it starts"
Many SMBs don't have proper information security protocols in place. This happens for a variety of reasons, but it is mostly due to a lack of knowledge and a lack of budget. It tends to be something they think they can get to 'later,' only later never comes.
This leads to the other overlooked aspect by SMBs: incident response. If there's no security in place, then there is likely no incident response plan in place. Without an incident response plan, employees will have no idea what to do when their systems are suddenly locked by ransomware.
Who do they call? Where do they make a report? Are there backup systems and processes in place? These are all important questions that need to be answered. Without cybersecurity and an incident response plan, any SMB hit by ransomware is not going to fare well.
The last resort is to have backups, but if they aren't configured correctly and aren't isolated, they may get infected with ransomware themselves. Regardless, at the very minimum, you should have backups.
Israel Gaudette
Israel Gaudette is the founder of Link Tracker Pro, one of Canada's fastest-growing SaaS companies.
"The most important thing SMBs overlook is options other than paying the ransom"
Paying the ransom is the path that most business owners choose. However, when it comes to ransomware, you should avoid paying any amount of money at all costs. It's the most important thing business owners always overlook.
Paying the ransom does not give you any guarantee of regaining access to your data. And besides, ransomware is a criminal offense. So the moment you're attacked, report it directly to the appropriate law enforcement agency. Then, start mitigating the attack by looking for a decryptor that can get your files back. If you can't find one, it's time to make some calls to a trusted cybersecurity vendor and ask for professional assistance. And if worse comes to worse, a backup comes in very handy and is your best shot in getting all your data back.
When it comes to cybersecurity threats, ransomware has already made its name by costing businesses billions. If you don't know how to combat this threat, you'll definitely pay the price. But with proper knowledge and preventive tactics, it'll be easily avoided. The key here is to know the 'hows' and 'whats.' Know how it gets you infected and what to do when you're already infected. With this knowledge, you won't need to pay a single dime anymore and can be worry-free about data loss.
Jeff Walker
Jeff Walker is the head of Best VPN Canada, one of the biggest internet privacy websites in Canada.
"A misconception every business owner has continuously overlooked is thinking that a ransomware attack will never happen to them"
If you're one of those who think, "We're not worth a hacker's effort", you need to let go of that mindset and start protecting your business. Your data might be not of great value to the hackers, but without a doubt, it's very valuable to you. You have a duty to protect not only your company's data, but also your employees' welfare as well. Hackers are always eyeing to attack the unprepared, and you could be the next one on their list.
Create a culture of security. Deploy a paid antivirus that has real-time scanning and automatic updates. On your PCs, install all the latest updates for all your applications. Use administrator accounts only when necessary instead of using them daily, and always remember to let everyone stay watchful and proactive.
When it comes to ransomware, prevention is better than cure. The first step is to educate your employees about the basics. Relentlessly train them to identify common signs of phishing and cyberattacks. After all, all of your cybersecurity policies in place are useless if your employees are not empowered.
Mike Bran
Mike Bran is the owner of Shopping Enthusiast and the CEO of the startup ThrillAppeal.
"Attacker dwell time is the most important thing that SMBs overlook when it comes to ransomware"
Most businesses focus on how the threat actors worm their way into a network, which is mostly through phishing. However, while focusing on this aspect, they miss out on the length of time an interloper remains undetected inside the network: attacker dwell time.
Initially, the ransomware attacks were of the "smash-and-grab" nature, under which the deployed malicious file would damage as many files and machines as possible in a short period of time.
However, quite recently, the trend has changed. The ransomware operators now stick around, lurking in the network and waiting to come across higher-value assets that they can compromise. The average dwell time for ransomware is 43 days. This is something that businesses are overlooking and need to focus on.
Joseph Ferdinando
Joseph Ferdinando is the founder of HotHeadTech.com, a family-owned team of business professionals who offer small- to mid-sized companies IT support, VoIP phone services, managed support, disaster recovery solutions, and more.
"SMBs often overlook the rise in ransomware being delivered alongside phishing emails"
Cyber attackers normally send an attachment, such as, "URGENT ACCOUNT INFO™ with a .PDF, .zip, or .rar file extension, which slips by the unsuspecting victim and releases the payload. This attack often encrypts the whole hard disk or your documents and requires a bitcoin payment to unlock it. Some of the less damaging forms simply block your access to your computer, but do not encrypt it. Luckily, these groups actually do unlock the data if you make the payment they have demanded so that future victims are more likely to pay as well.
Almi Dumi
Almi Dumi has been with eMazzanti for 12 years, previously serving as Senior Network Architect and Team Lead. He holds numerous certifications, including ITIL IT Service Management, PCI-QIR, WatchGuard Certified System Professional, Lean Six Sigma, and several Microsoft Professional certifications.
"With a focus on cybersecurity technology, SMBs overlook the fact that ransomware works because of effective social engineering, such as phishing schemes"
More effective cybersecurity training can prevent it. The best defense is to educate employees on the danger of opening unrecognized email attachments.
Humans are the weakest link in cybersecurity. In addition to implementing a commercial-grade firewall and other basic network security measures, business owners should have a security expert come in to train employees and evaluate weaknesses. The checker should not be the doer. Small businesses could do a lot to strengthen their cybersecurity posture by building a security-first mindset within the organization.
Colton De Vos
Colton De Vos is a marketing specialist at Resolute Technology Solutions, a full-service IT company in Winnipeg, MB. He specializes in writing about how businesses can solve their unique challenges with specific technology solutions.
"When working with SMB companies on cybersecurity, the thing businesses most often overlook is the human element"
With ransomware, even if you have a firewall, antivirus, and regular backups in place, your data can still become compromised. Typically, this can happen if an employee accidentally downloads ransomware through a malicious link or attachment and installs it on their system. In such cases, the only ways to decrypt your data are to hope your antivirus defenses can remove it, revert to an unaffected backup, or work with the hackers.
The best way to combat employees accidentally installing ransomware is through security awareness training. There are many platforms businesses can leverage to train their team to identify, avoid, and respond to the full spectrum of cyber threats, including ransomware. These programs typically come with learning modules you can assign to your team and update with new material as emerging cyber threats enter the market and become a threat to businesses.
The best way to reduce the risk of ransomware is to approach security in layers. Secure your technology, processes, and people for a well-rounded security program.
Alexandra Zelenko
Alexandra Zelenko is a senior marketing and technical writer at DDI Development, a company that delivers web and mobile digital solutions for a wide range of business verticals.
"The most important thing SMBs overlook when it comes to ransomware is the shift to remote working..."
In light of the COVID-19 pandemic, the move to remote working has resulted in more sophisticated ransomware attacks. While your organization is adjusting to the new normal of working from home, remote employees may use personal devices for work, access the network over an insecure connection, or work on sensitive information via unencrypted collaboration channels.
With that in mind, it's imperative to implement network security software. Not only will it automatically monitor the network and its files for threats, but your administrators will be also alerted if a ransomware attack tries to encrypt the files over the network.
You also need to update your software and operating systems whenever they are available. Only by knowing how to fight back if your company is attacked by ransomware can you prevent your business from ransomware attacks.
