Even while other business activity is down, ransomware remains a threat. The biggest mistake people can make is assuming they’re too insignificant to be a target.

According to the 2019 Verizon Data Breach Report, ransomware is the second most frequent malware attack behind (C2) attacks, and events of 2020 have contributed to new spikes in such attacks.

Techopedia reached out to the experts to get insight into the nature of ransomware attacks and what steps businesses should take to protect their data.

Ransomware Can Have Serious Consequences

Dale Penn, the author of Identity Theft Secrets: Exposing the Tricks of the Trade and President of the Privacy Awareness Academy, an online cybersecurity education company explained that when data gets out, the company that was entrusted with it can be held liable, and failing to foresee the possibility of an attack will not stand as a legal defense.

“One of the consequences of a ransomware attack is often the release of extremely sensitive data into the wild. Business owners and boards understand that regulators (such as the Securities & Exchange Commission) will hold them legally responsible for mishandling either their preparation for or response to the inevitable aftermath of an organizational data breach.”

Oliver Noble, an encryption specialist at NordLocker explained that such attacks can cost businesses “millions in fines and compensations,” though even without that, the cost of lost business alone is substantial. They have to cover the losses due to downtime, canceled orders and operations, which can easily run hundreds of thousands of dollars for the average business.

Noble noted that the damage is not measured just in the short term, though about two-thirds of the damage strikes within the first year.”

According to a study conducted by the Ponemon Institute, if an organization suffers from a data breach, the costs may carry over for years. That means that a company that does not have the resources to carry it through for a sustained length of time could be completely destroyed by just a single attack.

A Possible New Peak Ransomware

Noble noted that ransomware was considered to have reached its peak in 2017 and that attacks appeared to be in decline. He attributed that to the fact that most of the vulnerabilities that had come to light as a result of the attack had been patched.

He did add that this did not mean one could be complacent: “Business organizations with outdated systems and a lack of ‘cyber hygiene’ could still be susceptible to such attacks.”

Indeed, even when you think you may be in the clear because things have settled down, along comes something that can reactivate the danger levels. According to the very latest figures, there has been an uptick in ransomware attacks in the wake of the pandemic.

Carbon Black reports that this past March “ransomware attacks increased 148% over baseline levels from February 2020.” It found correlations between the uptick and news on the pandemic, “suggesting attackers are being nefariously opportunistic and leverage breaking news to take advantage of vulnerable populations.”

Many of these are aimed at individuals rather than businesses, though with many individuals now working at home and pulling data from work through their own internet connection, businesses do have to be concerned.

That was one of the concerns addressed in Cybersecurity Concerns Rise for Remote Work.

However, there is a silver lining to that particular cloud. As Penn observed: the news reports on this will make more people aware of the need for people to be properly trained and educated about the risks to cybersecurity.

Penn pointed out:

Thanks to the vulnerabilities presented by the rapidly increasing army of remote-workers in the post-COVID era, cloud-based employee privacy awareness training has taken its rightful seat at the table in the corporate risk management and information security ecosystems. Information Security isn’t simply about information or security; it’s about people.

Have People Become More Educated About the Threats?

“Over the past few years, we noticed an interesting privacy paradox worldwide,” Noble noted. Even while people have become more aware of security issues, they don’t think of themselves as targets because they don’t believe they are 'important enough to be spied on, tracked, or hacked.'”

Noble considers that to be “one of the most significant cybersecurity issues worldwide, as it keeps people away from using even the simplest security and privacy solutions and tips.”

He sees as the reason why you find “the most popular password worldwide is ‘password,’" that many allow geolocation tracking, rarely update their devices, do social media quizzes, and give away their sensitive data without even thinking about it.”

They also may have mistaken ideas about what hackers go after because of media hype. Noble referred to the 2019 Verizon Data Breach Report that estimated 43% of cyberattacks target SMEs.

The reason you don’t hear about them as often as they occur is because “the media focuses only on the big hacking scandals.”

Banking on the principal that if it’s not reported, it’s not happening, smaller business owners come to believe that hackers will only go after the bigger companies, which is not at all the case.

Back in 2016, Marcin Kleczynski, CEO of the cybersecurity company Malwarebytes, told Business Insider: "We see companies from 25 people all the way to 250,000 people getting hit with ransomware."

What Do Businesses Typically Do that Makes Them Vulnerable to Ransomware?

