Six Reasons Your Company is Not Safe from Ransomware, No Matter How Much You’re Spending
Cybersecurity is one of the biggest concerns for every business today. Hacking and ransomware attacks deliver high returns for a relatively low effort and the significant rise in revenue fuels increasingly more aggressive and costly attacks. That recipe means the cybercriminal community will expand and ramp up its activities to keep those cash streams flowing.
The processes and organizational advancement of these syndicates are astounding. Few people outside the tech industry understand the capabilities of these groups that often get support from nation-states and organizations with evil objectives. While the 24/7 news may cover ransomware attacks on multi-billion-dollar pipeline companies and other high-profile organizations, there is little if any mention of small and mid-size companies. That creates a false sense of security. Many business leaders think their organizations are simply too small to fall into the crosshairs of those cybercriminals.
The reality is that every company is a target today, and it just takes one slip for ransomware to get into the system and potentially shutter the entire organization. According to research firm IDC, approximately 37% of global organizations reported being hit by at least one of the more than 130 variants of these attacks in 2021. Many of those victims likely invested significant resources in their IT system defenses. While businesses must do everything possible to prevent these attacks, a more realistic goal today is to minimize the potential harm that may occur when cybercriminals manage to find those gaps.
Complacency is also a concern. Unlike the early days of computers, today, businesses should consider cybersecurity investments as a maintenance fee that will likely continue to grow as the threat levels rise. IT spending needs to increase each year to protect its most valuable assets, including customers, employees and data. Ensuring the security of the company’s networks and operations centers is critical, and organizations with remote and hybrid workforces may need to double down on those efforts and investments.
Minimize the Threats
Prevention is critical. While no one has come up with a 100% foolproof defense against ransomware attacks (other than running a business without computers and internet connections), anything companies can do to boost their collective defenses helps lessen their financial and legal exposure.
Cybersecurity strategies are business-critical. Building an effective plan and investing in awareness training, anti-ransomware and antivirus tools, and other proactive measures mitigates a company’s risk profile. And while none of those actions can guarantee a company’s complete protection from threats, they reduce liability and cyber insurance costs and lessen the executive team’s anxiety when properly implemented and managed.
Most IT professionals add layers of cybersecurity measures to protect networks, devices and other technologies, including cloud applications and proprietary software. It is virtually impossible to lock down every potential access point to prevent cybercriminals from reaching their ultimate target: data. Stealing and ransoming business and personal data drives hundreds of millions of dollars (potentially billions since many attacks go unreported) in income for nation-state-supported crime syndicates, professional hackers and basement-dwelling amateurs each year. One thing they all have in common is an innate ability to make organizations pay dearly for their mistakes.
Business leaders need to understand that premise and why no matter how much they invest, no company is ever completely safe from ransomware attacks. Here are some of the ways cybercriminals strike paydirt:
1. People make mistakes. According to one recent report, human error plays a role in virtually all (94%) cybersecurity breaches, including nonadherence to email protection measures, poor credential management and employee sabotage. No matter how many technologies and policies a company implements, ransomware purveyors know someone will slip up at some point.
2. Ransomware is a thriving and ruthless business. From rudimentary attacks by rogue workers to elaborate new business models like Ransomware as a Service (RaaS), this is a profitable and rapidly evolving opportunity. The reward for cybercriminals far outweighs the risks, and this community’s almost limitless creativity and cruelty should strike fear into every corporate decision-maker.
3. IT resources are limited. Even before the “Great Resignation,” the number of high-tech job openings was astronomical. The ensuing pandemic and changes in work preferences are impacting many companies’ ability to fully staff their IT departments and adequately protect their systems.
4. Management support is lacking. Effective cybersecurity strategies begin and end at the top. Executives must prioritize cybersecurity, from adopting strong policies and leading by example to investing in technologies and programs to properly protect their people and systems. Employees often discard or discount initiatives that don’t appear to have solid support from managers and other executive team members.
5. Supply chain attacks are rising. Cybercriminals understand that there’s usually more than one way into a company’s networks, including access through business partners’ systems. Ransomware attacks from suppliers and contractors are a rising concern. Recent examples include Target and SolarWinds, where cybercriminals first gained access to other companies’ systems from which they spread malware using connected networks and applications. Many organizations implement standards and follow industry best practices to vet their business partners’ IT security tools and methodologies.
6. Testing is never a high enough priority. Companies can invest a significant amount of their resources on cybersecurity yet not know if it will actually work. Periodic evaluations and adjustments are critical to ensure the integrity of every organization’s defenses. Cybercriminals are constantly looking for openings to exploit, from non-working end-point protection tools and unencrypted email systems to lax credential management. Testing helps businesses identify and rectify those vulnerabilities as well as any others that happen to pop up between evaluations.
Frame The Threats
Ransomware attacks are non-discriminatory. Cybercriminals target anything and everything, and thanks to new business models, the cost of entry for aspiring hackers is virtually non-existent today. With all of the resources they have on tap, no business or individual is safe.
The risks are rising exponentially, especially for companies that work with sensitive personal and financial data, as well as those adopting WFH (Work from Home) environments. More importantly, the decision-makers must understand that even with the latest measures, those threats will never completely disappear.
Cyber insurance coverage adds another critical layer by mitigating potential liabilities for the business. A basic protection package can also lessen the executive team’s anxiety level and assure other stakeholders that their financial interests are well protected.
Raising the cybersecurity bar is never easy. However, any cost-effective measure that can prevent a business from being the “lowest hanging fruit” for criminals is worth pursuing. With the threat level of ransomware rising and no guarantees that companies can stop every attack, leadership teams should be open to all potential abatement options today.