SMBs Are Not Immune From Ransomware Attacks

Cameron G. Shilling
Director, Litigation Department & Chair of Cybersecurity and Privacy Group
Published: New Hampshire Business Review
March 26, 2021

Hackers are intentionally targeting small and medium sized businesses (SMBs), and are likely to continue doing so for the foreseeable future. Headlines certainly have exposed recent breaches of large and sophisticated companies (like Marriot, Equifax and Yahoo!), big governments and agencies (like the federal Office of Personnel Management and State of Texas), and prominent educational institutions (like Harvard and University of Connecticut). But, it would be a mistake to believe that hackers target only those types of organizations.

No business is immune from cyber threats. In fact, small and medium sized business are just as valuable targets as large organizations, because we commonly possess significant amounts of sensitive personal information about customers, vendors, employees, students, etc. Also, SMBs are generally more vulnerable, because we often do not have comparable resources to invest and have not allocated the time required to implement appropriate safeguards.

Sophisticated Ransomware Is Unavoidable

Ransomware attacks perpetrated a few years ago typically only encrypted computers and servers, yielding a demand for ransom to obtain the decryption key. Cybersecurity evolved to counteract that threat, particularly through a combination of advanced activity-based applications that detect ransomware activity and deactivate systems before all data is encrypted, with robust backups that can be used to restore encrypted systems.

As a consequence, hackers evolved too. Now, sophisticated ransomware is typically undetectable by routine anti-malware, and both extracts data from computers and encrypts it. Thus, if the target business refuses to pay the ransom to decrypt its systems, the hackers re-demand ransom to refrain from selling the stolen information on the dark web.

No Target Is Too Small, and No Business Is Ignored

In years’ past, hackers may have focused more of their efforts on larger businesses that accumulated credit cards, social security numbers, governmental identification numbers, financial information, and health information. That is not true anymore.

Because big firms generally have invested in cybersecurity, smaller ones are now much softer targets. Also, while the foregoing information remains generally valuable, some of it (like SSNs and governmental IDs) have been broadly compromised already, and other types of information (like credit cards and financial accounts) are surrounded by sophisticated protections.

Broader personal information is now equally or more valuable for hackers to perpetrate identity and financial crime. For those purposes, the information that small and medium sized commonly collect is prized, like information about financial and business transactions, travel, purchasing activity, family relationships, social interactions, usernames and passwords, etc.

Moreover, hacking has increased its efficiency by industrializing the criminal enterprise. Criminals now specialize in code writing, phishing, deploying attacks, collecting and aggregating data, perpetrating crime, etc. That efficiency, in combination with greater automation in phishing and deploying attacks, have enabled hackers to exponentially expand their target population.

We All Can Afford Cybersecurity, and Can’t Afford to Ignore It

Two big hurdles faced by small and medium sized businesses are a lack of knowledge about how to address cybersecurity, and a misconception that doing so will be too expensive or disruptive. Neither are prohibitive barriers.

With respect to the first issue, many articles (including those published here) and other resources (such as through the National Institute of Standards and Technology or NIST) exist to educate us on this topic. Also, the market now has a greater selection of information security professionals qualified to provide services to a wide variety of small and medium sized businesses.

With respect to cost, there is good news for SMBs. Their relatively smaller technological and physical footprint generally makes it is easier and cost effective to assess their vulnerabilities and implement reasonable safeguards. By contrast, larger companies commonly have established technology systems and physical facilities that may have been designed without addressing current cybersecurity controls, which means that they may have more vulnerabilities that can be costly and operationally challenging to mitigate. Additionally, all businesses allocate a certain amount of resources to technology, and an experienced professional can help configure that same budget to incorporate cybersecurity safeguards with limited additional cost.

The business leaders who have experienced hacks know all too well that we cannot afford to ignore these risks. Ransomware cripples a business for days or weeks, can be exorbitantly expensive (particularly if a business has no insurance coverage for it), and often results in lost customers and revenue. Hackers will continue to target small and medium sized businesses. So, SMBs need to take action now to protect ourselves.