For much of ransomware’s evolution, many small and medium-sized businesses (SMBs) have failed to embrace the idea that they are ransomware targets. After all, why target an SMB when Fortune 500 companies have much deeper pockets? Seemingly, a hacker is far more likely to attack Walmart than Walter’s Corner Market. But that confidence is rapidly evaporating.
“There is great concern when we talk to small business owners in our region,” says Ken Hallman, Founder & Chief Executive Officer of Hallman Group Ltd, an MSP in Calgary. Most of Hallman’s clients are SMBs. Hallman attests to the change he is seeing in how clients regard the threat posed by ransomware.
No SMB target is ‘too small’ anymore
“Just 3-4 years ago nobody was interested in my information or data,” Hallman notes. But he adds that in the last two years, ransomware has become commonplace, a staple of local news. Now, suddenly, his clients are clamoring for more information.
“In our city and surrounding areas alone, we have seen breaches in colleges/universities, art galleries, construction companies, and municipalities,” Hallman points out, with some verticals more exposed than others. And that is just in Calgary. The problem is occurring everywhere and SMBs are now bearing the brunt.
“The thing is that an SMB’s size actually makes them more of a target and not less,” advises Alan Tucker, a cybersecurity consultant in Phoenix. “The reason is that a successful hack on a major company is usually met with overwhelming return firepower. A huge company can respond with resources, system redundancy, and a whole toolkit to make the hackers’ lives tougher.”
But the corner drugstore? No. No corner drugstore will be brought to their knees and the owner may be more likely to simply pay the money so they can get on with their business. Tucker says that this has now created an odd inverted dynamic where the companies that are the most vulnerable are usually the ones that can least afford a hack.
According to Insureon, 71 percent of the targets of ransomware attackers are now SMBs, costing up to $20 billion a year.
“Small businesses often lack the security or training to prevent an attack,” Insureon reports. That is a sentiment Hallman agrees with, and he points to healthcare as particularly vulnerable.
“The very concerning numbers are in healthcare and the ramifications are extreme,” Hallman states. Health-related businesses contain tranches of PHI that can be very valuable to hackers.
Ransomware problem will get worse before it gets better
“The main reasons for this are that small business owners are known to not invest in IT security, or in security awareness training. The bad guys view small business owners as low-hanging fruit and easy targets,” Hallman says. His MSP does offer awareness training as a part of its service package.
Small businesses, Hallman adds, are overconfident and underprepared. That’s a bad combination. Hallman cites some sobering statistics among the data that his clients are now eager to see:
- 58 percent believe they are not a target.
- 43 percent have no Cybersecurity defense plan.
- 50 percent do not do any Security Awareness Training.
- 1 in 3 small businesses use free consumer grade cybersecurity.
- 1 to 5 small businesses use no endpoint security.
Many MSPs, and in turn their SMB clients, depend on reliable off-the-shelf software to help run their businesses. When that software is compromised, it exposes a lot of parties through no fault of their own.
“Yet an SMB paying an MSP may still blame the MSP even though the problem was with vendor software, it’s a tough spot for everyone, so MSPs have to be extra vigilant about vendor security,” Tucker advises.
The bottom line, experts say, is that the days of MSPs and their stable of SMB clients being passed over by hackers are over.
“If you run a small health clinic or even a family bakery with a handful of computers in the backroom, you are now a target,” Tucker says.
The good news, both Tucker and Hallman tell us, is that one of the most effective weapons is also one of the least expensive: awareness training. With ransomware on the rise, MSPs will be increasingly relied upon to supply the training and defense for SMBs.