Ransomware can kill a business

Andy Halsall Security, Technology

If you run a small business, protecting yourself from ransomware and other online threats could be the difference between success and failure.

The aptly named ‘WannaCry’ ransomware attack attracted more attention than most online security threats, and rightly so given the impact it had on the NHS and elsewhere. But it is only one small part of the current threat picture in the UK.

Like most ransomware, ‘WannaCry’ went after Windows computers. It spread between them through a flaw in Windows file sharing (SMBv1) for which Microsoft had released a patch (MS17-010) two months earlier, so supported, fully patched machines were not vulnerable to it. ‘WannaCry’ essentially had one purpose: to find and encrypt any data it could get hold of so that it could extract a ransom payment in Bitcoin, and it seems it did at least the first part of that very well.

The attack started on the 12th of May 2017 and was unprecedented in scale; within a day it was a global threat. It left many of its victims having to shut down and restore large portions of their systems; some lost data, and some were unable to operate while their disaster recovery plans swung into place. Everyone affected ended up paying a significant cost, whether in lost data, lost time or the effort required to recover from a nasty infection.

But in many ways, the threat posed by ‘WannaCry’ was far from unique. Ransomware is not new, it has been a rising threat for some time and it’s not just a problem for large companies.

In fact there is a strong case to say that small businesses, the backbone of our economy, are far more at risk and far less well prepared than their larger counterparts.

The business of vulnerability


This year’s DCMS Cyber Security Breaches Survey showed that 46 per cent of companies detected security breaches in the last 12 months, and ransomware accounted for 17 per cent of attacks, a figure that is likely to rise if companies don’t put measures in place to protect themselves. After all, ransomware is common, offers easy returns for cyber-criminals and can spread like wildfire in an unpatched environment.

As a threat it isn’t just aimed at large businesses, hospitals and banks; quite the reverse. The criminals behind these attacks are increasingly targeting smaller, more vulnerable organisations, trading a smaller potential reward for a higher likelihood of success.

In the US, ransomware was identified by the Department of Justice as one of the “biggest security challenges faced by the US in 2017”.

“While much attention is paid to what must be done to bolster the cyber defenses at federal agencies and large businesses, all of us are vulnerable to online scams and emerging dangers like the malicious computer virus known as ‘ransomware.’ ”
– Homeland Security and Governmental Affairs Committee Ranking Member Tom Carper (D-Del.) and Chairman Ron Johnson (R-Wis.)

Small, agile and vulnerable


Weak IT security is a threat even to businesses that trade entirely offline, whether they sell sweets, saw blades or anything in between.

For a small business, being unprepared for a ransomware attack could well be fatal. Even for entirely ‘offline’ businesses, the impact of a loss of records, invoices, stock information, payroll, VAT and tax data comes with a huge cost.

For a lot of business owners, whether they are running a corner-shop, plumbing business or hairdressing salon, computers are just a way of getting things done more easily. IT isn’t seen as ‘core’ to the business; in many cases it’s one laptop, a CCTV system and some tills.

Much of a small business’s IT may not seem like IT at all. VoIP telephones or remotely accessible and manageable CCTV systems are often seen as self-sufficient black boxes that can be bought, installed and then left to do their thing. The cheapest, and often very popular, solutions come with little or no support, firmware and software updates are limited, and little consideration is given to ensuring they are secure by design or have ‘sane defaults’. A device like that, left on its factory password and reachable from the internet, is an easy way into the network everything else sits on.

When it comes to internal ‘technical support’, new and small businesses often turn to their most IT-literate staff members or simply rely on friends or poorly qualified third parties to provide support when something goes wrong.

Even for those where IT is core, some SMEs don’t have the right policies in place or sufficiently experienced staff to manage the growth in equipment, software and data. Unpatched software is common, and backups, where they exist, are often not tested. In many environments, backups are just as at risk from ransomware as the organisation’s live data, typically because they sit on a permanently connected USB drive or network share that the malware can reach and encrypt along with everything else.

Even just identifying risks can be hard, especially as they aren’t all present in the computers that the small business owns. Many small businesses use hosted services that may themselves be at risk from attackers, and not enough ensure that they have their own backups of that remotely hosted data.

When it comes to customer and supplier data, the risk becomes even greater. Not only is the loss of that data to a ransomware attack a blow to the business, but a breach also comes with the potential to harm customers, and the reputational damage that would cause.

Taken together, that creates an environment where even easily preventable risks can become critical.

Selling the idea of Security


It doesn’t help that security vendors can make a comprehensive approach seem both excessively costly and overly complex. When that complexity and cost comes with very little obvious benefit, it’s easy to see why there is a problem.

“… All recent high profile cyber-attack incidents could and should have been prevented with relatively low cost solutions. It is necessary to simplify everyone’s understanding of the threat… It isn’t either expensive or complicated to understand and manage these risks. But while it is still made so, the figures in these reports will continue to grow and we will be no safer.”
– Brian Lord, former GCHQ deputy director for intelligence and cyber operations

Security should be a consideration whenever you buy an IT asset

It’s not all bad news though. The number of small businesses that update their software and maintain up-to-date malware protection is increasing. Software vendors themselves have been pushing sensible defaults to nudge their users into good practice. The ever-falling cost of both on-site storage and offsite backups means that ensuring a business can recover from a serious incident is cheaper and more attainable than it has ever been.

For most small businesses there is no requirement for complex solutions or expensive infrastructure. Basic security processes will eliminate the bulk of common issues, and a robust but simple backup and recovery plan will mitigate the impact of anything that does get through.

To a certain extent WannaCry may even have a silver lining in that it increased awareness: the nature of the attack means that more small business owners should take note.

“Ransomware is an easy thing to communicate to people, because you can show it working, and most people can get the scaling factor of it – if this gets on my machine, then gets on 200 more machines, gets on all the systems – it brings it home for a lot of people.”
– A Medium Business (DCMS Cyber Security Breaches Survey 2017)

Getting it right


If you run a small business, there is a lot you can do now that will reduce your risks. Taking into account the following 5 steps will help you build a solid foundation and mitigate many of the risks your business faces. Best of all, it’s simple, and most small businesses can do it on their own.

Risks

  • Know what IT equipment, software and data you hold.
  • Understand how your business stores and transports data.
  • Know who has access to your business networks and data.

Backups

  • Make sure you have backups of your important data.
  • Test that you can restore your important data.
  • Ensure that you have copies of the data safely stored with a third party or offline, somewhere an infected machine cannot reach and overwrite them.

Patch

  • Keep software up to date.
  • Make sure that any network connected appliances are kept up to date.

Passwords

  • Make sure you use strong passwords, and change the default password on every device you install.
  • Don’t reuse a password across services; turn on two-factor authentication wherever a service offers it.
  • Remove access from those who no longer need it.

Invest

  • Invest in the right security when you invest in new technology
  • Invest in training for your staff
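The Backups step above is the one most small businesses get wrong: a backup that has never been restored, or that sits on a drive the malware can reach, is not really a backup. The script below is an added example written for this article, not code from the original post or from any vendor; it assumes a Linux-style shell with tar, sha256sum, find, dd and mktemp, and the invoice and payroll files it creates are constructed for the demonstration. It backs up a folder, records a checksum of every file, then proves the backup works by restoring it into a scratch directory and checking each file. It then overwrites the archive the way ransomware on a connected drive would, and shows the same check failing.

```shell
#!/bin/sh
# Added example, not code from the original article: take a backup of a
# directory, then prove it can actually be restored by unpacking it into a
# scratch directory and checking every file against a checksum manifest.
# Assumes a Linux-style environment with tar, sha256sum, find, dd and mktemp.

# make_backup SRC_DIR ARCHIVE
# Writes a gzip'd tar of SRC_DIR to ARCHIVE and a manifest ARCHIVE.sha256
# listing the checksum of every file, with paths relative to SRC_DIR.
make_backup() {
    src_dir=$1
    archive=$2
    tar -C "$src_dir" -czf "$archive" . || return 1
    ( cd "$src_dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort ) \
        > "$archive.sha256"
}

# verify_backup ARCHIVE
# Restores ARCHIVE into a fresh scratch directory and checks the restored
# files against the manifest. Returns 0 only for a complete, intact
# restore; a truncated, corrupted or encrypted archive returns 1.
verify_backup() {
    archive=$1
    # Absolute path to the manifest, so it can be read from inside the scratch dir.
    manifest=$(cd "$(dirname "$archive")" && pwd)/$(basename "$archive").sha256
    [ -f "$manifest" ] || return 1
    scratch=$(mktemp -d) || return 1
    status=0
    if ! tar -C "$scratch" -xzf "$archive" 2>/dev/null; then
        status=1                       # archive unreadable: backup is useless
    elif ! ( cd "$scratch" && sha256sum --status -c "$manifest" ); then
        status=1                       # restored content differs from manifest
    fi
    rm -rf "$scratch"
    return $status
}

# simulate_ransomware FILE
# Stands in for malware that reaches a backup left on a connected drive:
# the file is overwritten with junk, so the "backup" is no longer a backup.
simulate_ransomware() {
    dd if=/dev/urandom of="$1" bs=4096 count=1 2>/dev/null
}

# Constructed demonstration data; run with:  sh backup_check.sh --demo
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/live/invoices"
    printf 'INV-0001,Acme Ltd,1200.00\n' > "$work/live/invoices/2017-05.csv"
    printf 'Alice,2017-05,1800.00\n'     > "$work/live/payroll.csv"

    make_backup "$work/live" "$work/backup.tgz"
    if verify_backup "$work/backup.tgz"; then
        echo "restore test passed: backup is usable"
    else
        echo "restore test FAILED: do not rely on this backup"
    fi

    simulate_ransomware "$work/backup.tgz"
    if verify_backup "$work/backup.tgz"; then
        echo "unexpected: damaged backup passed verification"
    else
        echo "restore test FAILED after ransomware touched the backup (as expected)"
    fi
    rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh backup_check.sh --demo`. The point of `verify_backup` is that it restores and checks rather than merely confirming the archive exists; scheduled weekly, it is the ‘test that you can restore’ step in a form that cannot be skipped. The second half of the demo is why the offline or third-party copy matters: a backup that the infected machine can write to fails in exactly the same way as the live data.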

Lastly, take a look at the government’s advice for business; you don’t have to spend a lot of money to keep a business safe.


If small businesses, their owners and their staff can improve their awareness of the risks, and take the relatively small and simple steps to protect their data and IT systems from attack, they will significantly reduce the risk of their business suffering a catastrophic loss. That’s something worth thinking about.


Andy Halsall
Andy is a commentator, analyst and campaigner with a background in intelligence analysis and a focus on crowd-sourcing, policy, media and security. He has 15 years of experience working on the sharing economy and emerging technology trends, and has created and led national, issues-based media campaigns.

He leads on Open Intelligence Facilitation and Advocacy offers.

Working internationally, he has negotiated positions with partners in Germany, Spain, France, Australia, the US and Canada, as well as working with commercial, governmental and academic partners in the UK to deliver projects and provide analysis.

Andy has appeared on television and radio, including the BBC, on subjects ranging from data protection, security, policy and politics, and has written for publications including the Guardian and Public Service Europe.