Ransomware has evolved into a billion-dollar enterprise, affecting two-thirds of small to medium-size businesses in the past 12 months, the Ponemon Institute and Keeper Security reported in a recent study. Yet many in this group most often targeted by cybercriminals do not feel an imperative to make cybersecurity a priority. Blame it on the number of publicized attacks highlighting big companies, municipalities, or just about any organization in the healthcare sector — and something even more prevalent: a false sense of security in data backup technology.
“I don’t think it will affect us very much; we have backups,” is the refrain risk management expert Tom Held most often hears when his company, consulting firm The Oakland Group, recommends a risk assessment. The problem is, some companies do not know how effective those backups are or if they have enough barriers in place to get them up and running quickly if their system is infected. This is why Held recommends a risk assessment as a first step for distributors to start shielding their businesses from ransomware attacks. Wrapping your arms around the risk starts with taking stock of the data.
“It may surprise you that many companies do not have an account of all the locations where their data resides,” says Held. “We try to make this easy for the nontechnical owners and managers by getting them to think of data in three simple states: At rest (on a hard drive), in transit (over the network, internet, or in your pocket), and in use (in an application, in a web browser, on your screen, etc.).”
Cost is often a major deterrent for small businesses contemplating an investment in cybersecurity. “While it may sound irresponsible to law enforcement and cyber pros, most small business owners are aware of the risk and tell us that spending a few thousand dollars a year on cybersecurity may end up being far more than the cost of a ransom,” says Held. “Still, much can be done without spending a fortune, such as periodic, offline backups, awareness training and phish tests.
“We try to encourage them to do something, anything to prevent an attack,” adds Held, who likens a backup to a placebo for companies that do not have a backup strategy.
Without one, your backup data could be vulnerable to ransomware and other forms of malware. Since many backups are online 24/7, that means they’re connected to the same network everyone else is connected to, making them more susceptible to strains looking to delete or encrypt backup files as they worm their way throughout a system during reconnaissance.
External drives connected to laptops are another potential point of entry. “When it comes to ransomware,” says Held, “it’s about avoidance and recovery, and recovery is about backups.”
The other half of the equation to ensure a speedy recovery is testing backups and making sure that IT and leadership are on the same page with expectations. Does this sound familiar? An executive asks IT if the company has a solid backup plan. IT confirms that there is a system in place to recover data. The executive confidently walks away, “but no one discussed a timeframe,” says Held, who recalls years ago working with a large company on a disaster recovery project after 9/11.
“During the roundtable exercise,” he says, “they set up all their new hardware in a disaster scenario and then turned to the IT team and said, ‘We’re ready to get our backup from [an off-site data and document storage service]. How long will it take to load?’”
The response from IT: 72 hours. That’s a long time to be without customer data. Think about your recovery in stages, advises Held. What do you need to continue to be operational if your files are encrypted? Is your historical data lumped in with the data you need to get back online? If so, it will slow your recovery.
“Typically, companies have a backup that’s loaded on a tape and taken offsite, or it’s in the cloud,” says Held. “What some fail to do is simulate an attack and back up their entire system after hours or on the weekend. Instead, they hope that they will be able to recover in a short period of time. A lot of times they can’t.”
Learning from the Trends
The first ransomware attack occurred in 1989 when AIDS researcher Joseph Popp distributed 20,000 floppy disks to fellow researchers, claiming they housed a program that analyzed the risk of acquiring AIDS using a questionnaire. Instead, the disks contained a malware program (later referred to as the AIDS Trojan) that remained dormant until a computer was powered on 90 times. Once it reached the threshold, files on the C drive were encrypted and the program displayed a message directing victims to send $189 to a P.O. Box in Panama.
Now, CryptoWall, WannaCry and NotPetya require their victims to pay their ransom in bitcoin. Cybercriminals prefer it because it allows them to bypass the banking system and protect their identity.
“Imagine being locked out of your system and having to communicate with a criminal via a chatbox,” says John Sileo, the author of Privacy Means Profit: Prevent Identity Theft and Secure Your Bottom Line. “They’re walking you through how to pay in bitcoin because you’ve never paid in bitcoin. You pay. Fifty percent of the time they unlock it and in the meantime the worm has burrowed its way into your neighbor’s computer.”
His advice: Never pay the ransom because it marks you as a future target. Also, there’s been a disturbing trend toward saturating inboxes and social media with more weaponized ransomware. “So, instead of just freezing your assets and demanding blackmail, they’re freezing your assets, demanding blackmail and then destroying the assets, or leaking the assets so that you are part of a breach,” says Sileo. “That destructive nature has really changed the playing field because now you not only have to worry about paying a ransom, you don’t know if your system is going to be destroyed after you pay it.”