Noble said that while some businesses have the financial resources to hire cybersecurity specialists, smaller companies usually consider that beyond the reach of their budgets.

In addition to not having the expertise of personnel, “they also tend to not have enough general knowledge about safety online, such as password security."

That’s what makes them easier to hack than larger companies, and they are tempting targets.

“Even if they don’t have vast amounts of data, these businesses have ties to larger enterprises. Hackers can gain entry and find a treasure trove of information that can range from financial data that can be used for fraud to personal information valuable for identity theft.”

Accordingly, businesses would be wise to consider averting the attack by following best practices.

Noble offers six recommendations to be proactive about security.

Noble’s 6 Recommendations For Businesses

1. Educate your team members.

Because individual mistakes end up affecting everyone on the team. Invite a cybersecurity expert to host training for your company.

Your coworkers must learn this by heart: never download attachments or click links from unknown sources. Try updating them about the latest data breaches or recently detected technological bugs.

Discuss social engineering tactics and phishing attacks as well. You can use anonline cybersecurity test to understand how much they know about digital security.

2. Secure all your smart devices.

Almost any gadget connected to a network can get hacked. Thus, you need to acquire an accurate list of all work-related inventory and accounts.

It’s necessary to change all default passwords of every device in the office. Also, each employee must have their credentials with an assigned role for each account used.

Limit admin privileges, especially for accounts that have access to the most important documents.

3. Secure all your data.

Hackers may access all the files on your system and track your activity online if your data is not encrypted. A reliable business VPN service provider can encrypt the online traffic of all your employees. It ensures that your digital resources are safe when the staff needs to access them.

It’s also a great solution when working remotely from home or while traveling abroad.

4. Always update your devices.

This can fix security vulnerabilities and system bugs, which may otherwise cause safety issues. The same goes for software, too. Make sure to renew your firewall and antivirus programs as well. That will keep your devices secure and protect them from the latest viruses.

5. Do backups.

To reduce the damage of any potential ransomware attacks, maintain periodic secure data backups. Although cloud services come with their own privacy concerns, a periodically updated and secured backup will guarantee access to your files in the event of hackers locking you out of your information.

6. File encryption.

Start encrypting the information your company handles. If you use file encryption tools, for example, NordLocker, even if hackers manage to steal your files, they won’t be able to access their content which means they won’t be able to threaten you with exposing the data publicly. The best way to keep your valuable information safe is to encrypt it and back it up in the cloud so hackers wouldn’t be able to threaten you with wiping it.

Moreover, encryption helps protect confidential data from prying eyes when sharing it with clients or among members of staff.

Should Businesses Pay the Ransom When Attacked?

The answer to that is not a simple yes or no.

The response for a company “depends on how deep into the network ransomware got and how critical it is,” Noble said .

In fact, according to the Sophos report, the majority of businesses (94%) were able to get back the data encrypted by ransomware. And most of those 56% succeeded in doing it without paying ransom, thanks to their backups.

Only 26% paid.

That percentage split indicate that businesses are getting more savvy about preparing for possible attacks.

Noble says that paying the ransom immediately is appealing because they believe it’s the fastest way to get up and running again.

“Usually, the ransom will not drive businesses bankrupt; however, a hit on the reputation might cost much more, if the fact about the attack becomes public.”

Noble said the mistake here is assuming the hackers will keep their end of the bargain when they may pocket the payment without releasing the decryption keys. As he pointed out, paying the ransom won’t necessarily help, as was the case with NotPetya.

The stats on the costs associated with those who pay ransom versus those who don’t also indicate that rewarding ransomware may not be a smart business decision. According to the Sophos report, in the U.S. the cost of ransomware is $732,520 for organizations that don’t pay the ransom, and $1,448,458 for those that do, which suggests that paying criminals is note cost-effective.

Given those facts, Noble recommends that companies that do get attacked don’t act hastily and pay out of panic but take counsel from cybersecurity specialists. They can give the best advice about what to do.

Those that have good backup can recover the data that way, though Noble points out that doesn’t mean the company is completely in the clear. It’s possible the hackers have made copies of your company data that should have been secured.

Final Thoughts

Noble’s conclusion is “only extensive preparation for attacks can bring some positive results.” That’s why regular, secure backups are essential. They are the ounce of prevention that can help avert the heavy cost of a pound of cure.