Startups and cyber stick-up men
How would you react if ransomware locked your systems? For many new companies it's a no-brainer: pay up — and fast.
It begins like any other day.
You sit at your desk, turn on the computer, open Slack and click your first email.
Then suddenly the screen goes black. A red alert starts to flash:
‘Whoops! Your files are now encrypted. If you ever want to see them again, pay us £10,000 in Dogecoin. You have 8 hours to respond.’
Forced to choose between your money or your data, what would you do? For a lot of entrepreneurs, the answer is easy.
Surrender and pony up the cash.
A survey of startups shows that more than half (55 percent) would be willing to pay a ransom to get their data back. Scale-ups at the larger end of the spectrum would be even more likely to pay, with three-quarters saying yes and 39% indicating they would pay almost any price.
It’s a stark testament to how crucial data is to digital business models. Only 36% of respondents believed they could see through a successful attack without significant losses.
Cybercriminals know it, and they’ve geared up accordingly.
A study by Malwarebytes shows that ransomware attacks are up by 500 percent.
That’s because they work.
The global WannaCry and NotPetya outbreaks infected computers in 150 countries and inflicted damage amounting to billions of dollars. Multinationals like Maersk and Merck saw computing and telephone networks shut down around the world. Government systems in the city of Atlanta, Ga. were crippled. Britain’s National Health Service (NHS) had to cancel 19,000 appointments and spent almost £100m remediating the damage.
Hackers made off with about $200,000 — a paltry sum compared to the damage inflicted — but still, not a bad payday.
Just enough businesses were frightened by the threat to make the venture profitable.
If the surveys are accurate, the criminals would get away with even more money today.
Time to throw in the towel?
What does it say about the state of digital business when so many businesses would give in to blackmail to make an attack go away?
Perhaps it's understandable why a bootstrapped or angel-invested business would feel vulnerable: its cybersecurity budget is typically small. But the truth is that organizations of all sizes have the power to stop ransomware. Some of that power lies in technical solutions, but even more of it rests with people.
If you want to avoid having to make the decision between giving in to extortion or losing access to business-critical data, follow these steps:
- Conduct regular system backups and keep them on separate systems, or physical media disconnected from the network. Cleaning up infected hardware and re-populating information across systems will take time, but you’ll know that a viable plan B exists if a catastrophic infection occurs.
- Then build a step-by-step business continuity and recovery plan. This includes having backups ready and testing them to ensure they work, having a manual or secondary process for continuing any impacted services in the short term, knowing who to turn to if you need recovery services, and running simulations to identify any weaknesses in the plan.
- When security patches arrive, don’t wait to act on them. The WannaCry infections that brought NHS services to a halt in the UK were helped along by the fact that Microsoft had already distributed a security patch, but a number of NHS machines hadn’t been updated.
- Know where most malware infections come from. The majority find their way into systems off the back of a phishing campaign. Training employees to spot a phishing attack can be one of the most effective ways to keep ransomware out — and data safe.
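The backup and recovery steps above only pay off if a restore can be shown to be complete and untampered before an incident, not discovered to be broken during one. The script below is an added example, not code from the article: it builds a SHA-256 manifest of a backup set (to be stored with the offline copy), then verifies a restored tree against that manifest and reports files that are missing, changed (as an encrypted file would be) or unexpected. The sample files, directory names and the "good" and "bad" restores are constructed for the demonstration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Hash a file in chunks so large backup artifacts do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Walk a backup set and record the SHA-256 of every file, keyed by relative path."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): _sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root) -> dict:
    """Compare a restored copy against the manifest.

    Returns the lists of missing, changed and unexpected files plus an overall
    "ok" flag; a file rewritten by ransomware shows up as "changed".
    """
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    changed = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {
        "missing": missing,
        "changed": changed,
        "extra": extra,
        "ok": not (missing or changed or extra),
    }


def demo():
    """Constructed end-to-end run: a clean restore passes, a damaged restore is flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed backup set: two small files in a nested layout.
        src = tmp / "backup"
        (src / "db").mkdir(parents=True)
        (src / "customers.csv").write_text("id,name\n1,Example Ltd\n")
        (src / "db" / "orders.sqlite").write_bytes(b"\x00" * 1024)

        # The manifest travels with the offline media as a JSON file,
        # kept outside the backup root so it is not hashed into itself.
        manifest_path = tmp / "backup.manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(src), indent=2))
        manifest = json.loads(manifest_path.read_text())

        # A faithful restore: every file present with the recorded hash.
        good = tmp / "restore_good"
        shutil.copytree(src, good)
        clean = verify_restore(manifest, good)

        # A damaged restore: one file overwritten, one file missing.
        bad = tmp / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "customers.csv").write_text("not the original contents")
        (bad / "db" / "orders.sqlite").unlink()
        broken = verify_restore(manifest, bad)

    return clean, broken


if __name__ == "__main__":
    clean, broken = demo()
    print("clean restore ok:", clean["ok"])
    print("damaged restore:", {k: v for k, v in broken.items() if k != "ok"})
```

Run this as part of the periodic recovery drill the plan calls for, against a restore made from the offline copy, so the drill checks the media that would actually be used after an incident.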
Protecting data is about more than technology
It’s also about people. You have to raise the visibility of security risks across the organization, ensure everyone is clear about company security policies, and give employees the knowledge they need to spot an attack when it’s underway.
An effective security awareness training program is one of the best ways to ensure that everyone in the business has an appropriate level of know-how about security — and takes on a level of personal responsibility.
For some businesses, simply paying a ransom and hoping to restore operations immediately might seem like a viable option — but it’s hard to recommend as an approach to business continuity. Even cybersecurity startups can be vulnerable to attack.
Balancing the cost of business interruption with the cost of restoration might tempt you to submit to a ransom demand. But even if you do everything the blackmailer asks — will you get your data back?
Opinion in the cybersecurity community is mixed, but a study by CyberEdge suggests that less than 20 percent of organizations that paid to have their files decrypted actually got them back.
It’s a risky roll of the dice.