You would expect the prevalence of high-profile ransomware attacks reported by the mainstream media to raise alarm bells in the ranks of small businesses.
According to a small business survey conducted by CNBC and Momentive, that doesn’t appear to be the case. CNBC reports that as many as 80% of small business owners are not concerned about the risk of a cyberattack.
The overconfidence is due to one of several reasons: their cybersecurity strategy significantly reduces the risk of a data breach; they have taken out cybersecurity insurance; or they assume their business is not big enough for hackers to bother with.
If you fall into the last category, think again. In 2023, 42% of small businesses experienced a cyberattack. There’s a similar story in the UK. On average, 65,000 cyberattacks targeting SMEs have been captured in a 24-hour period.
The preferred method for cybercriminals is reportedly ransomware. Hackers release malware onto a device such as a laptop, corrupt the files and lock the victim out of the network. Targets have to pay a fee to recover access to their data.
Is your business at risk of a ransomware attack?
It is estimated that the average payout for a ransomware attack is somewhere in the region of $170,000. However, that figure includes attacks on Fortune 500 companies that forked out millions.
Information like this is what makes small business owners believe their business is too small for hackers to bother with. But that is not the case.
The official data shows that businesses of all sizes are potentially at risk of a ransomware attack. A Sophos survey reveals the most common ransomware payment is £10,000 – an amount that most SMEs would be willing to pay.
Remote workers have also attracted the attention of hackers. Home networks and personal devices are an easier target – particularly if the end user is unaware of the latest strategies deployed by malicious actors.
Yet despite the growing threat of suffering a data breach, should small business owners be worried about a ransomware attack?
Well, yes and no.
From Secret Services To Dark Web Services
If you regularly follow the ransomware attacks that surface in mainstream media, you’ll notice a pattern emerging. The companies that are targeted point the finger of blame at a malicious group that is sponsored by the state of a perceived enemy.
US companies blame China, Russia and North Korea, whilst those countries accuse the US or Israel. Strip away the meat of the story and you find the bones: malware is programmed by crack hackers at the top of their game who are being paid by malevolent secret service agencies to create malicious code.
It has to be said that corporate espionage is a thing. It doesn’t affect most people or businesses though; at least not until sensitive data is stolen and used by cybercriminals for nefarious means.
The more disturbing fact is that malicious code programmed by state-sponsored hackers is released into the community of cybercriminals. Subsequently, anyone who goes online to use a digital device is a potential victim.
Hacking tools are unnervingly easy to get hold of. Reports in industry magazines reveal that Cybercrime as a Service (CaaS) has lowered the technical barriers involved in cybercrime. For as little as $1000 a month, anyone can get hold of these tools on the dark web.
Overly Competitive Competitors
On a small business level, it’s not beyond the realms of possibility for rival businesses to invest in CaaS to use against their competitors. When small businesses suffer a data breach they rarely recover.
One reason for that is down to data privacy laws. Companies that fall foul of a data breach are obligated to report the loss to affected parties. The loss of reputation a small business suffers after a data breach can put it out of business.
Computer monitoring and stealth spy software are used to infiltrate competitor networks, gather intelligence and scrape data from networks. The scandal around Israel’s controversial Pegasus spyware is evidence that anybody’s digital device can be hacked. Fortunately, by the time the vast majority of malicious code falls into the hands of average hackers, anti-virus software is able to detect and quarantine harmful viruses.
Provided small businesses have anti-malware software installed on the computers and smartphones of all their employees, the risk of suffering a data breach is significantly reduced. Businesses that fail to take basic precautions, however, leave an open invitation for hackers to infiltrate their network.
The important thing to note here is that the average hacker is not particular about who they steal from. Targets that are easy to exploit are inevitably the preferred option. Small business owners owe it to themselves, their staff, their customers and their supply chain partners to tighten up their IT security.
Protect Your IT Network
Tech giants have started to build IT security defenses into their devices and software. Whilst this layer of defense offers users some protection against cybercrime, it has minimal impact.
Installing an anti-malware package provides a second layer of protection, but there are other strategies you should deploy to create a defensive wall that is difficult to penetrate.
Microsoft recently warned businesses not to ignore multi-factor authentication (MFA) – despite hackers finding a way to intercept SMS messages. The tech company insists that 99% of its customers who suffer a data breach are not using MFA.
MFA can be an effective line of defense, but it’s not foolproof. As IT security experts Micro Pro point out in a recent commentary, the failure of standard MFA practice is pushing us closer towards biometric security logins.
IT support services also recommend investing in patch management. This is a service that ensures you are not left exposed to malicious actors because a vulnerable gateway found in software has not been closed on one of your employees’ devices.
To answer the title question, yes, small businesses should be worried about ransomware. But if you have a sufficient number of cybersecurity layers protecting your business network, the likelihood of falling victim to a data breach is greatly reduced.