Ransomware attacks are on the rise. Many organisations look at their business profile and dismiss the possibility of attacks in the belief that they are too small and too obscure, and don’t have enough money, to make it worthwhile for attackers to bother.
Well, here’s the reality of the situation, and it comes down to the law of the jungle. Big organisations can afford the best security and the best security people, have deep budgets for security in general, and can also pay their way out if they so desire.
Small organisations lack all those things and that makes them a better target. It takes real effort to successfully attack and damage a large organisation, but smaller organisations are easier targets as they are often budget-constrained on updates and security practices.
The harsh truth is that attackers can be more successful and attract less law enforcement attention by going after multiple small organisations. Plus, those behind the ransomware typically don’t ask for ridiculous amounts of money, but for funds you can afford. And they do it over and over again with similar-sized businesses.
It is time for SMEs to get serious and stop pretending that they are somehow immune to these attacks because they believe they don’t stand out.
Ask yourself this question: If every ‘live’ system I use today, including email, documents, spreadsheets, billing, website and phone system, all just stopped because of ransomware, how much damage could it do? Lost sales, sure. But what about lost reputation? Damaged business relationships because you missed meetings when your calendar was encrypted? Lost business opportunities because potential customers suddenly can’t get hold of you? How long would it take your IT department to get you back up and running? Do you even have a plan for business continuity? Many small businesses do not.
Talk to your IT department and the companies you closely work with to make sure you have business continuity plans in place, that you are running the latest security software, and that you are not nursing vulnerable ancient systems under the guise of saving money. Beyond empowering your IT department, it is crucial to handle the human element. Edicts that come solely from IT often lack weight and urgency. As a business owner or manager, it is important that the security directives come from you and carry the weight of senior company management. You need to show that this is a company-wide issue, not just an exotic edict from IT. You need to handle these people-related and procedural roadblocks while making sure that IT provides the reasoning behind the directives, so everybody is on the same page.
Now is the time to get it right with security and business continuity, not when your business is halted by an attacker. Not sure where to start? Contact your local value-added reseller. Or there are chief security officers for hire who can advise you. But don’t wait.