There is no doubt that small businesses have borne the brunt of what 2020 has thrown our way. First there were blows to the bottom line, then there were staff cuts, and now they face yet another challenge they could never have predicted – cyber-attacks.
A government-issued report released in July this year reveals that, in Australia, a huge 62 per cent of small businesses have experienced a cybersecurity incident first hand. That means almost two-thirds of Australian small businesses have been unnecessarily exposed to a threat that could see them shut up shop for good.
On top of this, lockdown has effectively forced Aussie SMEs into a situation where their staff are expected to work from home, but their security systems were not built to follow. Most businesses are equipped with systems designed to facilitate a 30 per cent remote working capacity. However, these systems were never prepared to jump to 100 per cent, resulting in a scramble that left best practices by the wayside.
A good work-life balance lies in leaving business at the door when the workday is done. But in recent months, these lines have become blurred. Work laptops have crossed into personal territory, leaving attack vectors wide open and critical corporate data at risk. So if an individual’s bank or email accounts are hacked, their business-critical data could be too. In July alone, Australians reported a net loss of $12.3 million from more than 18,500 scams.
This also works the other way. Considering the recent crisis, attackers are finding ways to infiltrate businesses’ firewalls with pandemic-themed phishing emails claiming to provide corporate health updates, fiscal packages, or emergency benefits. It only takes one misjudged click and your personal data is theirs for the taking.
So, with cybercriminals standing to gain the most from moments of fear and uncertainty, it is crucial that the lines between the personal and the professional are clearly drawn, both in the interest of the employee and the business.
In the speedy shift to the ‘new normal’, rules that were protecting us from attack were circumvented and channels that would usually have been locked down were opened. Employees started using personal equipment on personal networks, leaving their companies virtually no way to protect their data.
Though enterprise businesses were equipped with the resources and agility required to modify their IT infrastructure, many SMEs were not. Smaller businesses that lacked the finances or knowledge to provide their employees with remote access to the VPN simply went without, which has now led to a rise in ransomware attacks. Business owners likely made the decision to work without the protection of a VPN based on a very short-term window of risk, never expecting their data could go unprotected for months.
In this new normal, we must not be naïve to the fact that ransomware attacks will continue to rise. Whether through emails, texts or social media pages, attack vectors will increase and the attacks themselves will become ever more sophisticated. Instead, we should invest in preventative measures that avoid the need for paying ransoms and ensure business continuity is maintained, even in the worst-case scenario. Offsite and offline backups not only mitigate the effects of ransomware but, when combined with the right security suite and employee awareness training, can help prevent the problem altogether.
Just as you would not insure your house after a burglary or wear your mask after being exposed, don’t let your data go unprotected until it’s already too late.
Mark Bentkower, CISSP Technical Alliances Director – Asia Pacific & Japan, Veeam