If your organization is hit with a ransomware attack, it’s going to cost you. According to Verizon’s 2023 Data Breach Investigations Report (DBIR), released June 6, the median loss to a ransomware attack has risen to $26,000, and can go as high as $2.25 million. “[T]he overall costs of recovering from a ransomware incident are increasing, even as the ransom amounts are lower. This fact could be suggesting that the overall company size of ransomware victims is trending down,” the DBIR team wrote.
Much of the expense comes from the loss of business and the recovery time. The average ransomware attack has a lifecycle of more than 300 days. That’s nearly a full year that the organization is tied up with discovery and remediation, almost two months longer than other types of cyber incidents. And then there are other costs, like long-term damage to the corporate brand and reputation, as well as loss of institutional knowledge when the employees who are held responsible for the attack are let go.
The costs surrounding a ransomware attack could cripple a small to medium-sized business, and even result in the company shutting down. It doesn’t have to be that way. Even for organizations with a tight IT/security budget and limited security expertise, ransomware protection and recovery boils down to planning ahead.
The best way to avoid the high costs of a ransomware attack is to avoid being a victim, but protection and detection tools also come with a hefty price tag. How much a company will need to pay depends on the number of employees and devices to protect, but even a company as small as 50 people can spend five figures on ransomware protection. Cyber insurance to protect the business in case of an attack could wind up adding at least $1,500 per $1 million in coverage, depending on the deductible.
Note that getting cyber insurance for ransomware is not easy; many insurance agencies are limiting coverage because of the high payout costs.
Organizations also need to think about the cybersecurity approach they want to take. How cybersecurity approaches ransomware defense has changed over the years, says PJ Kirner, CTO and co-founder of Illumio. Cybersecurity has shifted from perimeter defense (setting up a secure perimeter to keep the bad guys out) to rapid detection (detecting and stopping as quickly as possible), to containment (limiting the amount of damage the attackers can cause once they break in).
Which approach the SMB decides to take determines the type of tools and protective actions that would be necessary. A company deciding to contain malware would make investments to beef up authentication and privilege management in order to validate all users and devices before granting access to any transaction. A company focused on perimeter defense would have very different investments, as that would require firewalls and other methods to keep attackers out of the network.
While there are any number of security systems and tools that an organization can adopt, SMBs should consider the following actions, regardless of their overall security approach.
1. Decrease the Attack Surface
Applying the concept of least-privilege access can close the door against ransomware attacks. The fewer people with access to applications and databases, the fewer accounts a cybercriminal can steal or abuse to get in. Audit your users' roles to make sure they have access only to the software and services they need, especially if the software processes sensitive data.
For example, explains Kirner, Remote Desktop Protocol (RDP) is a popular access point for threat actors to get into a Windows system and launch ransomware. But RDP is most often used for IT help desks and troubleshooting. Most employees across the business have no need to have RDP accounts, and yet might have RDP enabled on their machines. Kirner’s advice is that if employees have no reason to have those accounts, access should be revoked.
“Remove all that attack surface from your environment,” says Kirner. “This is something you can do proactively and reduce the impact of ransomware.”
Another thing worth locking down – especially in a Windows environment – is PowerShell. Attackers increasingly use it in fileless, living-off-the-land attacks because it is already on every machine. The average user is never going to use it, so it is worth restricting when setting up the user machine. Removing it outright is rarely practical, since Windows management and patching tooling depends on it; the usual approach is to block interactive use for standard users with an application-control policy (AppLocker or Windows Defender Application Control) and to turn on script block logging so any remaining use shows up in the event log. Similarly, keep track of what accounts have been created on the network or for cloud applications and services. If the employee no longer needs an account, or has left the company, remove that account entirely. Cloud access security broker (CASB) software can help manage and monitor employees' cloud activity and enforce security policies.
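The audit steps above (who can use RDP, whether PowerShell use is logged, and which accounts have gone quiet) can be scripted. The following is an added example written for this article, not code from Illumio or any vendor named here. It assumes an elevated PowerShell session on the endpoint, that the ActiveDirectory module is present only on a domain-joined admin host (the domain check is skipped otherwise), and that the 90-day inactivity window is a placeholder to be tuned. Without the -Apply switch it only reports.

```powershell
# Added example (not from the article): audit RDP exposure, PowerShell
# logging state and inactive accounts on a Windows endpoint.
# Assumptions: elevated session; -Apply makes changes, otherwise report only;
# the 90-day staleness window is a placeholder, not a figure from the article.
param(
    [switch]$Apply,
    [int]$StaleDays = 90
)

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Test-RdpEnabled {
    # fDenyTSConnections = 0 means the RDP listener accepts connections.
    return ((Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections -eq 0)
}

# --- 1. RDP: most staff have no reason to accept inbound RDP ---------------
if (Test-RdpEnabled) {
    Write-Host 'RDP is ENABLED. Non-admin accounts allowed to connect:'
    # Local Administrators can always RDP; this group is the extra allow-list.
    Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Host "  $($_.Name)" }
    if ($Apply) {
        Set-ItemProperty -Path $rdpKey -Name fDenyTSConnections -Value 1
        # Close 3389 at the host firewall too, not just the listener.
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        Write-Host 'RDP listener and firewall rule group disabled.'
    }
} else {
    Write-Host 'RDP is disabled.'
}

# --- 2. PowerShell: make any remaining use visible -------------------------
# Uninstalling PowerShell breaks Windows management tooling, so the cheap
# first step is script block logging (Event ID 4104 in the
# Microsoft-Windows-PowerShell/Operational log). Blocking it for standard
# users is an AppLocker/WDAC policy decision made outside this script.
$logKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$logOn = (Get-ItemProperty -Path $logKey -Name EnableScriptBlockLogging `
            -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
Write-Host "Script block logging: $(if ($logOn) { 'on' } else { 'OFF' })"
Write-Host "This session's language mode: $($ExecutionContext.SessionState.LanguageMode)"
if ($Apply -and -not $logOn) {
    New-Item -Path $logKey -Force | Out-Null
    Set-ItemProperty -Path $logKey -Name EnableScriptBlockLogging -Value 1
    Write-Host 'Script block logging enabled.'
}

# --- 3. Stale accounts: leavers and forgotten logins -----------------------
$cutoff = (Get-Date).AddDays(-$StaleDays)

# Local accounts that are enabled but have not logged on inside the window.
# Accounts that have never logged on (LastLogon is null) are left alone here;
# they may be newly created and deserve a manual look instead.
$staleLocal = Get-LocalUser | Where-Object {
    $_.Enabled -and $_.LastLogon -and $_.LastLogon -lt $cutoff
}
foreach ($u in $staleLocal) {
    Write-Host "Stale local account: $($u.Name) (last logon $($u.LastLogon))"
    if ($Apply) { Disable-LocalUser -Name $u.Name }
}

# Domain accounts, only where the RSAT ActiveDirectory module is installed.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $staleAd = Search-ADAccount -AccountInactive -UsersOnly `
                   -TimeSpan (New-TimeSpan -Days $StaleDays) |
               Where-Object { $_.Enabled }
    foreach ($u in $staleAd) {
        Write-Host "Stale domain account: $($u.SamAccountName) (last logon $($u.LastLogonDate))"
        if ($Apply) { Disable-ADAccount -Identity $u.SamAccountName }
    }
} else {
    Write-Host 'ActiveDirectory module not present; skipping domain account check.'
}
```

Run it once without -Apply, review the lists with whoever owns the help desk (they are the people who legitimately need RDP), then run it with -Apply. Disabling rather than deleting accounts keeps their SIDs and file ownership intact, which matters if someone turns out to still need one.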
2. Shift the Costs to the Attackers
Another way to make your organization less attractive to bad actors is to make launching an attack more costly for the cybercriminal. Something as simple as restricting access to unnecessary applications shifts the burden to the attackers. If the attacker can't do much with the application despite having user credentials – maybe they can only view reports but can't extract data – the attacker has a choice of moving on to easier victims or working harder. Similarly, requiring multifactor authentication adds another roadblock for threat actors because just stealing credentials is no longer enough. There are many types of MFA to fit the SMB's budget and security expertise, ranging from biometrics to hardware tokens or an authenticator app on the employee's phone; where the budget allows, phishing-resistant options such as hardware security keys are the ones a credential-phishing kit cannot replay.
Attackers are economic actors, just like any other business, Kirner points out. “When they run out of time, they’ll go to an environment with less security controls,” he says.
3. Improve Your Security Hygiene
Good security hygiene is important, regardless of company size.
The first step is to build an internal security culture around cybersecurity awareness and guidance, explains Dave Gerry, CEO at Bugcrowd. That doesn’t just mean watching security videos and calling it done. Encourage open communications and give employees the confidence to report anything that seems suspicious.
Explain which external services and resources are allowed and why there are restrictions. Make it easy for employees to go through an approval process on getting access to tools so that they aren’t just going off and creating their own accounts.
Utilize modern training materials. Security companies are now producing training videos that are episodic, like sitcoms, or use techniques from reality shows that entertain as well as educate.
Gamification, such as setting up contests or offering rewards when designated milestones are met, also creates an environment where employees want to improve their security practices. Human error is a top contributing factor in breaches. When employees are encouraged to take an active role in cybersecurity and understand the consequences when they don't, you add another cybersecurity tool at little cost.
4. Don’t Fail to Plan
Prevention is important, but every organization should have a plan in place to mitigate the attack when it happens. The company should know who will be involved in mitigation and recovery, how to handle the negotiations, and, above all, where the backups are: copies that are kept offline or immutable, out of reach of the same credentials the attacker holds, and that have actually been restored in a test.
For example, because of the possibility that the ransomware attack can lead to permanently shutting down small to medium-sized businesses, many plan to pay the ransom. That requires setting a budget on how much to pay, and deciding with legal counsel in advance: paying does not guarantee a working decryptor, and a payment to a sanctioned group can itself be unlawful. If the organization does not already have a cryptocurrency wallet or access to cryptocurrency, that will make paying a bit difficult. SMBs are already working with managed service providers, consultants, and contractors. It may be worth lining up a ransomware negotiator ahead of time, so that they can spring into action when needed. Also worth lining up proactively: a computer forensics team to help figure out what is happening on the network and how to remove the ransomware.
Priority No. 1 has to be a strategy, says Joseph Carson, chief security scientist with Delinea.
A ransomware attack isn’t a typical incident, Carson points out. It will make you unavailable to your customers and, in worst-case scenarios, put lives at risk. No matter how small your budget, it is essential to think about what ransomware defense should look like but to also plan out what is needed for a successful recovery.