Other upgrades include more sophisticated tactics surrounding delivery methods and point of entry. Instead of just worrying about clicking on a malicious phishing email, now employees must be leery of text links, banners and social media ads offering them a freebie from their favorite fast-food spot. And thanks to the growing popularity of island hopping, more employers are now weighing the vulnerability of their supply chain partners — and their partners. Leveraging the weaknesses of a smaller target, the practice involves gaining access to a larger organization by infecting a vendor with fewer barriers.
Cybercriminals are using island hopping in half of all attacks, according to security vendor Carbon Black.
Equally disturbing is the stealth and sophistication that hackers are pouring into their work. “The biggest change in ransomware within the last two years is a type of consolidation with targets,” notes Held. “We have seen this with the ransomware attack on city governments in Texas and recently, here in the Milwaukee area, with an attack on a cloud software company.”
Many of the more than 100 nursing homes serviced by Milwaukee-based Virtual Care Provider Inc. are still scrambling after the IT and data storage company said it could not pay the $14 million ransom Russian hackers demanded this past November. According to security firm Hold Security, the hackers used email attachments to cripple its system over a 14-month period.
“Every company should be preaching cyber risk management to its partners,” says Held, adding that because of intel, ransomware hackers often know how much they can squeeze from their targets. “Island hopping can happen in any direction,” he says. “The big Target breach was initiated by a phish email at an HVAC contractor (and some bad network design decisions). These ransomware hackers are savvy. They can find the weakest link with the greatest access and phish that company.”
What You Can Do Now to Protect Your Business
A little over a year ago, the head of the IT department at inventory management and software solutions provider RF-SMART heard that one of its customers had been infected by ransomware. The customer did not pay the ransom and it was able to quickly recover because of a sound backup strategy. The incident paired with an already growing sense that it was time to beef up security. Director of IT Chris Bak asked RF-SMART’s CEO if he could increase its cybersecurity budget. After getting the nod, Bak began building a program around addressing what he and cybersecurity experts agree is the weak link in most organizations.
“Initially, our goal was to deploy more hardware and software at the threat but with the understanding that our employees are the last line of defense,” says Bak. “If we could train them not to open an email or click on a link, it would be an effective deterrent, so we shifted the focus.”
Buy-in starts with engagement — an act that does not involve setting new policies or procedures. Instead, “you have to make it personal,” says Sileo, a victim of identity theft who knows firsthand what it’s like to be a target. “Showing your employees how it affects them can be as simple as relating it to their smartphone or personal computer.”
Before rolling out the new security program, Bak began prepping RF-SMART employees with an inexpensive cybersecurity quarterly newsletter highlighting pertinent news stories, mainstream and niche-based, in addition to how-to tips and preventive measures, such as what to look for in malicious emails and links.
“We are a tech company, so the interest was high from the start,” says Bak, who ended each newsletter with a reminder to think before clicking. “I constantly had people coming to me saying that they had experienced similar incidents at home, or staff reporting back to me about the emails they received.”
For the next phase of the cybersecurity program, he turned to security awareness training company KnowBe4, which provides RF-SMART with a mix of quarterly training videos and monthly phishing tests. The videos range from 45-minute instructional material with must-pass quizzes to shorter two- to four-minute cartoons that touch on a variety of security issues.
While Bak would argue that the phishing tests have been the most effective training tool out of the three, he thinks employees would probably lean toward the videos since several have asked for permission to show them to family and friends.
It took roughly four months for employees to realize that IT was sending out phishing emails — but both Bak and Held say it doesn’t matter if employees are aware of the tests. The exercise is about educating them about the threat — and there are several. RF-SMART’s tests run the gamut: financial banking material, fast-food deals and social media links.
“We want them to see it all,” says Bak. “We recently did training on social-engineering attacks that touched on spear phishing and how cybercriminals use certain aspects about an individual’s life to make more convincing emails.”
Fourteen months after getting the nod from leadership, RF-SMART has seen a dramatic drop in clicks. Thirty-three percent of its 220 employees fell for the bait during the first phishing test, compared to 1% for its most recent. It works, says Bak.
Held agrees. “One of the best deterrents is a solid, ongoing phishing security testing program,” he says. “For some business types, where phishing is a large risk (attack vector), we suggest investing in a subscription to a cloud phishing test service and running year-round testing. The interface allows them to manage it internally without much technical background. It allows them to get more creative and even build competitions through the program.”