Oct. 20, 2025

Small business, big target: The rising threat of ransomware

No matter how small your business, here's a quick blueprint for strengthening your defense against common cyber threats.

Harry H. Kazakian, president and chief executive officer of USA Express Legal & Investigative Services Inc.

In late 2019, a telemarketing company in the Little Rock, Arkansas, area fell prey to a crippling ransomware attack. The Heritage Company employed about 300 people when hackers demanded a $100,000 payment to restore access to the 61-year-old firm's servers and all the information contained on them.

The company temporarily furloughed its entire workforce as it tried to regain control, but eventually paid the ransom in exchange for a decryption key that was supposed to work. It didn't. The Heritage Company then ceased operations forever.

Despite its small size -- perhaps because of it -- this business found itself squarely in a cybercriminal's crosshairs, demonstrating a sobering reality: small does not mean safe in today's threat landscape.

According to cybersecurity firm SonicWall's mid-year threat report for 2024, there were an estimated 199.7 million attempted ransomware attacks in just the first six months of last year. That represented a 20% increase over the same six-month period in 2023.

Manufacturing, retail and healthcare sectors were the top targets, with attacks spreading to smaller professional firms and government offices.

For too long, many small business owners have assumed they won't be targeted, although it appears the criminals see them as easy targets. And even if you're one of the lucky ones who survive a ransomware "kidnapping" of your servers, your losses will go beyond the cost of the ransom. Customers may decide to go somewhere else, the downtime alone will cost you business, and you could be liable for fines (can you say HIPAA?) and legal fees.

Ransomware attacks are one of the most common cyber threats, as are phishing scams, and they often work hand-in-hand to install malware to cause damage or gain access to a target.

No matter how small your business, here's a quick blueprint for strengthening your defense against common cyber threats.

Where are you vulnerable?

Small businesses don't have IT departments, and many don't have the know-how or time to review and assess everything that should be looked at, let alone fix vulnerabilities discovered in a technology audit (cataloging current hardware, software, network configurations and so on, as well as identifying and labeling customer info, financial records, IP, and other sensitive data).

This is why hiring an outside security compliance vendor makes the most sense. For a single, in-depth security and compliance review, a small business is likely looking at $5,000 to $15,000 as a one-time project. Ongoing services can range from around $1,000 to $3,000 per month (or more) based on the level of support and monitoring you need. It's generally wise to invest in a thorough audit, as the cost of recovering from a breach can far exceed the cost of proactive security measures.

Your team is your first line of defense

Security is only as strong as your weakest link. You need to invest time in creating clear and unambiguous policies on the dos and don'ts for email attachments, external links, remote access, downloads and more. These need to be easy to find in your company handbook (you do have a company handbook, right?) and reviewed and updated regularly.

Train your team in basic cyber hygiene, to keep security top of mind. Consider employing a phishing simulation platform, where you can safely send your team a test email and see how they performed and what can be improved. Make it fun. Reward good performance and frequently use your soft skills to show your appreciation.

For managers and senior leaders, develop an incident response plan. It should contain the procedure for when you detect a breach, how to contain it, recovery, and how to communicate about the incident. To ensure preparedness, hold table-top exercises now and then.

Speaking of cyber hygiene...

Are you doing the basics? How strong is your firewall and anti-virus protection for your networks and users?

Passwords should be complex and regularly reset. Use a password manager to reduce weak credential risks -- we're nearly two full generations away from "password123" but it's still a lazy go-to for many even today.

Now look at your standards for backing up data. Are backups done daily, weekly, never? Backups should also be stored securely offsite, and you should check your restore processes on a schedule to confirm data integrity.

Also consider simple and budget-friendly measures such as anti-malware tools and basic monitoring apps. Low-cost subscriptions offer robust features like centralized management dashboards, advanced reporting and dedicated support.

Have a zero-trust mindset

Today, it's safe and smart to assume no user or device is automatically trusted. Instill this idea in your team. Ensure that devices used on your network -- phones, tablets -- have multi-factor authentication turned on.

Segment your network by breaking it into smaller, isolated sections. That way if one part is compromised, an attacker can't easily access your entire network. Think of it as having separate, locked rooms within your digital office -- if one door is breached, the others remain secure. Tools like virtual local area networks and firewalls let you control which areas communicate with one another, protecting sensitive information and often improving network performance. This way you can boost cybersecurity without overhauling the entire system.

Finally, consider getting cyber insurance. Policy premiums for small to medium-sized businesses can vary widely depending on factors like company size, industry risk, revenue, coverage limits, and existing cybersecurity measures. A small business with a modest risk profile might secure a policy starting at roughly $1,200 to $2,000 per year for around $1 million in coverage, and prices go up from there depending on company size, industry, and what you want to cover such as business interruption, legal liability, and data recovery costs.

The bad guys are constantly evolving. Some of them have entire organized criminal rings or even state-sponsored actors behind them, demanding their efforts haul in lots of cash -- your cash. Remain vigilant, so your business can stay healthy and productive for decades to come.

Harry H. Kazakian has excelled as the founder, chief executive officer, private investigator, and claims adjuster at USA Express Legal & Investigative Services Inc. Through expertise in insurance claims and criminal and civil matters investigations -- from bad faith consulting to wrongful death -- he and his team at the Los Angeles-based firm have successfully defended various clients across several types of cases. He can be reached at: www.usaexpressinc.com or 877-872-3977
